Two Billion Email Addresses Were Exposed
Posted about 2 months ago. Active about 2 months ago.
Source: troyhunt.com | Tech story | High profile
Key topics
Data Breaches
Password Management
Email Security
A massive dataset of 2 billion email addresses was exposed, sparking discussions on password management, email security, and the utility of services like Have I Been Pwned.
Snapshot generated from the HN discussion
Discussion activity: very active. First comment 10m after posting; peak period 151 comments on Day 1; average 32 comments per period (based on 160 loaded comments).
Key moments
- Story posted: Nov 6, 2025 at 3:20 PM EST (about 2 months ago)
- First comment: Nov 6, 2025 at 3:30 PM EST (10m after posting)
- Peak activity: 151 comments in Day 1 (hottest window of the conversation)
- Latest activity: Nov 17, 2025 at 3:09 AM EST (about 2 months ago)
ID: 45839901 | Type: story | Last synced: 11/22/2025, 11:47:55 PM
They're hard to explain to users, the implementations want to lock people to specific devices and phones, you can't tell someone a passkey nor type it in easily over a serial link or between two devices which don't have electronic connectivity.
It's a shame, IMO, that Basic Auth never got updated or superseded by something with a better UX and with modern security.
I understand they gotta make a buck, but I find it interesting this is the first real negative to running a unique email address per company/site I work with.
Email addresses are not secrets under any stretch of the meaning of that word.
For ID fraud, more than an email address has to be leaked.
I might not get an email if someone gets that account info.
In practice, anything that high-profile will be plastered all over every tech news site, Twitter, Reddit, probably even the news. It would be difficult for MasterCard/Visa to have data leaks, even just email/pass, fly under the radar (I imagine...)
Oracle tried to cover up a data leak, and it didn't go great. Oracle touches nowhere near as many everyday people as MasterCard does.
Edit: When I try to do a domain search I get told:
> Domain search restricted: You don't have an active subscription so you're limited to searching domains with up to 10 breached addresses (excluding addresses in spam lists).
My domain has 11 breached addresses.
But I think you are right, because I only have 3 breached addresses under my domain (I do see the 10 addresses wording under subscriptions)
I understand, but it's frustrating.
Log into dashboard, under business there is a domains tab. Enter your domain there and verify ownership. Didn’t ask for payment.
Harvesting potential targets is one part of it i.e. establishing someone was using an email address is the entry point. There's a lot of emails, so associating them to any particular website is right near the start. Establishing that they're active increases their value further.
The people responding to Troy here for example are technically doing that: they clearly monitor the email or still use it, so addresses which respond go up in value.
The parent can log in because they have a map of site<->password. But without either the site or the password, the notification that an email address is compromised is useless.
So cost was always part of this strategy
I meant that you are already paying for those, so being charged by providers to support our hacky email addresses is not a novelty introduced by Troy's service
In a way if I reply, the other party gets upgraded to one of my 5 addresses, so if they send an email to ContosoCoffeeShop@myname.com I might reply from whatever flavour I'm using nowadays or is more appropriate like hello@myname.com
It's like a 3 layer security system, the least privileged get access to one very specific address, if they send me an email which makes sense and I reply, they get upgraded to a bucket. I might sign up directly with a bucket email and skip the most paranoid layer, that's fine.
In general I try to take more care of the newest alias and become more liberal with my older more ruined addresses, alias1@ has like 8 years of signups, while alias5@ has just 1 if any. And I'm sure the list will grow.
Downside is that if there's a leak it's harder to attribute exactly, but at least I can check the recipient to get some kind of hint.
It's more like art than it is a water-tight security protocol. You paint the world with your wacky addresses and occasionally surprise the observant employee with the inverted expectations (usually the name comes before the at)
Thank you for coming to my ted talk.
If I ever have to give a generated address out to an actual person, then I'll let them know replies will come from a different address. So far I'd guess 99.999% of the emails I received are transactional emails and/or sent from noreply@...
Far more annoying are a few websites I use that only support magic links for login--my password manager doesn't auto fill them, and some of them I now have a number of accounts at due to inconsistent spelling/formatting.
[1]: https://www.troyhunt.com/welcome-to-the-new-have-i-been-pwne...
I guess what I want to say is beware that even something as innocuous as an email being leaked can cause problems, and make sure you delete any unused addresses from your accounts!
* blackmail the account owner
* make up an illness, create a donation page and get all their friends to donate
* find all connections over a certain age and disguise a phishing vector as literally anything!
* so many more
Just having a family, kids, bills, schools, jobs, credit cards, banks, investments, insurance, shopping etc etc - the number of accounts many of us pick up can easily get into the hundreds.
If either ever stop period, especially one day to the next, FML...
It's not just email addresses. It's address + password combos.
But also, how did 2 billion email addresses get exposed? Assuming I give an email address to a company (and only that company), if someone gets access to that email address they either got it from me or that company. Knowing the company has sold, lost, or poorly protected my email address tells me they are maybe not worth working with in the future.
The list contains emails which have been part of some other breaches. In my domain I have 2 emails that were exposed that weren't my normal email address. One of them was a typo that I used to sign up for one service which was later breached. The other one was something someone used to register to a service that I have never used & that service was later breached. Those emails have never been used for anything else as far as I'm aware.
Of course, judging from what was posted, there are likely some other services as well which were breached but weren't noticed/published until now.
If the attacker steals the entire password table undetected, they have a large amount of time to generate soft collisions. After all they don’t need to hack any particular account, just some 50% of the accounts.
The time can be increased by some coefficient via salting, but the principles remain the same.
It's becoming less and even languages with a "strong legacy body" like PHP have sane defaults nowadays, but I do see them around when I do consultancy or security reports.
"Never fix something that ain't broken" also means that after several years or a decade or more, your "back then best security practices" are now ridiculously outdated and insecure. That Drupal setup from 2011 at apiv1docs.example.com could very well have unsalted hashes now. The PoC KPI dashboard that long-gone freelancer built in Flask 8 years ago? Probably unsalted hashes. And so on.
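The two comments above describe why unsalted hashes in a stolen password table are a problem: identical passwords produce identical hashes, so one crack covers every user sharing that password, and a per-user salt removes that shortcut. The following is an added illustration written for this summary, not code from the thread or from any of the products it mentions. It builds a constructed three-user table two ways (plain SHA-256 versus PBKDF2-HMAC-SHA256 with a random 16-byte salt), counts colliding stored hashes in each, and verifies a salted entry in constant time.

```python
# Added example (not from the discussion): unsalted vs per-user salted password storage.
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample "password table": alice and bob deliberately share a password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "Tr0ub4dor&3",
}


def unsalted_hash(password: str) -> str:
    """Legacy scheme: plain SHA-256 with no salt. Equal passwords yield equal hashes,
    so a single cracked hash (or a precomputed table) matches every user who shares it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random per-user salt.
    Stored form is 'iterations$salt_hex$hash_hex' so verification can recover both parameters."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${binascii.hexlify(salt).decode()}${binascii.hexlify(dk).decode()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count;
    compare with hmac.compare_digest to avoid a timing side channel."""
    iterations, salt_hex, dk_hex = stored.split("$")
    salt = binascii.unhexlify(salt_hex)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(binascii.hexlify(dk).decode(), dk_hex)


def count_duplicate_hashes(table: Dict[str, str]) -> int:
    """Number of users whose stored hash is identical to at least one other user's hash.
    In an unsalted table this is exactly the 'crack one, get all' exposure."""
    counts: Dict[str, int] = {}
    for h in table.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(c for c in counts.values() if c > 1)


def build_tables() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Hash the constructed sample users under both schemes."""
    unsalted = {user: unsalted_hash(pw) for user, pw in SAMPLE_USERS.items()}
    salted = {user: salted_hash(pw) for user, pw in SAMPLE_USERS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted duplicates:", count_duplicate_hashes(unsalted))  # alice and bob collide
    print("salted duplicates:  ", count_duplicate_hashes(salted))    # none, salts differ
    print("alice verifies:", verify_salted("correct horse battery staple", salted["alice"]))
```

The iteration count (600,000) is the OWASP-recommended floor for PBKDF2-HMAC-SHA256 at the time of writing; the point of the salt is not the extra cost but that each stolen hash must be attacked individually, which is the "coefficient" the earlier comment refers to.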
In some cases the email address combined with the name of that site that leaked it can be enough to get people in trouble. E.g. "niche" dating sites.
For those of us who don't want to entrust this to Apple and who'd like to use our own domain?
That being said, this is a good list:
https://www.reddit.com/r/privacy/comments/108wzvg/what_is_th...
Not sure I trust the longevity of some of them, though. I do use https://temp-mail.org/en/ or other similar services for some logins for some services I'm not afraid to lose access to, though (especially for places likely to spam me).
I now use strong passwords stored in bitwarden to try to at least keep on top of that one piece. I'm sure there are unfortunately random old accounts on services I don't use anymore with compromised passwords out there.
Not really sure what if anything can be done at this point. I wish my info wasn't out there but it is.
Telephone number? There used to be phone books. And I still instinctively think they should be public.
What they do have is a searchable password list not connected to any usernames.
I used to think the same. Around here I feel until a few years ago most people I knew with secret phones were people I would prefer to have fewer interactions with: people who frequently got into trouble, tried to scam others etc.
These days I’m more in the camp of layered security. Whatever I can do to make it harder for an attacker, the better.
> I have used https://www.fastpeoplesearch.com/ a couple of times to search for people's addresses and it really works.
Tangential:
Sorry, you have been blocked You are unable to access fastpeoplesearch.com
(Safari on a stock iPhone, mobile broadband from the biggest and most well known telecom company in my country, ipv6 address.)
"Forget Hackers! Phone Company Delivers Your Private Info—Including Your Home Address—Directly to Strangers!"
I got a confirmation mail from System76, because apparently they feel the need to validate my credit card can’t be used without my approval, but my bank does this by default…
Most banks in America indeed do offer (for free) the option to be notified for each transaction if you want.
One's employment history is not a factor in the score at all (contrast this with Europe).
Furthermore, privacy in the USA is so bad, the leaking of one's personal details which criminals can use to fraudulently obtain credit and ruin said score and possibly also one's finances is a major concern. Hence, "credit monitoring" exists in order to catch this kind of criminal activity in the act, and I don't know, become completely exasperated with the amount of ass pain that dealing with this then causes.
https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
edit: the relevant text is below
> The data breach compromised highly sensitive 127-page Standard Form 86 (SF 86) (Questionnaire for National Security Positions).[8][18] SF-86 forms contain information about family members, college roommates, foreign contacts, and psychological information. Initially, OPM stated that family members' names were not compromised,[18] but the OPM subsequently confirmed that investigators had "a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective federal government employees, to include U.S. military personnel, and those for whom a federal background investigation was conducted, may have been exfiltrated."
They even got my kids social security numbers.
Best when paid for so you can do 2FA with TOTP codes!
1. On Firefox first start-up is slow after unlocking to actually find a password for a site. The interface says, "No logins for xyz.com" for maybe 5 seconds before the login loads.
2. Along those lines when I open it first thing in FF the box for its password isn't focused and I have to click it.
3. The keyboard combo to open it also only works in Chrome.
4. To add a new login I have to go to the site. I haven't figured out how to do it from within the plugin.
5. We get alerts at least once a week about service disruptions but they don't seem to actually affect me.
6. I like Bitwarden's command line tool but I bet 1Password has something at least as good that I haven't found yet.
My bank (I mean, they use SMS, but pretend they use TOTP) just care about not having to spend money on support because I used "password1!" as my password for every account and lose all my money.
I just want to log in to my bank.
If I've got a long, random, unique, securely-stored password, I don't actually care about having a second factor, I'm just enabling TOTP so that I don't have to copy/paste codes from my email or phone.
I'm not comfortable with my entire online identity being protected by a single line of defence which is a company that I'm paying a few dollars a month to. Not having to type 6 digits off a phone is a pretty minor convenience for me.
Proton also has a separate 2fa totp app.
Server-side (assuming weak password storage or weak in-transit encryption) or phishing (more advanced phishers may get the codes too but only single instance of the code, not the base key).
> What is stopping webmasters from using 100FA?
The users would hunt them down and beat them mercilessly?
At that point, frankly, I am gaining nearly nothing from external TOTP for most services. If you have access to my Vault, and were able to fill my password from it, I am already so far beyond pwned that it’s not even worth thinking about. My primary goal is now to get the website to stop moaning at me about how badly I need to configure TOTP (and maybe won’t let me use the service until I do). If it’s truly so critical I MUST have another level of auth after my Vault, it needs to be a physical security key anyway.
I was begging every site ever to let me use TOTP a decade ago, and it was still rare. Oh the irony that I now mostly want sites to stop bugging me for multiple factors again.
I get amazing convenience with this setup, and it’s still technically two factor. To get into my Bitwarden account you need to know both my Bitwarden password and have my yubikey. If you can get into my Bitwarden, then I am owned. But for most of us who are not, say, being specifically targeted by state agents, this setup provides good protection with very good user experience.
The individual plan is $10 a year. I've been a happy user for many years. I converted the last business I was at to exclusively using Bitwarden for Business as well.
[1] https://github.com/bitwarden/
[2] https://bitwarden.com/help/is-bitwarden-audited/
For a week I've been using KeePassXC + Syncthing between four devices. Syncthing is also syncing my Obsidian vaults, which have replaced Apple-only Notes.app.
Bitwarden is definitely more polished, and Syncthing is definitely (much) more fiddly than using Bitwarden's and Obsidian's ($5/mo) native syncing tools.
But I like the idea of having the same syncing solution across all apps on all devices. Curious if anybody can recommend this setup or if collisions will make it unbearable.
The Bitwarden client will sometimes log you out if something happens on the server side, which has the potential to make worst case recovery from annoying to impossible. The circular dependency of having my cloud backup password in the vault made me nervous.
Yes, you can back your vault up, but it's a manual step and likely to be forgotten.
I still recommend Bitwarden for password management for any "laypeople" since it will just work. Also worth noting that the basic functionality is free.
(go-)pass automatically does a push/pull due to several operations which keeps the password store in sync and Syncthing does its thing with the bare repos.
This has reduced my maintenance burden on my spouse's devices down to practically zero. The worst case to fix things is I need to `git pull --rebase` in the bare repo. The pass repo format uses individual encrypted files for each password entry (for better or worse) so I have yet to run into a conflict in the same entry.
Why not just push/pull git branches normally? I had previously been doing that but if you want devices to sync that may not always be online, then you must involve an always online git server (which isn't a great idea due to one of pass's weaknesses).
I suppose I can avoid the issue with some discipline.
I've switched to KeePassium. Not quite as polished UX, but works for me
SyncTrain has been working well, but all the knobs in the advanced folder settings definitely remind me that I would never recommend it over Dropbox/iCloud/etc to almost anyone, heh.
But as long as I don't run into frequent problems, I like the idea of p2p device syncing over LAN. The phone in my pocket ends up passing around the latest copy since my other devices are almost never on at the same time. It's kinda cute.
In the almost 10 years I've been running this setup, I think I hit a conflict one single time. I don't quite remember the details, but I think I accidentally edited something in the mobile app, and before saving, edited something else in the desktop app or vice-versa. So it was pretty much my fault.
Other than that, literally never had an issue. Password managers are by their nature mostly reads, and very occasional writes, so it's very hard to put yourself in a situation where conflicts happen, even if you don't pay attention to it. I've made an identical setup for my (fairly savvy but non-technical) fiancee, and she's never hit an issue either. I had to insist a bit for her to get on board, but years later she actually loves using KeePass. She's thanked me multiple times for how convenient it is not having to remember passwords anymore!
1password works in all the places, it's just not open source.
288 more comments available on Hacker News