Something to keep in mind is that the datasets being shared with Troy are almost all already available on underground forums, some openly, some for sale.
Raidforums and similar have them. You occasionally find them on reddit and small security blogs. I collect data breaches, and usually by the time you hear about one on HIBP it’s making the rounds on a variety of forums. Only on a few occasions has Troy actually gotten anything exclusive.
I don't know any off the top of my head (no, really), but I'd bet searching DDG for "Hidden Wiki" and using Tor hidden services would get you in the right direction, and probably put you on a watch list or two.
It's quite interesting putting in various people's email addresses to see what sites they are linked to. Maybe once he has made some money out of it, a GDPR claim and financial settlement can be made, as he's made no steps to control the data privacy of Europeans.
Yes, you're right, I'm sure that the guy who is at the forefront of campaigning about personal data protection, has been running this service for years, has advised governments on privacy breach regulation, and has contracts to help European governments monitor their domains for breaches has no idea whatsoever about the most prominent personal data regulation regime in the world.
Authorities now handling it, out of my hands. I don't want my details appearing on that website so anyone who knows me can put in my email addresses (past and present) to see what hacked sites or databases they've appeared on.
It looks like he's based in Australia, so Europeans wouldn't have to worry too much about having tariffs rained down upon them in retribution. I say go for it.
Does this really fall foul of GDPR? I would have guessed that once your data is in the wild, there is nothing in GDPR that applies. GDPR puts certain responsibilities on groups you give your data to, to treat that data in certain ways in terms of who it is shared with, which would not seem to apply to someone offering a lookup of an in-the-wild dataset.
I'm curious if my naive understanding of this is wrong.
I’m not sure how GDPR applies to HIBP. GDPR is all about data that is shared by the user. But HIBP is about data that hasn’t been shared by a user, but rather, is available publicly.
You're not wrong, but purely from a practical standpoint, your data is out there and without a service like this to hold these companies to account, they could cover things up/downplay the situation/be too incompetent to know they've leaked data.
An operation like this levels the playing field and lets us collectively hold companies to their responsibilities.
"The regulation applies if the data controller (an organisation that collects data from EU residents), or processor (an organisation that processes data on behalf of a data controller like cloud service providers), or the data subject (person) is based in the EU. Under certain circumstances, the regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. The regulation does not apply to the processing of data by a person for a "purely personal or household activity and thus with no connection to a professional or commercial activity." (Recital 18)"
The EU laws apply to people and entities outside of the EU, he is not immune from these EU laws because he is affecting the lives of every European who has an email address in this website.
Only if in possession of the email address or domain name.
Where an email address or domain name has been taken over by someone else, then sending the results to the email address instead of currently showing it on the webpage doesn't solve the problem. This data set is ripe for blackmailers, intelligence services and any company looking for intelligence on rival businesses.
...if the password for said email address is already visible on the same page (assuming negligent password reuse) what kind of verification could you hope for?