Yes, it has to in order to track who to contact should they be caught up in a subsequent data breach. Only the email address, the date they subscribed on and a random token for verification is stored.
HIBP provides a record of which breaches an email address has appeared in regardless of whether the password has consequently been changed or not. The fact the email address was in the breach is an immutable historic fact; it cannot later be changed. If you don’t want any breach to publicly appear against the address, use the opt-out feature.
What email address are notifications sent from?
All emails sent by HIBP come from If you’re expecting an email (for example, the verification email sent when signing up for notifications) and it doesn’t arrive, try white-listing that address. 99.x% of the time email doesn’t arrive in someone’s inbox, it’s due to the destination mail server bouncing it.
How do I know the site isn’t just harvesting searched email addresses?
You don’t, but it’s not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you’re concerned about the intent or security, don’t use it.
Is it possible to “deep link” directly to the search for an account?
Sure, you can construct a link so that the search for a particular account happens automatically when it’s loaded, just pass the name after the “account” path. Here’s an example:
How can I submit a data breach?
If you’ve come across a data breach which you’d like to submit, get in touch with me. Check out what’s currently loaded into HIBP on the pwned websites page first if you’re not sure whether the breach is already in the system.
What is a “sensitive breach”?
HIBP enables you to discover if your account was exposed in most of the data breaches by directly searching the system. However, certain breaches are particularly sensitive in that someone’s presence in the breach may adversely impact them if others are able to find that they were a member of the site. These breaches are classed as “sensitive” and may not be publicly searched.
A sensitive data breach can only be searched by the verified owner of the email address being searched for. This is done via the notification system which involves sending a verification email to the address with a unique link. When that link is followed, the owner of the address will see all data breaches and pastes they appear in, including the sensitive ones.
There are presently 44 sensitive breaches in the system including Adult FriendFinder (2015), Adult FriendFinder (2016), Adult-FanFiction.Org, Ashley Madison, Beautiful People, Bestialitysextaboo, Brazzers, Carding Mafia (), CrimeAgency vBulletin Hacks, CTARS, CyberServe, Doxbin, Emotet, Fling, Florida Virtual School, Freedom Hosting II, Fridae, Fur Affinity, Gab and 24 more.
What is a “retired breach”?
After a security incident which results in the disclosure of account data, the breach may be loaded into HIBP where it then sends notifications to impacted subscribers and becomes searchable. In very rare circumstances, that breach may later be permanently remove from HIBP where it is then classed as a “retired breach”.
A retired breach is typically one where the data does not appear in other locations on the web, that is it’s not being traded or redistributed. Deleting it from HIBP provides those impacted with assurance that their data can no longer be found in any remaining locations. For more background, read Have I Been Pwned, opting out, VTech and general privacy things.