HaveIBeenPwned is the best free starting point for checking your breach exposure but it is not a complete picture. It covers known public breaches that have been shared with the service. It does not cover private breach sales, stealer log databases, or breaches that have not yet been disclosed publicly.
Analysis Briefing
- Topic: Breach exposure auditing beyond HaveIBeenPwned
- Analyst: Mike D (@MrComputerScience)
- Context: Born from an exchange with Claude that refused to stay shallow
- Source: Pithy Cyborg
- Key Question: If HIBP shows no breaches, does that mean your credentials are safe?
What HaveIBeenPwned Actually Covers and What It Misses
HaveIBeenPwned maintains a database of email addresses and passwords from known public data breaches. When a major breach like LinkedIn 2012 or Adobe 2013 is disclosed and the data circulates publicly, Troy Hunt’s team processes it and adds it to the searchable database.
What this covers well: large, publicly disclosed breaches from major platforms that generated significant news coverage. If your email appeared in any of these, HIBP will tell you.
What it misses: breaches sold privately on criminal marketplaces without public disclosure. Stealer log databases assembled from malware infections rather than company breaches. Fresh credentials stolen in the last 30 to 90 days before the breach circulates widely enough to be collected. Breaches from smaller organizations that never generated public attention.
The absence of your email in HIBP is not confirmation that your credentials are safe. It is confirmation that your credentials have not appeared in the specific breaches HIBP has indexed.
What Stealer Logs Are and Why They Are Different From Breach Databases
A stealer log is a collection of credentials harvested by information-stealing malware running on infected devices. Unlike breach databases that come from a company’s compromised servers, stealer logs come directly from victims’ devices.
Stealer malware captures credentials as they are typed or from browser password stores. It captures session cookies that allow account access without knowing the password. It captures autofill data, cryptocurrency wallet information, and any other valuable data accessible on the device.
Stealer logs are sold and shared in criminal marketplaces continuously. They contain fresh, often still-valid credentials because the data comes directly from active devices rather than from historical breach dumps. HIBP does not index stealer logs in the same way it indexes breach databases.
| Feature | Data Breach (HIBP Model) | Stealer Log (Malware Model) |
|---|---|---|
| Source | Company Servers (e.g., LinkedIn) | Your Personal Device (PC/Phone) |
| Contents | User DB (Email, Hash) | Passwords, Cookies, Autofill, Wallets |
| Freshness | Often years old | Usually < 90 days old |
| MFA Impact | MFA usually blocks access | MFA bypassed via session cookies |
| Remedy | Change Password | Wipe Device + Revoke All Sessions |
How to Do a More Complete Breach Exposure Audit
Check HIBP for your email addresses as a baseline. Enable HIBP’s notification feature so you are alerted when new breaches are added that include your email.
Use your password manager’s built-in breach monitoring. Most major password managers including 1Password, Bitwarden, and Dashlane cross-reference your stored credentials against breach databases and alert you to compromised entries. This covers the credential level rather than just the email level.
Check whether your business email domain appears in breach databases using HIBP’s domain search feature. This surfaces breaches affecting any email address at your domain, not just the specific addresses you check manually.
For higher-risk individuals or businesses, services like SpyCloud and Flare specifically monitor criminal marketplaces and stealer log databases for your email addresses and domains. These services surface exposure that HIBP does not cover.
The HIBP Feature Most People Have Never Used
HaveIBeenPwned has a second tool that most users do not know exists: Pwned Passwords at haveibeenpwned.com/passwords. This tool checks whether a specific password appears in breach data, without requiring an email address.
You can type any password into the tool and it tells you how many times that exact password has appeared across known breach datasets. A password that appears zero times has never been seen in a breach. A password that appears thousands of times is so common it should be treated as compromised regardless of whether your specific account was breached.
The tool uses a k-anonymity model: your full password is never sent to the server. Only the first five characters of a SHA-1 hash are transmitted, and the tool returns all matching hash suffixes for you to check locally. The architecture means HIBP never sees your actual password.
Run your most important passwords through Pwned Passwords now. Any result above zero should be considered compromised.
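The k-anonymity exchange described above, as an added example that is not code from HaveIBeenPwned or the original post: the client hashes the password, sends only the first five hex characters of the SHA-1 to the range endpoint, and matches the remaining 35 characters locally. The sample range response and the match count are constructed so the block runs offline; `fetch_range_live` shows the real endpoint but is not called by default.

```python
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP range endpoint

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into (5-char prefix sent, 35-char suffix kept)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response (lines of SUFFIX:COUNT) locally for our suffix.
    Unknown suffixes and padded filler rows (count 0) both yield 0."""
    for line in range_body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix:
            return int(count)
    return 0

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in breach data; 0 means never seen."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))  # only the prefix leaves the machine

def fetch_range_live(prefix: str) -> str:
    """Network lookup against HIBP (needs internet; not used by the demo below)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for the 5BAA6 range response. The first suffix is the
# real SHA-1 tail of "password"; the count and the other rows are made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00000000000000000000000000000000001:2
00000000000000000000000000000000002:0
"""

def fetch_range_sample(prefix: str) -> str:
    """Offline substitute for fetch_range_live."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for pw in ("password", "a long unique passphrase nobody else uses"):
        print(pw, "->", pwned_count(pw, fetch_range_sample))
```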
The Session Cookie Problem Nobody Talks About
Stealer malware captures session cookies alongside passwords. A session cookie allows an attacker to authenticate to a web service as you without knowing your password and without triggering MFA, because the session is already authenticated.
If your device was infected with an infostealer, changing your password does not invalidate the session cookie the malware captured. You need to explicitly revoke active sessions in your account security settings in addition to changing your password.
Most major platforms, including Google, Microsoft, and Facebook, have a “sign out of all devices” or “revoke all sessions” option in account security settings. Using this after a suspected compromise invalidates any captured session cookies.
Technical Nuance ➞ The Token Trap ➞ Changing a password is a “front door” fix. A session cookie is a “back door” pass that says the person holding it has already walked through the front door. Until you revoke all sessions, the attacker is still “inside” your account, even if you’ve updated your password to something 20 characters long.
What This Means For You
- Check HaveIBeenPwned now for all email addresses you use and enable notification alerts for future breaches.
- Enable breach monitoring in your password manager to get credential-level alerts rather than just email-level alerts.
- Revoke all active sessions using your account’s “sign out all devices” option if you suspect a device compromise.
- Audit for password reuse. If HIBP shows a hit, assume that specific password is “burned” across every site where you’ve used it.
- Consider a specialized dark web monitoring service like SpyCloud if you are managing business domains or high-value assets.
The Password Reuse Audit That Should Follow Every HIBP Hit
Finding that your email appeared in a breach is step one. Step two is the audit that most people skip: identifying every other account that used the same password as the breached one.
If you used the same password at the breached service that you use at your email, your bank, your payroll platform, or any other account, every one of those accounts is now compromised regardless of whether those services were breached.
Open your password manager and search for the breached service. Note the password it stored. Search your entire password vault for any other account that uses the same password. Change every one of them to a unique password immediately.
If you do not use a password manager and cannot reconstruct which other accounts used the same password, the conservative approach is to change the password on every account that matters: email, financial accounts, social media, and anything with payment information on file. This is the cost of not having used unique passwords. The time it takes is the argument for a password manager going forward.
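The vault search described in this section, as an added example (not from the original post or any password manager): it reads a generic name/username/password CSV export, lists every other account sharing the breached service's password, and also reports all reused passwords in the vault. The export rows are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed vault export in a generic name,username,password CSV layout.
VAULT_CSV = """\
name,username,password
Breached Forum,alice@example.com,Winter2019!
Webmail,alice@example.com,Winter2019!
Bank,alice,Q7#longUniqueValue
Payroll,alice@example.com,Winter2019!
Social,alice.smith,anotherUnique-pass
"""

def load_vault(csv_text: str) -> list[dict]:
    """Parse the export into a list of {name, username, password} rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def accounts_to_rotate(entries: list[dict], breached_name: str) -> list[str]:
    """Every other account that uses the same password as the breached service."""
    burned = {e["password"] for e in entries if e["name"] == breached_name}
    return sorted({e["name"] for e in entries
                   if e["password"] in burned and e["name"] != breached_name})

def reused_passwords(entries: list[dict]) -> dict[str, list[str]]:
    """General reuse audit: each password used by more than one account."""
    index = defaultdict(list)
    for e in entries:
        index[e["password"]].append(e["name"])
    return {p: sorted(names) for p, names in index.items() if len(names) > 1}

if __name__ == "__main__":
    vault = load_vault(VAULT_CSV)
    print("rotate after Breached Forum hit:", accounts_to_rotate(vault, "Breached Forum"))
    print("reused passwords:", reused_passwords(vault))
```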