They should really accept a hash of your email/username to look up. Then we can get an idea of whether we've been pwned without giving additional information if we haven't been.
I'm not sure how that would help. They would have to generate a matching hash on their end, giving them a lookup table to work backwards from hash to email address.
Now if they wanted to supply a list of hashes to the public, then you could check your own without knowing any of the other addresses used to generate the remaining hashes.
Yes, but they would already have your e-mail address anyway. Lookup by hash precludes the case where you're giving them information they didn't already have.
True. I was more referring to it being a confirmation that this is an email address that anyone cares about.
If I wanted to be truly malicious I'd have my online checker return a "Nope, you're all good" and then add that email address to the short list of accounts to go after.
Unless you use different usernames/email addresses for all the websites you sign up for, this website isn't any more or less random than any of the hundreds of websites you've punched your ID into (and of which some, more likely than not, have been compromised).
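An added example, not part of the thread and not any real service's code: a sketch of the hash-lookup idea discussed above, showing what the operator can observe on a hit versus a miss, plus the offline check against a published hash list. The `BreachService` class, the choice of SHA-256, the trim/lowercase normalization and the sample addresses are all assumptions constructed for illustration.

```python
import hashlib

def email_digest(email: str) -> str:
    """SHA-256 of the normalized address (normalization rule is an assumption)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

class BreachService:
    """Hypothetical checker that accepts a hash instead of the address."""

    def __init__(self, breached_emails):
        # To compare against incoming hashes the service must hash what it
        # holds, so it ends up with a hash -> address table for the breach set.
        self._table = {email_digest(e): e for e in breached_emails}
        self.query_log = []  # what the operator can observe for each query

    def lookup(self, digest: str) -> bool:
        known = self._table.get(digest)
        # Hit: the operator can name the address, which it already held.
        # Miss: the operator sees only a digest it has no entry for.
        self.query_log.append(known if known else f"unknown:{digest[:12]}")
        return known is not None

    def published_hashes(self) -> frozenset:
        """The alternative from the thread: publish the hashes, check offline."""
        return frozenset(self._table)

def check_offline(email: str, published) -> bool:
    """Client-side check; nothing is sent to the service."""
    return email_digest(email) in published

# Constructed sample data, not real breach contents.
BREACHED = ["alice@example.com", "bob@example.org"]

def demo():
    svc = BreachService(BREACHED)
    hit = svc.lookup(email_digest(" Alice@Example.com "))
    miss = svc.lookup(email_digest("carol@example.net"))
    offline = check_offline("bob@example.org", svc.published_hashes())
    return hit, miss, offline, svc.query_log

if __name__ == "__main__":
    print(demo())
```

An unsalted hash of an address is only opaque to someone who cannot guess the address: anyone holding a list of candidate addresses can hash them and match, which applies to a published hash list as well.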