
I’ve never been able to figure out how haveibeenpwned.com can be useful to me, since I have had the same email address for many years and I don’t want to give it up. Do people get a new primary email address every time their address shows up in a breach list like haveibeenpwned ?


For personal use: To know what services you use have been breached. You can then follow it up with ensuring you rotate the password on that site/service.

If they have other PII of yours, it's a heads up that scammers might target you and/or your family with that information.

For work use: To monitor which sites/services employees use with work email addresses, and use it as a reminder/reinforcement that they should rotate credentials used on that service, and if they're reusing them at work - to change them there, too.


Your identity isn't a problem! It's the password bit.


Until it is

https://en.wikipedia.org/wiki/Ashley_Madison_data_breach

Using different random email aliases for each service is as much best practice as is different random passwords.


I have my own mail server and set up a catch-all alias to a single account. So I can generate -- on the fly -- e-mails for services.

- Apple: me.apple@example.com

- Google: me.google@example.com

- Uber: me.uber@example.com

- Tinder: me.tinder@example.com

- random business: me.randombusinessname@example.com

This helps me with the following:

- unique usernames and passwords for each service

- easily able to tell when a service sells my information or gets hacked/breached

- "haveibeenpwned" also allows mail server owners to get access to reports for all addresses on a domain and receive notifications on breaches

- much easier to remember and communicate with others as compared to iCloud hide my e-mail addresses

- on the outgoing/sending, re-writing the "from" address field in e-mails is very easy to do


If you use this approach, once 10 of your aliases are in the HIBP database you will need to pay for a subscription to see breaches for your domain (and even then the $40/year tier is only good for 25 aliases).

I wish HIBP had a solution for those of us who are individuals but use a domain catchall to manage online accounts.


Yes it really does suck - apparently I've been breached numerous times but I can't see details without paying.


I used to have a primary email address as well (which occurs in several HIBP breaches). I never gave it up, I still have it to this day for sending personal mail. However, I started using service-specific email addresses (e.g. hackernews@example.org) at some point, gradually transitioning every account I registered somewhere to this new scheme. They all end up in the same inbox, together with the emails from the original address. If one of them ends up in a breach, I block delivery to that service-specific address and add a new one.
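The two comments above (the `me.<service>@example.com` catch-all scheme and the "block delivery to the burned alias" routine) describe a per-service alias policy without showing the routing logic behind it. The following is an added example, not code from either commenter's mail setup: a small Python policy that derives an alias for a service, recovers the service tag from an inbound recipient, rejects aliases that have already shown up in a breach, and flags mail for a service alias that arrives from a sender domain the service was never expected to use (the "sold or leaked" signal). The alias prefix `me`, the domain `example.com`, the burned-alias set, the expected-sender table and the sample envelopes are all constructed for this illustration.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional

# Constructed configuration for the example (not any real deployment).
CATCHALL_DOMAIN = "example.com"
ALIAS_PREFIX = "me"

# Service tags whose alias appeared in a breach list: reject at SMTP time
# instead of accepting and filtering, so the burned address stops working.
BURNED_TAGS = {"tinder"}

# Sender domains each service is expected to use. Constructed assumption;
# a real table is built from the legitimate mail you have already received.
EXPECTED_SENDERS = {
    "apple": {"apple.com", "email.apple.com"},
    "uber": {"uber.com"},
}


def alias_for(service: str) -> str:
    """Derive the alias to hand to a service: lowercase, alphanumerics only."""
    tag = re.sub(r"[^a-z0-9]", "", service.lower())
    if not tag:
        raise ValueError("service name has no usable characters")
    return f"{ALIAS_PREFIX}.{tag}@{CATCHALL_DOMAIN}"


def service_of(rcpt: str) -> Optional[str]:
    """Return the service tag for an address on the catch-all domain, else None."""
    _, addr = parseaddr(rcpt)
    local, _, domain = addr.lower().rpartition("@")
    if domain != CATCHALL_DOMAIN:
        return None
    prefix, _, tag = local.partition(".")
    if prefix != ALIAS_PREFIX or not tag:
        return None
    return tag


@dataclass
class Verdict:
    action: str            # "reject", "deliver" or "flag"
    service: Optional[str]
    reason: str


def _domain_matches(sender_domain: str, expected: set) -> bool:
    """True if the sender domain is one of the expected domains or a subdomain."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in expected)


def classify(mail_from: str, rcpt_to: str) -> Verdict:
    """Policy decision for one envelope (MAIL FROM / RCPT TO pair)."""
    tag = service_of(rcpt_to)
    if tag is None:
        # Note: a production policy must still accept RFC-required addresses
        # such as postmaster@; this example only models the alias namespace.
        return Verdict("reject", None, "recipient is not a service alias")
    if tag in BURNED_TAGS:
        return Verdict("reject", tag, "alias retired after a breach")
    _, sender = parseaddr(mail_from)
    sender_domain = sender.lower().rpartition("@")[2]
    expected = EXPECTED_SENDERS.get(tag)
    if expected and not _domain_matches(sender_domain, expected):
        # The alias was only ever given to one service, so mail from an
        # unrelated domain means the address leaked, was sold, or was scraped.
        return Verdict("flag", tag, f"alias for {tag} used by {sender_domain}")
    return Verdict("deliver", tag, "sender matches the service")


if __name__ == "__main__":
    # Constructed sample envelopes, one per branch of the policy.
    samples = [
        ("no_reply@email.apple.com", "me.apple@example.com"),
        ("deals@spamhouse.example", "Uber <me.uber@example.com>"),
        ("match@tinder.com", "me.tinder@example.com"),
        ("anyone@example.net", "bob@example.com"),
    ]
    for mail_from, rcpt_to in samples:
        v = classify(mail_from, rcpt_to)
        print(f"{v.action:8} {rcpt_to:30} {v.reason}")
    print(alias_for("Random Business Name"))
```

The outbound half of the scheme (rewriting the From header to the alias when replying) is just `alias_for(tag)` applied to whichever service the original mail was classified under; the MTA-side work is pointing the catch-all at this policy and returning a 5xx for "reject".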


I do too. Though it does get awkward when dealing with a human related to that site. E.g. a small time hotel phoning about a booking or a local events organiser, they all seem weirded out that I have their name in my email address... :) I often rely on Fastmail's email masking these days instead, which at least reduces that human interaction awkwardness.


It's more than just the email. If you're in the breach, it might now publicly tie your email to things like your real name. You also have to worry if you reuse passwords (which you shouldn't do even if you haven't been in a breach), because now the password in the breach is known to be used with that email address, and attackers will pivot to other services to try those same credentials elsewhere.


They change their passwords...



