What they're not telling you:
# HAVEIBEENPWNED'S UNGUARDED DOOR: HOW A "PRIVACY TOOL" BECAME A DOXING PLATFORM
The most useful privacy database in the world has no authentication layer, which means anyone with an internet connection can enumerate the intimate digital histories of millions without their knowledge or consent. The mechanics are straightforward enough. Troy Hunt, an Australian security researcher, created Have I Been Pwned (HIBP) in 2013 as a public service—a searchable repository of data from major breaches, designed to alert individuals when their credentials appeared in stolen databases.
What the Documents Show
The stated mission was transparency: let people know when their information had been compromised so they could change passwords and monitor accounts. By 2024, HIBP had indexed over 13 billion compromised records from hundreds of breaches. It became the canonical source, referenced by journalists, security professionals, and casual users alike. But here's what the mainstream tech narrative obscures: HIBP created something structurally identical to a public directory of personal associations with adult websites. The platform does not require users to verify they own an email address before viewing breach results.
Follow the Money
This means I can search your email address, your spouse's email, your employee's email—anyone's—and see not just that they were breached, but which breaches, and critically, *which sites*. When those sites are pornography platforms, dating services, or other intimate databases, the tool's function changes. It becomes a searchable ledger of someone's private life, visible to anyone with a browser. The Reddit post captures what HIBP's architects seem not to have anticipated, or chose not to address: a user and a coworker searched casually and discovered what amounted to a timestamped record of exposure across "NSFW sites." No verification required. No notification sent to the person being searched. The breach data itself is public—the exposed records came from crimes committed by hackers—but the interface Hunt built democratizes access to that data in a way that transforms it from "information security resource" into "open doxing tool." Hunt has monetized HIBP through a subscription tier called Pwned Passwords, where corporations pay to check credentials against the database.
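As an added illustration of the missing layer described above (this is example code, not HIBP's own design or implementation), the sketch below gates sensitive-category breaches behind proof of mailbox ownership: the server mails a short-lived HMAC token to the address, and only a caller who presents it back sees those entries, while their existence stays hidden from everyone else. The breach index, server key, TTL and category labels are constructed sample values.

```python
"""Ownership-gated breach lookup (added illustration, not HIBP's code)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample index: email -> [(breach_name, sensitive?)]
BREACH_INDEX = {
    "alice@example.com": [("ExampleForum", False), ("ExampleDatingSite", True)],
    "bob@example.com": [("ExampleShop", False)],
}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed)
TOKEN_TTL = 15 * 60                   # seconds an emailed verification link stays valid


def _mac(email: str, exp: int) -> str:
    return hmac.new(SERVER_KEY, f"{email}|{exp}".encode(), hashlib.sha256).hexdigest()


def issue_verification_token(email: str, now: Optional[float] = None) -> str:
    """Mint the token that would be emailed to the address. Only someone who
    can read that mailbox can present it back, which is the ownership proof."""
    exp = int((now if now is not None else time.time()) + TOKEN_TTL)
    return f"{exp}.{_mac(email, exp)}"


def verify_token(email: str, token: str, now: Optional[float] = None) -> bool:
    """Reject malformed, expired, or forged tokens; bind the token to the email."""
    try:
        exp_s, mac = token.split(".", 1)
        exp = int(exp_s)
    except ValueError:
        return False
    if exp < (now if now is not None else time.time()):
        return False
    return hmac.compare_digest(mac, _mac(email, exp))  # constant-time compare


def lookup(email: str, token: Optional[str] = None, now: Optional[float] = None) -> dict:
    """Unverified callers see only non-sensitive breaches. Sensitive ones are
    listed only with a valid ownership token, and no count of hidden entries
    is returned, so a third party cannot infer that any exist."""
    verified = token is not None and verify_token(email, token, now)
    visible = [name for name, sensitive in BREACH_INDEX.get(email, [])
               if verified or not sensitive]
    return {"email": email, "verified": verified, "breaches": visible}
```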
What Else We Know
According to publicly available information, Hunt also sells API access to companies building authentication systems. The free tier—the one allowing unrestricted searches—generates legitimacy for the paid tiers. No one calculates the externalities: the girlfriend who discovers her partner's breach history across adult platforms, the employee whose boss casually searches to learn about their online exposures, the targets of harassment who can now have their breaches weaponized in real time. The regulatory response has been silence. The FTC has not scrutinized whether HIBP's design violates privacy principles it claims to enforce. The EU's GDPR, theoretically stringent on data protection, has not challenged the platform's use of breach data in ways that expose individuals without consent.
Primary Sources
- Source: r/privacy
- Category: Corporate Watchdog
- Cross-reference independently — don't take our word for it.
Disclosure: NewsAnarchist aggregates from public records, API feeds (Federal Register, CourtListener, MuckRock, Hacker News), and independent media. AI-assisted synthesis. Always verify primary sources linked above.
