
I have been using LastPass for a while and I have just seen an option to generate an exposure report. From its output, I assume it checks various sources containing credential dumps from hacked web applications for matches to my username / e-mail.

The output looks like the following:

{date 1}
somedomain.com

{date 2}
some collection name

{date 3}
Unknown source

I am curious about how such applications work behind the scenes. Also, is there a way to find out more about my exposed e-mail in such dumps (i.e. more sources)?

I see that haveibeenpwned.com lists many breaches, so I could consume their API to validate against my known hostnames. As a side note, somedomain.com is not listed by Pwned websites.

Question: How do applications such as password managers check leaked credentials and how can I get more results?

Alexei

1 Answer

Different password managers will do it differently. LastPass does not disclose how their exposure emails are generated, although there was speculation by users that they combed through the leaked dump known as "Collection 1" and just notified everyone who had an account on any of the domains listed.

Firefox has incorporated HIBP in their browser. 1Password is also using that service.

HIBP has become the primary method to check for these things.

The core idea is to get one's hands on breach databases and password dumps and do the correlation. You could comb through hacker sites, Pastebin (or equivalent), news reports, etc. And once you do that, it will already be in HIBP. I am unaware of any other service that does this for you or is as trusted as HIBP.

Having a secret, proprietary service for this makes no sense. The more people submit breaches and databases to a central service, the more people can be notified. HIBP has become that public service.

I know this sounds like an ad for HIBP, but I have no affiliation with the service. I am truly unaware of any other more reliable or complete way to do what they do.

Google announced a Password Checkup Tool in 2019 that looks like a beta tool for now. As of this writing, they keep a static list of breaches that they check. They do not disclose how it works (likely because they are not finished and they were racing Firefox to include it in a browser). It is supposed to be baked into Chrome, but it's experiencing bugs. It's experimental at the moment (chrome://flags/#password-leak-detection). Time will tell if they, too, end up using HIBP.

schroeder
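As an added illustration of the two HIBP lookups discussed in the question and the answer (this is example code written for this page, not code from LastPass, 1Password, Firefox or HIBP): the first function checks a password against the Pwned Passwords range API using its k-anonymity scheme (only the first five hex characters of the SHA-1 are sent; the server returns every matching suffix and the client does the comparison locally), and the second filters a breach list of the shape HIBP's breach API returns down to the hostnames you actually have accounts on. The `api.pwnedpasswords.com/range/` endpoint needs no key; the `breachedaccount` endpoint requires an `hibp-api-key` header. The sample range response and sample breach records are constructed inline so the script runs offline; the `fetch` parameter lets a test inject that canned response instead of performing HTTP.

```python
import hashlib
import json
import urllib.parse
import urllib.request

# Real endpoints. The range API is keyless; breachedaccount needs an API key.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"
HIBP_BREACHED_ACCOUNT_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"
USER_AGENT = "exposure-check-example"  # any descriptive UA; HIBP rejects empty ones


def fetch_range(prefix):
    """Live fetch of the Pwned Passwords range for a 5-hex-char SHA-1 prefix."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix, headers={"User-Agent": USER_AGENT})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_password_count(password, fetch=fetch_range):
    """Return how many times `password` appears in Pwned Passwords (0 if never).

    Only the 5-character prefix leaves the machine; the full hash is compared
    locally against the suffixes the server returns (k-anonymity).
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")  # format: SUFFIX:COUNT
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_breached_account(email, api_key):
    """Live fetch of breaches for an account; needs a paid HIBP API key."""
    url = HIBP_BREACHED_ACCOUNT_URL + urllib.parse.quote(email) + "?truncateResponse=false"
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT, "hibp-api-key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def breaches_for_hostnames(breaches, known_hostnames):
    """Keep only breach records whose Domain is one of the sites you use.

    `breaches` is a list of dicts with at least Name/Domain/BreachDate, the
    shape HIBP's breach API returns. Returns (Name, Domain, BreachDate) tuples.
    """
    known = {h.lower() for h in known_hostnames}
    return [
        (b.get("Name"), b.get("Domain"), b.get("BreachDate"))
        for b in breaches
        if b.get("Domain", "").lower() in known
    ]


# Constructed sample range response for prefix 5BAA6 (SHA-1 of "password" is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). Counts here are made up.
SAMPLE_RANGE_5BAA6 = """\
0020D4F0DF6C9C8AF0E7E19B5F2C50C8E3A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2E6B4A9C0D8E7F6A5B4C3D2E1F0A9B8C7:1
"""

# Constructed sample breach records in HIBP's record shape (not real breaches).
SAMPLE_BREACHES = [
    {"Name": "ExampleForum", "Domain": "forum.example", "BreachDate": "2018-03-01"},
    {"Name": "ExampleShop", "Domain": "shop.example", "BreachDate": "2019-07-15"},
    {"Name": "Collection1", "Domain": "", "BreachDate": "2019-01-07"},
]


def demo():
    """Offline demonstration using the constructed samples above."""
    fake_fetch = lambda prefix: SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
    count = pwned_password_count("password", fetch=fake_fetch)
    hits = breaches_for_hostnames(SAMPLE_BREACHES, ["forum.example"])
    return count, hits


if __name__ == "__main__":
    print(demo())
```

To run the live password check, call `pwned_password_count("...")` with the default fetcher; to get breach results for an e-mail, `fetch_breached_account` needs a key from haveibeenpwned.com and its output can be passed straight to `breaches_for_hostnames`. Records with an empty `Domain` (aggregate dumps such as "Collection 1") never match a hostname filter, which is exactly the "Unknown source" case in the question.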