I've seen this recommendation so many times but have always wondered what's to stop haveibeenpwned from collecting emails themselves.
Am I overthinking this?
You're not wrong. I think they do show leaks without needing to input your info. I mean, they already have your email. The thing they don't have is whether or not the email belongs to someone that cares about whether they've gotten their email leaked, if that makes sense. And maybe tie it to an IP address too.
reply
Yeah, it does make sense, thanks!
I've since read their privacy policy and it seems they do address my concern in there. (See my reply to @nullama)
reply
Fair enough.
It's a legit website from a legit security researcher, but yeah, you would have to trust it somehow...
Keep in mind that most people give away far more personal information on a daily basis than just a single email anyway.
reply
Well, at least their privacy policy includes this assurance:
"We do not collect or store your personal information when you conduct a search in the HIBP database. Searching for an email address or phone number only ever retrieves the data from storage then returns it in the response. The data from the search is not explicitly stored anywhere."
You still have to trust them, though...
reply
Good find, yeah they can only do so much.
reply