
Have I Been Pwned (HIBP) is one of the most widely recognised tools in cybersecurity. Created by security researcher Troy Hunt, it lets anyone check, for free, whether their email address has appeared in a known data breach.
For individuals checking personal accounts, it's genuinely useful.
For businesses trying to protect their employees, customers, and operations? It's a starting point, but a dangerously incomplete one.
This guide explains what HIBP covers, where it falls short for business use, and what organisations actually need to monitor their dark web exposure effectively.
What Have I Been Pwned Actually Does
HIBP is a searchable database of publicly disclosed data breaches. When a major breach occurs (LinkedIn in 2016, RockYou2021, Adobe, Dropbox, and thousands of others) and that data eventually becomes public, Troy Hunt's team ingests it into the HIBP database.
You enter an email address, and HIBP tells you which known breaches that email appeared in, and what type of data was exposed (passwords, phone numbers, addresses, etc.).
HIBP for business (via the paid notification API or Domain Search feature) extends this to entire domains: you can check how many employee email addresses at your company appear in known breaches.
This is genuinely useful baseline intelligence. The problem is what it doesn't cover.
Where HIBP Falls Short for Business
1. It Only Covers Publicly Disclosed Breaches
HIBP's database consists of breaches that have been made public, whether by researchers, by journalists, or because the data was openly shared. This represents a small fraction of actual dark web activity.
A significant volume of stolen credentials never appears in public breach disclosures. They're traded privately in closed Telegram groups, sold on dark web marketplaces, or weaponised directly by the attackers who stole them. If your employee's credentials are in a private criminal channel that hasn't been publicly disclosed, HIBP will never find them.
2. It Has No Stealer Log Coverage
Stealer logs are the most dangerous credential source in 2025, and HIBP does not monitor them.
Infostealer malware (RedLine, Vidar, Raccoon, LummaC2) infects employee devices and silently extracts every password stored in the browser, every active session cookie, and every saved credential. This data is then sold in bulk on Telegram channels and dark web markets such as Russian Market.
Stealer log data is fresh, targeted, and often contains active session tokens that give attackers direct access without needing to crack a single password. HIBP does not index stealer log marketplaces.
3. Coverage Lag Can Be Months or Years
Even for breaches that HIBP does cover, there's typically a significant lag between when data is stolen, when it's traded on the dark web, and when it's eventually made public and added to the HIBP database.
The average time between a breach occurring and public disclosure is 200+ days. During that window, attackers have had free access to those credentials. A tool that only reports on publicly disclosed breaches is telling you about threats that are already old.
4. No Telegram or Forum Monitoring
The most active current-day threat intelligence comes from Telegram dump channels: communities with hundreds of thousands of members that share fresh credential leaks, stealer log exports, and access sales in real time.
These channels operate completely outside the public internet. HIBP has no visibility into them whatsoever.
5. No Contextual Intelligence
HIBP tells you an email address appeared in a breach. It doesn't tell you:
- Whether that email-password combination is actively being sold right now
- Whether the user's device has been compromised by a stealer
- Whether a threat actor is specifically targeting your company
- Whether phishing domains mimicking your brand have been registered
- What the risk severity of each finding is
For a security team trying to prioritise what to remediate, raw breach matches without context create noise, not signal.
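As an added example (not code from the original article or from HIBP), here is how a security team might turn raw HIBP matches into a prioritised list, measuring the coverage lag from each breach's BreachDate and AddedDate and scoring matches by whether passwords were exposed and how recent the breach is. The sample response is constructed in the field layout of the HIBP v3 breachedaccount endpoint; the breach records and the scoring weights are assumptions for illustration, not HIBP's own.

```python
import json
from datetime import date, datetime

# Constructed sample in the shape of a HIBP v3 "breachedaccount" response for
# one address. Field names follow the public API; the breaches are invented.
SAMPLE_HIBP_RESPONSE = json.dumps([
    {"Name": "ExampleShop", "Title": "Example Shop", "Domain": "exampleshop.test",
     "BreachDate": "2023-01-15", "AddedDate": "2024-03-02T09:30:00Z",
     "PwnCount": 1200000, "IsVerified": True,
     "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
    {"Name": "ExampleForum", "Title": "Example Forum", "Domain": "exampleforum.test",
     "BreachDate": "2024-11-20", "AddedDate": "2024-12-01T00:00:00Z",
     "PwnCount": 50000, "IsVerified": False,
     "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "ExampleNews", "Title": "Example News", "Domain": "examplenews.test",
     "BreachDate": "2020-06-01", "AddedDate": "2020-06-20T00:00:00Z",
     "PwnCount": 3000000, "IsVerified": True,
     "DataClasses": ["Email addresses", "Names"]},
])


def disclosure_lag_days(breach):
    """Days between the breach occurring and HIBP adding it: the coverage lag."""
    occurred = date.fromisoformat(breach["BreachDate"])
    added = datetime.strptime(breach["AddedDate"], "%Y-%m-%dT%H:%M:%SZ").date()
    return (added - occurred).days


def triage(json_text, today_iso):
    """Turn raw HIBP matches into a prioritised list (heuristic is ours, not HIBP's).

    Password exposure and recency raise the score, an unverified breach lowers
    it, and the lag is reported so the analyst knows how old the intel already is.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for breach in json.loads(json_text):
        passwords = "Passwords" in breach["DataClasses"]
        score = 3 if passwords else 0          # reusable credential: force a reset
        age_days = (today - date.fromisoformat(breach["BreachDate"])).days
        if age_days <= 365:
            score += 2                         # recent: credential likely still valid
        if not breach["IsVerified"]:
            score -= 1                         # HIBP could not confirm the dump
        findings.append({"name": breach["Name"], "score": score,
                         "lag_days": disclosure_lag_days(breach),
                         "password_exposed": passwords})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in triage(SAMPLE_HIBP_RESPONSE, "2025-01-15"):
        print(finding)
```

Against real data, the lag_days column is the "already old" window the section above describes; anything over a few hundred days should be treated as historical context, not a fresh alert.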
Is your company exposed on the dark web right now?
Scan dark web forums, breach dumps, stealer logs & 50,000+ threat sources. Results in seconds, completely free.
HIBP vs. DarkVault: Feature Comparison
| Capability | HIBP Free | HIBP Enterprise API | DarkVault |
|---|---|---|---|
| Public breach databases | β | β | β |
| Stealer log marketplaces | β | β | β |
| Live Telegram dump channels | β | β | β |
| Dark web forum monitoring | β | β | β |
| Real-time alerts | β | β | β |
| Brand / phishing domain detection | β | β | β |
| Executive monitoring | β | β | β |
| Risk scoring and prioritisation | β | β | β |
| SIEM / Slack / SOAR integration | β | β οΈ | β |
| Automated PDF reports | β | β | β |
| Free domain scan | β | β | β |
So Who Is HIBP Actually Right For?
HIBP is excellent for:
- Individuals checking whether personal accounts have been caught in known breaches
- Security teams using it as one data source among many in a broader threat intelligence programme
- Initial triage: a quick check to understand baseline historical breach exposure before deploying a more comprehensive solution
HIBP is not sufficient as a standalone business solution for any organisation that handles sensitive customer data, has employees with privileged system access, or operates in regulated industries.
The Real Risk of Relying on HIBP Alone
The SolarWinds breach wasn't discovered through a public breach database. The Okta breach notifications didn't come from HIBP. The Lapsus$ attacks that hit Microsoft, Okta, and Samsung? They were orchestrated using credentials sold on Telegram, data that never appeared in any public breach disclosure.
These are the threats that matter most to businesses in 2025, and they're exactly what HIBP cannot see.
The average organisation has 847 exposed credentials on the dark web that HIBP has never indexed. Find out your number: run a free scan of your domain in under 60 seconds, no registration required.
What Businesses Need Instead
A business-grade dark web monitoring solution should cover:
- All credential sources: not just public breach databases, but stealer log markets, Telegram channels, paste sites, and dark web forums where credentials are actively traded.
- Real-time detection: alerts within minutes of a new finding, not daily or weekly digests of old data.
- Contextual risk scoring: telling you not just that a credential was exposed, but how dangerous that exposure is and what to do about it.
- Brand and domain monitoring: because attackers don't just steal credentials, they also impersonate your brand to harvest more of them.
- Stealer log intelligence: identifying which devices in your organisation may be actively compromised.
- Integration with your security stack: so alerts flow into your SIEM, SOAR, or Slack workspace automatically.
Using Both Together
HIBP and a dedicated dark web monitoring platform aren't mutually exclusive. HIBP is free, well-maintained, and useful as a historical reference point. It makes sense to use it alongside a real-time monitoring platform, not as a replacement for one.
Think of it this way: HIBP tells you which doors were already broken into. DarkVault tells you which doors attackers are actively trying right now.
Start with a free domain scan to see what's currently visible about your organisation on the dark web, including sources HIBP will never show you.
Frequently Asked Questions
Is HIBP free for businesses? The basic search is free. The domain search and notification API (which lets you monitor all email addresses at a domain) require a paid subscription. However, even the paid tier only covers the same public breach data as the free version.
Can HIBP replace a dark web monitoring service? No. HIBP covers a different and much smaller slice of the threat landscape than a dedicated dark web monitoring platform. It's best used as a supplementary tool, not a primary defence.
How do I check if my company's data is on the dark web? Start with the free domain scan at DarkVault: it checks across dark web forums, stealer log markets, Telegram dumps, and breach databases simultaneously. You'll see results in under 60 seconds with no registration required.
What is a stealer log and why should I care? A stealer log is a credential dump created by infostealer malware that infected an employee's device. Unlike breach database leaks, stealer logs often contain active session tokens, browser-stored passwords, and system information, giving attackers immediate access rather than just a username and password to crack. See our full guide on stealer logs for more detail.