is haveibeenpwned safe reddit - Brave Search

Is ‘haveibeenpwned’ safe?

reddit.com › r › techsupport › comments › 1ar1clg › is_haveibeenpwned_safe

It's safe -- You can even put your password in there to check. The way it works is pretty clever: Your password gets hashed, and the first 5 characters of that hash are sent to the server Server responds with all known passwords that have a hash that share the same first 5 characters The password you entered is compared to the list of passwords returned (this step is done entirely in your browser) https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity Answer from bothunter on reddit.com

reddit.com › r/techsupport › is ‘haveibeenpwned’ safe?

r/techsupport on Reddit: Is ‘haveibeenpwned’ safe?

February 14, 2024 -

Im really paranoid about data breaches and i just really wanna know

It's safe -- You can even put your password in there to check. The way it works is pretty clever: Your password gets hashed, and the first 5 characters of that hash are sent to the server Server responds with all known passwords that have a hash that share the same first 5 characters The password you entered is compared to the list of passwords returned (this step is done entirely in your browser) https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

Yes it's safe. Your data can't be breached by just entering an email address anyway.

reddit.com › r/privacy › is haveibeenpwned.com safe?

r/privacy on Reddit: Is haveibeenpwned.com safe?

June 20, 2024 -

Not sure whether to use it or not, as I’m worried about it’s safety

Yes, it's safe. The data you enter in to the forms are not submitted to or stored by the haveibeenpwned website.

The creator is very well respected in the industry. One of the good guys

Videos

Have I been pwned? 😱 - YouTube

This FREE Cyber Security Service Is A Total MUST HAVE - ...

Can You Trust HaveIBeenPwned Password Checker? - YouTube

November 24, 2019

Protect Your Passwords: How to Check If You've Been Pwned

reddit.com › r/privacy › beware the fakesite havelbeenpwnd

r/privacy on Reddit: Beware the fakesite havelbeenpwnd

June 20, 2025 -

Due to the recent breach news, a lot of people are checking to see if they were involved. Be careful if searching for haveibeenpwned on certain browsers like duckduckgo. Anywhere from the second to the fifth result is a fake site called havelbeenpwnd.com. It will load the old version of the website and can even link to the new version if navigated on. However, any search leads to a 404 error.

This fake site is actually named: have l(lowercase L) been pwnd(no e here).com. Others suspect it is a data harvesting site at the least. The real site is haveibeenpwned.com. Posting this to potentially help others to avoid this pitfall in privacy.

*Edited for clarity.

I haven’t used the site in a while, but I’ve wondered if this would happen at some point. Thanks for the heads up.

Oh wow... piece of absolute shit doing a "bad URL" exploit... Thanks for informing us.

reddit.com › r/techsupport › is the site haveibeenpwned a legit page?

r/techsupport on Reddit: Is the site haveibeenpwned a legit page?

September 16, 2022 -

today ive been trying to keep my account secure over scam anti virus software that I have installed. someone recommended me this site to see if any personal info of mines has been leaked. ran a scan and everything seems to be good for now? i then also did a scan for the site itself after words on virus total and it gave me a message saying "1 security vendor flagged this URL as malicious". not sure if I should be concerned abt that information and hopefully this site isn't a scam innit of itself

Assuming you visit the real one, it's THE most well known site to check if your email address is found in 1 of numerous data leaks.

"have i been pawned" is a great site. all it does is look up if you email is associated with any breeches. It is not a scam site

reddit.com › r/privacy › how safe is haveibeenpwned.com?

r/privacy on Reddit: How safe is haveibeenpwned.com?

April 7, 2023 -

Is it safe to use haveibeenpwned.com? Do they store the e-mail/phone number you search? Those who understand back-end processing, please enlighten me on the site.

The site is run by a white hat hacker, Troy Hunt. It allows you to search any email address, which is already in the database of hacked accounts. Nothing is stored, and even if it was, nothing particularly useful would come of it. The only exception is for sensitive breaches, like Ashley Madison for example. In that case, you need to verify the email address is yours before information is returned regarding it. I can't quite remember the details why. Signing up for breach alerts is another option, which many other services already offer. But that stuff is made very clear. It's a bit of a paradox, that a site like that looks much scarier than the initial sites that breached to the data to begin with. LinkedIn looks safer than HIBP. Looks can be deceiving.

Troy Hunt is a renowned security expert, working for Microsoft. He did consider to give someone else the responsibility for this site some years back. But he got cold feet when realising those willing to take that task didn't necessarily have the purest intentions with the site data, and it would not be in the best interest of its users. Not too long after, he started selling the API access to sites wanting to query if usernames, e-mail addresses, etc was comprised. I believe this service can also do API callbacks when their users is caught in a compromise. This service offering mostly funds HIBP, in addition to other donations. I have several of my own domains listed there, and occasionally I do get some warnings when new breaches are registered. That often explains quite well when an e-mail address is getting a lot more unexpected spam or phishing attempts.

reddit.com › r/antivirus › questions about haveibeenpwned

r/antivirus on Reddit: Questions about haveibeenpwned

January 16, 2025 -

Hello so i know this is stupid since i can just research it and find the answer easily but im currently sick right now and i can barely remember stuff so im making a post just so i can remember and check when im not sick anymore

This is also for both me and my friend and hes a little paranoid so im making a post to also check if its real

So is the real site is the one in the picture and what do i do if it found a data leak? Do i just change password? And how do i check if its a old password? I havent used it so i dont know

Yes it's real. It only tells you if your login email was in a breach. It doesn't have or the ability to compare legacy passwords. Assume if the account is there...everypassword you used on it is burnt. Also don't reuse passwords. Once a single breach is found they will credential stuff that user pass combo everywhere.

Yes that is the real site. You go onto the site, type your email, and it will tell you what site had the data breach (most commonly, though I believe it can show public infostealing dumps if indexed) and when it happened. If you keep track of your passwords, from there you should be able to figure out which password is now “known”, and change everything that uses it to a different password.

reddit.com › r/passwords › does it really make sense to use have i been pwned?

r/Passwords on Reddit: Does it really make sense to use Have I Been Pwned?

March 29, 2025 -

I’ve been wondering how effective HIBP actually is. When a site gets breached, the leaked data is often sold or circulated in private before it’s added to public forums on dark web and then to breach databases like HIBP. By the time my password shows up there, it might be too late to do anything useful.

Also my email - unless it is unique, random address, it is visible in public web anyway. So why should I look for it on dark web?

Your the only one that will have your own unique email - otherwise your mail would never arrive. When YOUR user name password combo is breached it's better to know than to not, so you can decide what's best for you. Better still - use unique passwords over every website for prevention.

Passwords are not always compromised through websites. They can be stolen by info-stealer malware on your own computer, which you may not even notice. Due to the large volume of stolen data, these databases are placed for sale to scammers. Unless you're a very specific target (like a public figure) you have chance to find your password earlier.

reddit.com › r/cybersecurity › haveibeenpwned malicious purposes

r/cybersecurity on Reddit: HaveIBeenPwned malicious purposes

June 29, 2024 -

I believe many of you are familiar with the website haveibeenpwned.com. I recently checked it using an old email of mine and discovered that my address appeared in 11 data breaches 😅. This got me thinking:

Is haveibeenpwned.com not an ideal tool for blackhats? If someone is trying to find a victim's credentials, they could use this site to identify which breaches to target. From there, wouldn't it be relatively straightforward to obtain some hashes? Or is locating these data breaches the challenging part?

Wait untill you hear about DeHashed

Troy Hunt has a good write up of how the data is used in the FAQ section. Edit: Sorry, should've added, yes it is a bit of a pointer to breached datasets for simpler cracking. That being said, the bigger risk isn't what the contents contain it's when people use the same password repeatedly for other services. 2FA has become a standard for a reason now

Find elsewhere

Google Bing Mojeek

reddit.com › r/privacy › turns out i have been pwned, what now?

r/privacy on Reddit: Turns out I HAVE been pwned, what now?

November 21, 2024 -

I usually check haveibeenpwned.com every year or so and it's always come back negative for any breaches, until now. Turns out my info has been in 3 breaches in just the last 6 months, so what would be the best course of action here?

Use a dedicated pw manager, 1 random unique pw per service. Bitwarden, keepass, protonpass etc. Activate totp 2fa whenever possible. Ente auth, 2fas, keepass etc. Use a dedicated email alias service, 1 unique address per service. Simplelogin, addy.io, duck.com, firefox relay etc. Basically to clean up your digital opsec.

A few things to consider: - Change your email address for everything. Dedicated emails for different services, for example Gaming, Shopping, Personal, Work, Throwaway. - Change your passwords. Use a password manager like Bitwarden and generate long complex passwords or passphrases. NEVER save passwords in a browser. - Enable 2FA on everything possible. Yes, I know this is obvious but you would be really surprised to know that many people stil don't use 2FA in 2024. This is an obvious recommendation, but stop using the same email address for everything. My friend used to use 1 email address for everything (banking, personal, work, gaming, shopping and random sites). He almost lost everything because of this. Don't be my friend.

reddit.com › r/netsec › haveibeenpwned.watch - open-source, no-fluff charts showcasing haveibeenpwned.com's pwned account data

r/netsec on Reddit: haveibeenpwned.watch - Open-source, no-fluff charts showcasing haveibeenpwned.com's pwned account data

June 23, 2025 -

After discovering that the haveibeenpwned.com data is accessible via the API and noticing the lack of a visualization tool, I dedicated a few evenings to building haveibeenpwned.watch. This single-page website processes and presents data on leaks from Have I Been Pwned, with daily updates.

The site provides details on the total number of recorded breaches, the number of unique services affected, and the total accounts compromised. Charts break down the data by year, showing the number of breaches, affected accounts, average accounts breached per year, accounts by data type, and accounts by industry. Additionally, tables highlight the most recent breaches, the most significant ones, and the services with the highest number of compromised accounts.

Though simple, the website can be a useful resource for use cases like strategic security planning, cybersecurity sales, risk assessment, or simply tracking trends in the security landscape.

The website is open source, with its repository hosted on GitHub.

Troy's site was breached?

Time since breach date to publish in HIBP What's the time unit?

reddit.com › r/privacy › is it safe to check my passwords using have i been pawned?

r/privacy on Reddit: Is it safe to check my passwords using Have I Been Pawned?

April 19, 2019 - is there any way to navigate this increasing problem of lowering privacy...without losing your mind? ... I am frustrated by these attacks on our privacy. ... YSK You can check if your email or phone number are compromised for free at haveibeenpwned.com, and it will tell you exactly how the leak occurred

reddit.com › r/asknetsec › is haveibeenpwned accurate???

r/AskNetsec on Reddit: Is haveibeenpwned accurate???

November 4, 2021 -

I have heard about haveibeenpwned and checked if my email or password was pwned but it wasn't still I recieved login attempt on instagram so is it accurate ?

But there was data breach from instagram of 2.6 million users same day when i got login attempt..

Note - I have not clicked any phis link etcc.....

There are likely tons of credentials that have been stolen that we don't know about. Haveibeenpwned only knows of the ones that have been publicly discovered and disclosed. It's not like they magically know everyone affected by every single hack in existence. If you're getting login attempts and you're worried about it, you should probably enable 2FA and change your password to something you've never used before... or get a decent password manager that can handle both.

While Instagram may have had a breach it doesn't mean your data was compromised. Haveibeenpwned say it doesn't have all the breaches. It's an imperfect, but a good tool. It can only work with the info it is given. If it was a recent breach then haveibeenpwned would need to verify the info before putting in their databases. I believe haveibeenpwned only put your info in their databases if it's been shown available somewhere. So if there has been a breach and the hacker doesn't post the info it wouldn't be in haveibeenpwned. Someone can try to log into your account even if there has been no breaches to a site. An attempted login doesn't mean your info from that site was compromised. Someone could just be trying random emails or found an email/password for another site and trying it on another. Enable 2FA if available and don't reuse passwords.

reddit.com › r/privacy › haveibeenpwned.com passwords

r/privacy on Reddit: HaveIBeenPwned.com Passwords

January 26, 2022 -

I know this website is safe to check your email addresses. I noticed that there is a 'Passwords' section and you can enter your passwords in there to see if they have been breached.

This might sound like a stupid question, but is it actually safe to enter your password here to check to see if it has been breached?

its not a stupid question. id rather not do it by password.

They claimed to use k-anonymity if you trust them. The page source shows that it requires java script to use and employ google analytics. Here's a link for using k-anonymity to check password breaches by cloudflare who handle and caches the api used in https://haveibeenpwned.com/Passwords

reddit.com › r/steam › looked up gaben's email on have i been pwned

r/Steam on Reddit: Looked up Gaben's email on Have I Been Pwned

September 13, 2024 -

the photos don't even show half of them 😭😭

also club penguin's in there😭

These emails are probably just trolls that use his email to sign up to stuff. Gaben has openly admitted that he reads all his emails so the people doing this are probably just wanting to troll him. His valve email is most definitely not what he uses personally.

Zygna being recognized as the creator of words for friends and not FarmVille makes me feel old as shit

reddit.com › r/sysadmin › passwords from breaches - how insecure are they really?

r/sysadmin on Reddit: Passwords from breaches - how insecure are they really?

July 10, 2023 -

Doing a password audit to make sure that we don't have any truly terrible passwords sitting out there. Typical best practice and NIST say you shouldnt be using passwords that were part of a breach. I ran our hashes against the haveibeenpwned list and we got a few hits. Then I started thinking, the haveibeenpwned list contains hundreds of millions of passwords, over 613 million. There are enough in there that you can pick a good password and it still be in a breach and therefore a "bad" one. If I'm trying to protect against a password spraying attack - how critical is it to include all 613 million passwords as bad? If I have a user with the password "password1" and another user with the password "ch%^7d5vjsFHrd5(jd*6" is it worth it to treat them the same? If I was an attacker conducting a password spray attack I'd grab the top 100 passwords by frequency and run with those.

If I have a user with the password "password1" and another user with the password "ch%^7d5vjsFHrd5(jd*6" is it worth it to treat them the same? If you're dealing with hashed passwords, how are you going to know which is which?

Many people reuse the same password over. Also haveibeenpwned is geared more towards personal users, but if they use the same password for work accounts and home accounts then they are putting the work accounts at risk.

reddit.com › r/privacy › how has haveibeenpwned.com worked for you, has it ever not worked? it didn't list my breached netflix account.

r/privacy on Reddit: How has haveibeenpwned.com worked for you, has it ever not worked? It didn't list my breached Netflix account.

June 9, 2023 -

I had put in my email once years ago and thought I'd get notified after that of any breaches. I was wondering how some strangers got a hold of my Netflix account, and I found it out it was in a data breach when going through my iCloud passwords. I looked back at the site and I didn't actually opt into email notifications. However, when I put my email in again to check, it didn't list the Netflix account as part of being pwned.

I don't think there has been a Netflix breach in the way you are imagining. If your Netflix account was compromised, it was probably because you were using weak passwords or reusing passwords that were found in a breach from a different service.

Apple uses the haveibeenpwned API to check for breached passwords. Have you tried putting the breached password into haveibeenpwned?

Have I Been Pwned

haveibeenpwned.com › PwnedWebsites

Have I Been Pwned: Who's Been Pwned

Every breached website added to Have I Been Pwned appears here on the Who’s Been Pwned page. As of today, there are 929 breached sites listed.

reddit.com › r/privacytoolsio › is safe to subscribe to "have i been pwned?"?

r/privacytoolsIO on Reddit: Is safe to subscribe to "have i been pwned?"?

July 28, 2021 -

Subscribe is necessary to search in sensitive breaches. Does have i been pwned? has a good reputation of being privacy-friendly?

Troy Hunt is a very well-known, respected, security guy. There was a brief moment when he was thinking of selling HIBP, and then all bets would be off, but that didn't happen. As long as Troy is running it directly, I'm comfortable with the idea of subcribing. The problem is what happens if he ever does sell it. Sure, in the beginning the acquiring company will make all sorts of assurances, but we know how that works.

Yes. HIBP are highly respected, so maybe think of it this way. If you did NOT subscribe, what would you gain? You would NOT have given your e-mail addresses to someone. If you DID subscribe, what would you gain? You would be notified of any known data breaches involving websites and web accounts that already have your e-mail addresses on file. 1Password, Bitwarden and Enpass password managers all rely on HIBP for their data breach checks. So you have highly respected companies whose reputations and businesses are directly linked to their faith in HIBP's trustworthiness. Use alias e-mails such as AnonAddy, SimpleLogin etc. for your online accounts, and if a breach does occur an e-mail can be ended and its replacement recreated quickly.

reddit.com › r/techsupport › am in danger if i have been pwned once?

r/techsupport on Reddit: Am in danger if I have been pwned once?

July 3, 2024 -

I checked the Have I been Pwned and it says I have been exposed to one data breach. Am I in danger - I know it's only one but I'm still worried about it.

Only once? Those are rookie numbers! Start using the internet dude! Have a password manager, random password everywhere and laugh at those breaches.

Use a decent password manager. I'm sold on 1Password now after switching from Lastpass. I'm in 39 breaches, which isn't that many given how many American's think my email is that of their favrourite radio station...

reddit.com › r/hacking › how dangerous are data breach warnings from haveibeenpwned?

r/hacking on Reddit: How dangerous are data breach warnings from haveibeenpwned?

February 29, 2024 - Ask the community and try to help others with their problems as well. Note: Reddit is dying due to terrible leadership from CEO /u/spez. Please use our Discord server instead of supporting a company that acts against its users and unpaid moderators. ... I checked the haveibeenpwneed, site,and i discovered my data was leaked.