HACKER Q&A
📣 Overtonwindow

Is Have I Been Pwned? A Security Risk?


I saw the latest Genesis news and visited Have I Been Pwned to check. Getting curious, I started putting in the email addresses of friends. It was interesting to see what my friends were signed up to, and some of the services they used.

A bit of open source intelligence.


  👤 leafstrat Accepted Answer ✓
Interesting, never thought about doing that. There is certainly potential for abuse if not verifying ownership of the account being looked up. Browsing their releases here: https://haveibeenpwned.com/PwnedWebsites

There are two pornography websites, YouPorn and xHamster. Worse than that, Fridae, Fur Affinity, and Fling, which could be classified as fetish-focused.

>In May 2016, the Fur Affinity website for people with an interest in anthropomorphic animal characters (also known as "furries") was hacked.

>In May 2014, over 25,000 user accounts were breached from the Asian lesbian, gay, bisexual and transgender website known as "Fridae".

>In 2011, the self-proclaimed "World's Best Adult Social Network" website known as Fling was hacked and more than 40 million accounts obtained by the attacker.

Gambling websites, hacking websites, and a few gun ones. Three hobbies that people may like to keep private, and might influence hiring decisions.


👤 kosasbest
The web has always been a great OSINT tool. Nothing really new. You can just Google your legal name and see some shitty teenage account you set up decades ago lingering around.