29
haveibeenpwned alternatives / data? (infosec.pub)
submitted 7 months ago* (last edited 7 months ago) by Deebster@infosec.pub to c/selfhosting@slrpnk.net
10 comments fedilink hide all child comments

My personal domain has hundreds of aliases - one for each site I deal with. This is great for identifying the source of spam, and I retire any aliases that get spam.

haveibeenpwned.com lets me add a domain, but wants 3912 USD a year to actually tell me which addresses leaked. This is obviously an insane price for a nice-to-have.

Is there an alternative for free or very cheap? A self-hosted tool that would pull down lists would be great, but I suppose those lists aren't public.

top 10 comments
sorted by: hot top controversial new old
[-] mistermodal@lemmy.ml 3 points 7 months ago

$4000 USD a year he better be delivering caviar to your doorstep (that shit is cheap now)

[-] BarbecueCowboy@lemmy.dbzer0.com 3 points 7 months ago

It's because of Enterprise contracts, for the things you can check off with HIBP... 4 grand is not a lot for them. But, then also if you offer a separate plan and just say 'no enterprise, we trust you', many businesses will just ignore the enterprise plan.

[-] vk6flab@lemmy.radio 2 points 7 months ago

I am not sure what you are talking about.

I have a domain registered and can see exactly which addresses have been compromised by what, without payment.

[-] Deebster@infosec.pub 4 points 7 months ago

I see this:

Domain search restricted: You don't have an active subscription so you're limited to searching domains with up to 10 breached addresses (excluding addresses in spam lists). Only results for subscription-free breaches are shown below, upgrade your subscription to run a complete domain search. If you believe you're seeing this message in error, make sure you're signing in to the dashboard with the correct email address (check your latest receipt if you're unsure).

[-] vk6flab@lemmy.radio 3 points 7 months ago

Interesting.

I see a list of email addresses.

[-] Deebster@infosec.pub 4 points 7 months ago* (last edited 7 months ago)

~~Perhaps that message only shows up if some of the results are from the paid lists. For me, I don't see anything listed beneath, even though 34 addresses match, so I guess nothing's in the free lists.~~

edit: Looks like it's triggered on number of results:

Most domain searches are free. Once a domain has more than 10 breached email addresses on it, searching the domain requires a subscription. There are several ways to either reduce or entirely remove the need to have a subscription:

[-] vk6flab@lemmy.radio 3 points 7 months ago

That's interesting, since my list of addresses contains numerous ones that don't exist and nobody here has ever used.

[-] iz_ok@sh.itjust.works 2 points 7 months ago

Maybe not an exact fit for your situation and would take work but I use addy.io. solid and have had no issues with it for 4+ years.

[-] Deebster@infosec.pub 1 points 7 months ago

If it takes me on average 5 minutes to login and change an email address, it would take me about 1 days, 18 hours to change them all! It definitely looks worth it for others who want to start using aliases.

[-] 9tr6gyp3@lemmy.world 1 points 7 months ago

Just register a new domain and route that mail to your old domain.

this post was submitted on 07 Nov 2025
29 points (100.0% liked)

Self-hosting

4417 readers
5 users here now

Hosting your own services. Preferably at home and on low-power or shared hardware.

Also check out:

founded 4 years ago
MODERATORS
poVoq@slrpnk.net
sam_uk@slrpnk.net