Troy Hunt's breach counter hits 1,000 as disclosure lags stretch

Have I Been Pwned now lists 1,003 breached sites and 17.6B pwned accounts, with recent Carnival and Zara notices arriving weeks after public leaks.


Why it matters

HIBP's 1,000-breach milestone shows that breach response still has a timing failure: stolen data can circulate for weeks before victims receive official notice.


Troy Hunt (@troyhunt) has loaded the 1,000th data breach into Have I Been Pwned, the breach search and alert service he has run since 2013, and used the milestone to make a sharper point: victims are still learning about exposed data from leak sites and third-party services before they hear from the companies that lost it.

"Today, I loaded the 1,000th data breach into Have I Been Pwned," Hunt wrote in a post on his site. The number is not just a vanity marker for a widely used security tool. It is evidence that the breach-notification system still depends on an independent operator extracting email addresses from stolen datasets and warning people faster than many breached companies do.

Hunt, an Australian web security consultant, Microsoft Regional Director and MVP, created HIBP after the Adobe breach exposed how often the same accounts and passwords reappeared across dumps. Twelve and a half years later, HIBP's own homepage lists 1,003 pwned websites and 17,600,019,769 pwned accounts. The service is simple by design: search an email address, see where it appeared, and subscribe for alerts when it shows up again.

The lag is the story

Hunt's core example is Carnival Corporation. On April 24, the Have I Been Pwned (@haveibeenpwned) account said Carnival had been targeted in a ShinyHunters "pay or leak" attack, with 8.7 million records and 7.5 million email addresses published. HIBP said 85% of those addresses were already in its database.

Hunt wrote that news of the incident had surfaced five days earlier and that the stolen data had already spread through public and semi-public channels. Carnival then notified people on May 27, according to a Maine attorney general breach notice. Hunt cited Carnival's same-day press release as saying Carnival learned of the incident 43 days before that notice.

That timing matters because the exposed data was not limited to passwords or throwaway identifiers. Hunt said the Carnival dataset included names, dates of birth, email addresses, loyalty program details and the fact of a person's relationship with Carnival. In a May 28 post on X, Hunt wrote: "As recently as four days ago, we heard 'I'm in the breach per HIBP, but Carnival is telling me there's no breach!'"

The second example was Zara. On May 8, HIBP said that data containing 197,000 unique email addresses had been published after Zara was named as a ShinyHunters victim, with customer support records, product SKUs and order IDs in the impacted data. HIBP said 60% of the email addresses were already in its database. Hunt wrote that the notification lag there was 45 days.

Hunt is careful about the evidentiary limit. He says the broader worsening trend is anecdotal and that he does not have a hard dataset proving disclosure lag has statistically increased. But the recent examples are concrete enough to expose the operating gap: attackers can publish a dataset immediately, and HIBP can extract the email addresses and alert subscribers quickly, while companies often wait for a full forensic and legal review before telling victims anything.

Why companies wait

The standard corporate answer is scope. Breached companies often say they need time to determine which systems were accessed, which records were taken, which jurisdictions apply, and which individuals are affected. That work is real. It also creates a convenient bottleneck: no early warning goes out while lawyers, forensics teams and executives reconcile the final notification package.

Hunt's counterargument is operational, not ideological. He writes that extracting email addresses and sending an early heads-up is straightforward compared with completing a full breach investigation. HIBP has effectively built its reputation on that narrow slice of the problem: identify affected addresses, notify people, and update detail as the public record improves.
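The extraction step Hunt describes, as an added example that is not HIBP's own code: it pulls unique, normalized email addresses out of a constructed sample of leaked rows, discards blank and malformed entries, and computes how many were already held from earlier breaches, the kind of overlap figure HIBP reports (85% for Carnival, 60% for Zara). The column layout, the sample rows and the known-address set are assumptions.

```python
import re

# Constructed sample: rows from a hypothetical leaked customer export with
# mixed formatting (case, stray whitespace, a duplicate, a blank and a malformed address).
LEAKED_ROWS = [
    "Alice Smith,ALICE@Example.com,1980-04-12,LOYALTY-001",
    "Bob Jones, bob.jones@example.org ,1975-11-02,LOYALTY-002",
    "Carol King,alice@example.com,1980-04-12,LOYALTY-001",   # same address as row 1
    "Dan Lee,not-an-email,1990-01-01,LOYALTY-003",            # malformed
    "Eve Adams,,1988-07-30,LOYALTY-004",                      # missing address
    "Frank Moore,frank@example.net,1969-03-15,LOYALTY-005",
]

# Constructed stand-in for addresses already seen in earlier loaded breaches.
KNOWN_ADDRESSES = {"alice@example.com", "bob.jones@example.org"}

# Deliberately simple syntactic check: adequate for triage, not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def extract_addresses(rows, column=1):
    """Return the set of unique, lower-cased email addresses found in `column`."""
    found = set()
    for row in rows:
        fields = row.split(",")
        if len(fields) <= column:
            continue
        addr = fields[column].strip().lower()
        if EMAIL_RE.match(addr):
            found.add(addr)
    return found


def triage(rows, known):
    """Split extracted addresses into already-known and newly exposed, with overlap %.

    The 'new' list is the early-notification queue; 'overlap_pct' is the share of
    addresses that were already in the known set.
    """
    addrs = extract_addresses(rows)
    seen = addrs & known
    pct = round(100 * len(seen) / len(addrs)) if addrs else 0
    return {
        "unique": len(addrs),
        "already_known": sorted(seen),
        "new": sorted(addrs - known),
        "overlap_pct": pct,
    }


if __name__ == "__main__":
    print(triage(LEAKED_ROWS, KNOWN_ADDRESSES))
```

On the sample above this yields 3 unique addresses, 2 already known (67% overlap) and one address to notify.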

That narrowness is also why HIBP remains useful despite GDPR, CCPA and other privacy laws that were supposed to impose discipline on breach handling. Regulation governs the official process. It does not stop extortion crews from publishing data first, and it does not guarantee that a victim learns about exposure before the dataset reaches forums, Telegram channels or other breach brokers.

The market force underneath Hunt's post is the professionalization of breach publicity. ShinyHunters and similar groups use named victims, leak sites and public pressure as part of the extortion cycle. Once a dataset is public enough for researchers, criminals and aggregators to download, the practical harm has already started. A company notice six weeks later may satisfy a legal workflow, but it does not help a victim decide whether to watch for phishing, reset reused credentials or monitor account abuse during the period when the data is freshest.

HIBP is not a substitute for a company's duty to investigate and notify. It is a pressure valve built by one founder because the official system still leaves victims waiting. The 1,000th breach shows the scale of that workaround. The recent Carnival and Zara timelines show why it has not become obsolete.
