Two billion email addresses were exposed

Password logins, passkeys, and missing standards

  • Commenters lament that despite endless breaches, there’s still no standard way for password managers to auto‑rotate passwords across sites.
  • Some argue that if such a standard existed, it would be easier to just move fully to passkeys; others note passkeys are opaque, hard to explain, device‑tied, and not backwards‑compatible.
  • Frustration that HTTP auth never evolved into a modern, user‑friendly, secure standard; passkeys partly solve things but don’t help with legacy logins.

Email aliases, vanity domains, and HIBP friction

  • Many use per‑site/vanity addresses and catch‑all domains to track leaks and spam origination.
  • A recurring complaint: domain search in the service becomes paid once you cross ~10 breached addresses, making it expensive for heavy‑alias users to see which addresses were hit.
  • Some see value in per‑site addresses for attribution and spam control; others note practical annoyances (replying from aliases, services rejecting “+” emails, vendor lock‑in with Apple’s “Hide My Email”).

How bad is an exposed email address?

  • Some see email as essentially public (like an IP or phone number) and think the real risk is passwords and other PII.
  • Others stress that email is the key identifier tying you into breaches: once combined with weak/reused passwords or “stealer logs,” it enables account takeover, targeted phishing, impersonation and scams.
  • Stories are shared of old domains lapsing and being re‑registered to hijack accounts, and of credential stuffing against high‑value accounts.

Mitigation habits and breach fatigue

  • Many report using unique per‑site passwords via managers (Bitwarden, 1Password, KeePass, Proton Pass, etc.) plus 2FA, sometimes also per‑site email aliases.
  • Several say they now assume all their data is leaked and focus on: strong unique passwords, 2FA, credit freezes, and not sharing real addresses/phone numbers unless legally required.
  • There’s widespread cynicism: repeated breaches, minimal corporate or regulatory consequences, and “too many accounts” make people numb to new leak headlines.

Critiques and defenses of Have I Been Pwned

  • Positive: the service drives awareness, underpins password‑checking features in managers, and exposes the scale of credential‑stuffing datasets.
  • Negative:
    • Aggregate dumps like this one don’t reveal which site or password was compromised, leaving users with “you’re at risk” but no clear action beyond generic hygiene.
    • Domain search/paywall behavior around high‑volume aliases feels like upselling to some.
  • Defenders note the service intentionally doesn’t store email–password linkages, only separate email and password datasets, to avoid becoming a prime target; users are expected to bulk‑check passwords via password‑manager integrations or the password API.
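The bulk-check workflow referred to above, as an added example that is not from the discussion or from HIBP's own code: the client hashes each password with SHA-1, sends only the first five hex characters to the public range endpoint (https://api.pwnedpasswords.com/range/), and matches the remaining 35 characters locally against the returned SUFFIX:COUNT lines, so no password or full hash ever leaves the machine. The endpoint URL and response shape are the published ones; the sample response, its counts and the `sample_fetch` stand-in for the network are constructed for this example.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """SHA-1 the password (the hash the range API keys on) and split the hex
    digest into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines returned for one prefix into a dict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:  # skip blank or malformed lines
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str) -> str:
    """Live lookup against the k-anonymity endpoint (needs network access)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def bulk_breach_counts(passwords, fetch=fetch_range) -> dict[str, int]:
    """Check many passwords, fetching each 5-char prefix once; this is how a
    manager's bulk 'pwned password' check can be batched without sending hashes."""
    cache: dict[str, dict[str, int]] = {}
    result: dict[str, int] = {}
    for pw in passwords:
        prefix, suffix = sha1_prefix_suffix(pw)
        if prefix not in cache:
            cache[prefix] = parse_range_response(fetch(prefix))
        result[pw] = cache[prefix].get(suffix, 0)
    return result

# Constructed offline stand-in for the API: a made-up count for "password"
# (prefix 5BAA6) plus two fake neighbours; any other prefix returns nothing.
SAMPLE_RESPONSES = {
    "5BAA6": "0" * 32 + "AAA:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
             + "F" * 35 + ":1\r\n",
}

def sample_fetch(prefix: str) -> str:
    return SAMPLE_RESPONSES.get(prefix, "")
```

Replace `fetch=sample_fetch` with the default `fetch_range` to query the live service; a count of 0 means the suffix was absent from the returned range, not that the password is strong.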

Scale and infrastructure discussion

  • Some question the choice of Azure SQL Hyperscale and multi‑week processing, suggesting simpler, cheaper designs (sorted binary hash files on object storage).
  • A maintainer responds that most heavy lifting is done by custom CLI tools; SQL was chosen for operational familiarity and backup/restore guarantees, not raw speed, and future large imports should be faster with new tooling.