INTRODUCTION
HIBP only exists in the first place because of violations of privacy. Our data is leaked, sold, redistributed and abused to our detriment and beyond our control. HIBP was established as a free service in 2013 to help give us visibility as to how our personal data spreads. Whilst we may no longer be able to control it once breached, we can at least understand what's been leaked, where it's been leaked from and what precautionary measures we can now take as a result.
This page details how the privacy of personal data is handled within HIBP and what information is collected when you use the service.
BREACH DATA STORED IN HIBP
When a data breach is loaded into HIBP, the email addresses are stored in the online system. In some cases, phone numbers may be loaded in separately where they exist in an isolated data store not attached to any other personally identifiable information (i.e. not next to corresponding email addresses). No other data of any kind (names, phone numbers, etc.) is stored on data load. HIBP also stores a list of data classes that were impacted in each breach. For example, it will state that email addresses and passwords appeared in a breach, but it stores no information about which email addresses had corresponding passwords or what those passwords are.
When data is loaded into the Pwned Passwords service, only SHA-1 hashes of the password are stored. No identifying data about who the password belonged to is stored. Read more about why passwords are hashed in this fashion.
WHEN YOU SEARCH FOR AN EMAIL ADDRESS OR PHONE NUMBER
Searching for an email address or phone number only ever retrieves the data from storage and returns it in the response; the searched data is never explicitly stored anywhere. See the Logging section below for situations in which it may be implicitly stored.
Data breaches flagged as sensitive are not returned in public searches; they can only be viewed by using the notification service and verifying ownership of the email address first. Sensitive breaches are also searchable by domain owners who prove they control the domain using the domain search feature. Read about why non-sensitive breaches are publicly searchable.
WHEN YOU SEARCH FOR A DOMAIN
Domain searches allow the exposure of all email addresses on that domain to be returned in a single search. Only someone who controls the domain or the website it's bound to can perform a search via one of the verification processes:
Via an email address on the WHOIS record
Via a common security or administrative email address (security@, hostmaster@, postmaster@, webmaster@)
Via a meta tag with a unique code placed on the website
Via a file with a unique code uploaded to the website
Via a TXT entry on the DNS record with a unique code
A domain search logs the domain name and requestor's IP address as part of anti-abuse measures. If you ask HIBP to notify you of future appearances of email addresses on that domain and you provide your email address so that you can be notified, that email address is also stored. Anti-automation measures are in place to limit attempts to automate searches.
WHEN YOU SEARCH PWNED PASSWORDS
The Pwned Passwords feature searches previous data breaches for the presence of a user-provided password. The password is hashed client-side with the SHA-1 algorithm, then only the first 5 characters of the hash are sent to HIBP per the Cloudflare k-anonymity implementation. HIBP never receives the original password nor enough information to discover what the original password was.
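The range lookup described above, sketched as an added example (not HIBP's or Cloudflare's own code). FakeRangeServer, its sample corpus and counts are constructed for illustration, and the "SUFFIX:COUNT" response lines are an assumption about the wire format that this page does not state.

```python
import hashlib

PREFIX_LEN = 5  # hex characters of the SHA-1 hash that leave the client


def split_hash(password):
    """Return (prefix sent to the service, suffix that stays on the client)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


class FakeRangeServer:
    """Constructed stand-in for the service; it only ever sees 5-char prefixes."""

    def __init__(self, breached):
        self.buckets = {}        # prefix -> {suffix: times seen in breaches}
        self.seen_requests = []  # everything the "server" learns from clients
        for password, count in breached.items():
            prefix, suffix = split_hash(password)
            self.buckets.setdefault(prefix, {})[suffix] = count

    def range(self, prefix):
        if len(prefix) != PREFIX_LEN:
            raise ValueError("prefix must be exactly 5 hex characters")
        int(prefix, 16)  # raises ValueError if the prefix is not hex
        self.seen_requests.append(prefix)
        bucket = self.buckets.get(prefix, {})
        # Assumed response format: one "SUFFIX:COUNT" line per hash in the bucket.
        return "\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))


def pwned_count(password, server):
    """Send only the prefix, then match the 35-char suffix locally."""
    prefix, suffix = split_hash(password)
    for line in server.range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0  # no hash in the returned bucket matches this password


if __name__ == "__main__":
    # Constructed corpus and counts, for illustration only.
    server = FakeRangeServer({"password": 1000, "hunter2": 50})
    for pw in ("password", "a-long-unbreached-passphrase-9f3"):
        print(pw, "->", pwned_count(pw, server))
    print("server saw:", server.seen_requests)
```

The match against the suffix happens entirely on the client, so the service cannot tell which hash in the returned bucket, if any, the caller was checking.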
HOW HIBP PROTECTS DATA