The downside to having many vanity urls and giving out a unique email address to each website you visit is that you cannot use haveibeenpwned without paying (despite being a single human). I have no idea how many email addresses I've given out over the years, probably hundreds across at least 6 or 7 domains, and they want to charge me a monthly fee to see which of those have been pwned.
I understand they gotta make a buck, but I find it interesting this is the first real negative to running a unique email address per company/site I work with.
The domain search feature on haveibeenpwned is/was free. I registered my domain on haveibeenpwned back in 2017 and I got two emails about breaches, one in 2020 and another in 2022. I did not pay.
It tells you that an address in your domain has been included in a breach. It doesn't tell you which address was included. That's what the OP and I are opining about.
It does. I just checked mine today. I can see exactly which individual email addresses in my domain were exposed and in which data leak. I have never paid for it.
Interesting. I'd love to see where you're seeing that. I'll go poke at the site a little more.
Edit: When I try to do a domain search I get told:
> Domain search restricted: You don't have an active subscription so you're limited to searching domains with up to 10 breached addresses (excluding addresses in spam lists).
Yep, if you have the good fortune of having many breaches while using companyname@example.org, the service requires that either you pay up or you have to guess and check.
Have I been pwned will tell me if the associated password for that site leaked. I create unique passwords per site, but let's say my mastercard login gets pwned -- that'd be one I want to change the password for right away.
I might not get an email if someone gets that account info.
In practice, anything that high-profile will be plastered all over every tech news site, twitter, reddit, probably even the news. It would be difficult for MasterCard/Visa to have data leaks, even just email/pass, fly under the radar (I imagine...)
Oracle tried to cover up a data leak, and it didn't go great. Oracle touches nowhere near as many every-day people as MasterCard does.
I'm in the same boat. I track all of the unique addresses I use (via my password manager) so I guess I could just check them all against HiBP's database. Kind of a pain in the ass, though.
Me too. It used to work for whole domains. Then I guess the limit was added as part of some kind of monetization push. I don't derive enough value to pay for a monthly subscription any time it occurs to me to check, nor figure out how to check addresses one-by-one programmatically. So the site is basically dead to me now. It's a shame because there were a few breached lists where people were speculating on where exactly they came from, and I was able to add to the discussion based on which of my tagged addresses were in the list.
I've had that experience re: my personalized addresses being used to more closely identify the source and time of a breach. When I start getting spam to one of my personalized addresses I'll usually reach out to the party for whom the address was created to let them know. Usually I get treated like a crank but occasionally I get somebody who understands and appreciates the help.
I use Bitwarden with a Vaultwarden server so I have some familiarity. Bitwarden checks new passwords against HiBP. I'm not aware of functionality where it can retroactively check old email addresses or passwords to see if they're included in a breach.
Ahh, okay. I assume that's a part of the Bitwarden offering, presumably happening server-side. I'm just using their official client w/ a Vaultwarden server.
It's not the email address itself that I care about, and that's not the service that the site provides. It tells you for which email addresses a related password has been pwned.
I don't understand... The password is the secret, right? If your mastercard login ends up in some breach, your password is protecting you. With or without vanity urls, if you have strong passwords you'll be fine.
Harvesting potential targets is one part of it i.e. establishing someone was using an email address is the entry point. There's a lot of emails, so associating them to any particular website is right near the start. Establishing that they're active increases their value further.
The people responding to Troy here for example are technically doing that: they clearly monitor the email or still use it, so addresses which respond go up in value.
The problem with catch-all inbox is when you have to reply to an email. Then you have to create the email address to be able to send emails from it. Or are there other solutions?
There's no solution to a non-problem. Precisely 3 of the hundreds of the generated email addresses I've given out over the past ~12 years have needed replies. When this happens, I simply reply from an address that actually does exist, while CCing the original generated address and setting it as the reply-to address.
If I ever have to give a generated address out to an actual person, then I'll let them know replies will come from a different address. So far I'd guess 99.999% of the emails I received are transactional emails and/or sent from noreply@...
Far more annoying are a few websites I use that only support magic links for login--my password manager doesn't auto fill them, and some of them I now have a number of accounts at due to inconsistent spelling/formatting.
True, I simplify it a bit based on the capacity of my mail provider. I have like 4 or 5 generic addresses that I give out and use for sending. Sometimes I mix up when sending, but my mail provider (zoho) is pretty decent at keeping track of the addresses anyways.
In a way if I reply, the other party gets upgraded to one of my 5 addresses, so if they send an email to ContosoCoffeeShop@myname.com I might reply from whatever flavour I'm using nowadays or is more appropriate like hello@myname.com
It's like a 3 layer security system, the least privileged get access to one very specific address, if they send me an email which makes sense and I reply, they get upgraded to a bucket. I might sign up directly with a bucket email and skip the most paranoid layer, that's fine.
In general I try to take more care of the newest alias and become more liberal with my older more ruined addresses, alias1@ has like 8 years of signups, while alias5@ has just 1 if any. And I'm sure the list will grow.
Downside is that if there's a leak it's harder to attribute exactly, but at least I can check the recipient to get some kind of hint.
It's more like art than it is a water-tight security protocol. You paint the world with your wacky addresses and occasionally surprise the observant employee with the inverted expectations (usually the name comes before the at)
I have those things? Did you miss the part where I have multiple vanity URLs and hundreds of email addresses? Of course I have a paid mail provider and catch all. The problem is the cost of haveibeenpwned is too much for me as an individual.
I meant that you are already paying for those, so being charged by providers to support our hacky email addresses is not a novelty introduced by Troy's service
I have the more typical one email used with hundreds of passwords on many websites. haveibeenpwned is also useless for me, it will tell me that my email was compromised but not which sites or passwords. I guess I could check each password individually, hope each password is globally unique to me, and then try to match it back to the website where I used it so I can change the password.
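The comments above about Bitwarden checking new passwords against HIBP, and about checking each password individually and mapping it back to the site it was used on, both rely on the same mechanism: the Pwned Passwords range API. The client never sends the password or its full hash; it sends the first 5 hex characters of the SHA-1 and receives every known suffix for that prefix with a breach count, so the match happens locally (k-anonymity). The following is an added example, not code from this thread, from Bitwarden or from HIBP. It assumes the public endpoint https://api.pwnedpasswords.com/range/{prefix} with `SUFFIX:COUNT` response lines; the function names, the `check_vault` helper and the sample response body (with a made-up count) are constructed for illustration.

```python
import hashlib
import urllib.request

# Real HIBP Pwned Passwords range endpoint; only a 5-char SHA-1 prefix is sent.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range response looks like for prefix 5BAA6.
# The suffix on the last line is SHA-1("password") minus its first 5 chars;
# the counts are made up and not real HIBP figures.
SAMPLE_RANGE_BODY = """0018A45C4D1DEF81644B54AB7F969B88D65:3
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
"""


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that goes over the wire and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} dict; blank lines are skipped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """Match the local suffix against a range response; 0 means not found."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix, timeout=10):
    """Network call: fetch the range for a prefix (not used by the offline test)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_vault(vault, resolver=fetch_range):
    """Given a {site: password} map (the site<->password map a password manager
    holds), return {site: count} for every site whose password appears in
    Pwned Passwords. `resolver(prefix)` returns the range body; it is
    injectable so the logic can be exercised offline with constructed data."""
    pwned = {}
    cache = {}  # one request per distinct prefix, even if several sites share it
    for site, password in vault.items():
        prefix, _ = sha1_prefix_suffix(password)
        if prefix not in cache:
            cache[prefix] = resolver(prefix)
        count = breach_count(password, cache[prefix])
        if count:
            pwned[site] = count
    return pwned


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; swap the resolver
    # for fetch_range to query the live API.
    demo_vault = {"coffee-shop": "password", "bank": "a-long-unique-passphrase-xyz"}
    offline = lambda prefix: SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""
    print(check_vault(demo_vault, resolver=offline))
```

Because the lookup happens on the suffix locally, the same code is safe to point at the live endpoint for an existing vault: the service learns only that some password hashes to one of roughly 1/16^5 of the space, never which one.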
Reread the parent post more closely. It does not tell them: A) which site nor B) which password.
The parent can log in because they have a map of site<->password. But without either the site or the password, the notification that an email address is compromised is useless.