
> Does it feel like this site is itself a vulnerability? It seems like being able to go type in anybody's email address and just get a list of sites where it was found would be part of an OSINT process.

I think it is a reasonable trade-off. For non-technical people (i.e. ~everyone) it provides a really useful service where you can see if your data has been leaked and what passwords to reset. For bad guys it makes their lives a little easier by creating a quick lookup and potentially knowledge about some leaks they weren't aware of, but ultimately there'd be a dark web version if HIBP didn't exist.

I think there's also a lot of PR value in a site like HIBP. If a non-technical person sees a headline like "400 million customer records leaked by Big Corp" it feels pretty abstract, but if you go and type your email address into HIBP and see a list of companies who have leaked your email address (and most likely some other data) it feels more personal.



