Have I Been Pwned 2.0

Design, Aesthetics & Trust

  • Many note the new dark, gradient-heavy style as part of a wider “Linear/Stripe/Tailwind” design trend; some call it slick, others “unreadable” if it ignores system dark/light preferences.
  • Several users say the redesign feels less trustworthy, like a generic template or “cheap gradients,” making them briefly wonder if they’re on a phishing clone.
  • Complaints about excessive vertical scrolling, a “doomscroll” vibe, and poor performance (especially on phones and older GPUs); multiple suggestions to compress card spacing and typography.

Timeline Ordering & Bugs

  • Multiple reports that breach timelines are out of chronological order; users speculate it’s mixing “breach date” and “disclosure/published date.”
  • Some users see breaches from companies they don’t recognize or even from before a domain was registered, raising questions about accuracy and misattributed or typo’d emails.
  • Various minor issues: 401 errors in console, search box not working or disappearing, back button losing results, pastebin entries not clickable for some users.

Security, Powerlessness & Practical Defenses

  • The scrolling breach history is described as “delightfully horrifying” and can make people feel powerless; others respond that tools like this are to prompt action, not fatalism.
  • Recommended mitigations: unique passwords, password managers, MFA, minimizing shared PII, using fake DOBs where legal, virtual/one-use card numbers, and email aliases or catch-all domains.
  • Some push back that even perfect password hygiene doesn’t protect leaked physical addresses or other PII.

Password Storage, Logging & Protocols

  • Shock that major sites still had unsalted/weakly-hashed passwords; explanations center on tech debt, legacy systems, sloppy logging that captures plaintext passwords, and weak internal security culture.
  • Discussion of better architectures: encrypting password fields with per-session public keys, SRP/PAKE-style protocols, and automated “canary” accounts plus secret-scanning to detect leaks.
  • Disagreement over how much large companies can reasonably be expected to do vs. organizational dysfunction and middle-management incentives.
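As an added illustration of the two storage and logging failures the thread describes (this is example code, not HIBP's or any discussed site's): an unsalted fast hash beside a salted slow KDF, and verbatim request logging beside a redaction filter and a crude secret-scanning pass. The key names, the regex and the sample log lines are constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets

# Defect 1 (the "unsalted/weakly-hashed" case): a fast, unsalted digest. Equal
# passwords give equal digests, so one cracked digest unlocks every account.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Fix: per-user random salt plus a deliberately slow KDF. PBKDF2-HMAC-SHA256 is
# used because it is in the standard library; Argon2id or bcrypt are preferable.
def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"  # self-describing

def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison

# Defect 2 (the "sloppy logging" case): request bodies written to logs verbatim.
# Group 1 = key plus separator, group 2 = key name, group 3 = the value.
_CRED_RE = re.compile(
    r'(?i)(["\']?(password|passwd|pwd|new_password|token|secret)["\']?'
    r'\s*[:=]\s*["\']?)([^"\'&\s,}]+)')

def redact_line(line: str) -> str:
    """Fix: scrub credential values before a line reaches any log sink."""
    return _CRED_RE.sub(r"\1[REDACTED]", line)

def scan_for_plaintext_credentials(lines):
    """Detection: a crude secret-scanning pass over existing log lines,
    returning (line_number, key) for every unredacted credential found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in _CRED_RE.finditer(line):
            if m.group(3) != "[REDACTED]":
                hits.append((n, m.group(2).lower()))
    return hits

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    'POST /login body={"email":"a@example.com","password":"hunter2"}',
    "GET /profile user=a@example.com status=200",
    "POST /reset new_password=correct-horse token=abc123",
]
```

Running `scan_for_plaintext_credentials` over the constructed lines flags lines 1 and 3; after `redact_line` the same scan finds nothing, which is the check a detection team would wire into log review.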

Legal, Regulatory & Incentive Debates

  • One thread argues HIBP should partner with class-action firms, and that payouts or fines should hurt enough that breaches stop being a “cost of doing business.”
  • Others warn that heavy automatic litigation could discourage disclosure and push companies back to “deny, deny, deny.”
  • Contrast between US class actions (small payouts, questionable deterrence) and EU-style large regulatory fines; debate over fines as revenue streams and their perverse incentives.

HIBP Features, Trade-offs & OSINT Concerns

  • Domain search and catch-all setups: individuals with many aliases feel squeezed by the paid domain tiers; some pay briefly to pull a report, others want a cheaper “single-person domain” tier.
  • Opt-out options are discussed in detail (hide from public search, delete breach list, or delete entirely), with a side concern about what happens if the opt-out list itself is breached (noted that emails are stored hashed).
  • Removal of phone/username search from the UI is lamented, especially where lawsuits used it to identify affected Facebook users; the API still supports it.
  • Several users explicitly say HIBP is valuable for OSINT: attackers and researchers can quickly learn which breach dumps to look up for a target. Others argue bad actors already have the dumps, and the net benefit to regular users outweighs this.
  • Some users are uncomfortable that anyone can see which dubious sites appear alongside their email; opt-out is suggested as mitigation.

Password Managers & Sponsorship

  • Many view funneling mainstream users from HIBP to a password manager as a major net positive.
  • Debate over 1Password sponsorship vs. recommending free/open-source options (e.g., Bitwarden, self-hosting). Points raised: cost, open source vs. proprietary, E2EE architectures, and trust after past password-manager breaches.

Access Controls & Captchas

  • Cloudflare/Turnstile and similar bot defenses are criticized for increasingly locking out a “single-digit percentage” of real users, especially with privacy tools or certain IP ranges.
  • Some report being blocked or heavily captcha’d by other services (e.g., search engines, Slack) and see this as a growing barrier to full participation online.