2

When a database is breached and my password and email have been leaked, I can go onto Have I Been Pwned? and see that my password has been leaked. But why wouldn't the service send out an email notifying me of my leaked password WITHOUT my signing up to get notified?

In my experience, a lot of senior people find out that their password management is poor (same password everywhere) after they've been hacked and potentially lost money. Now they could've received an email notifying them of all their hacked passwords and the shock could force them to use a password manager.

I think the main reason this doesn't exist is that there are way too many emails to send. If you sum up a list of leaked services for every user, you'd have to send millions or billions of emails (even if spread out over multiple years) and this would probably get you blocked on every mail service.

What are the other reasons that this service doesn't exist?

AleksanderCH
Schotsl
    That would be the definition of "unsolicited email". – schroeder Apr 25 '20 at 12:35
  • @schroeder I'd suppose, I get so many emails of these "I've got your password and.." that I felt there was an argument to be made for emails that could actually inform the user without demanding bitcoins. But I do see how that could turn out to be unsolicited most of the times – Schotsl Apr 25 '20 at 12:52
  • Pretty sure that would be illegal. https://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003 – myron-semack Apr 26 '20 at 20:17

2 Answers

4

First of all, Have I Been Pwned (HIBP) is not an authority, but a free service provided by Troy Hunt. There are actually many similar service providers, e.g. (some alternatives in alphabetical order):

Think what would happen if all of them started sending you emails every time your address is involved in a breach! On the other hand, detecting a security breach typically takes a long time, and only a portion of the stolen data is ever made publicly available; e.g. in HIBP some of the data is added only days after the breach, but sometimes it takes years. There's a good chance some of the email addresses wouldn't even be in use anymore, even if there were a single authority sending that kind of notification. Some of the addresses could even be faked.

BTW, not sending unsolicited emails to everyone is not the only way Mr. Hunt respects your privacy; you can even opt out of being publicly listed on the service.

Esa Jokinen
2

The feature you describe exists, just not fully automatic. Go to HaveIBeenPwned and click Notify Me on the top. You can enter your email and it will notify you when a breach occurs and one of your passwords is leaked.

Now to your actual question: Why is this not automatic? I would reckon there are three simple reasons for this:

  • The sheer amount of emails is incredible, and very costly. Take Mailgun as an example: Their premium tier includes 100.000 emails for $90 a month. At first, that might sound like a lot. But you might have breaches with upward of 500 million email addresses in them. Loads of these might be inactive, but you cannot be sure, so you have to send out 500 million emails. A quick calculation (500 000 000 / 100 000 * 90 = 450 000) reveals incredible monthly costs. Simply said, HaveIBeenPwned probably simply does not have the resources.
  • Trust. My guess would be that a very low percentage of the users that would be receiving such notifications actually know HaveIBeenPwned. So, getting an email from a service that you've never heard of and that you never signed up for is basically spam - and therefore a breach of trust.
  • HIBP is not an authority on breach data. As @EsaJokinen has pointed out already, there are loads of providers out there that notify users on security breaches. Since there is no single authority on such notifications, imagine what would happen if all of those providers would send emails without an opt-in when your account occurs in a breach - you'd be bombarded with notification emails.
NikxDa
  • Despite probably being the most widely known, HIBP is not the only site/service providing this information or email notifications. That's a more important reason than the costs and the trust: none of these service providers should be emailing everyone without an agreement. – Esa Jokinen Apr 25 '20 at 14:23
  • I actually had the authority point in mind, but couldn't figure out a way to put it into words nicely. You described it quite well, so I'll add that point with credit for reference. Thanks! @EsaJokinen – NikxDa Apr 25 '20 at 16:12