Self-hosting

3866 readers

1 users here now

Hosting your own services. Preferably at home and on low-power or shared hardware.

Also check out:

founded 3 years ago

MODERATORS

poVoq@slrpnk.net

sam_uk@slrpnk.net

haveibeenpwned alternatives / data? (infosec.pub)

submitted 2 weeks ago* (last edited 2 weeks ago) by Deebster@infosec.pub to c/selfhosting@slrpnk.net

11 comments fedilink hide all child comments

My personal domain has hundreds of aliases - one for each site I deal with. This is great for identifying the source of spam, and I retire any aliases that get spam.

haveibeenpwned.com lets me add a domain, but wants 3912 USD a year to actually tell me which addresses leaked. This is obviously an insane price for a nice-to-have.

Is there an alternative for free or very cheap? A self-hosted tool that would pull down lists would be great, but I suppose those lists aren't public.

top 11 comments

sorted by: hot top controversial new old

[–] kungen@feddit.nu 8 points 2 weeks ago (2 children)

If I recall, the founder had some workaround for situations like you describe. I am in the same situation but I didn't have the effort to care enough to do all that hassle.

[–] Deebster@infosec.pub 2 points 2 weeks ago* (last edited 2 weeks ago)

It's entirely possible that my best fix is just to delete my haveibeenpwned account and react when I get spam, but where's the fun in that?

[–] Deebster@infosec.pub 1 points 2 weeks ago* (last edited 2 weeks ago)

The founder was asked to provide a subscription level for individual domains and he said no and pointed people at the suggestion to search manually or occasionally pay for a month instead.

HIBP subscriptions can be taken out monthly and cancelled at any time. If the appearance of your domain in a breach is infrequent, you can take out a one month subscription then immediately cancel it after performing the search (the subscription will remain active until the entire month period has elapsed).

[–] iz_ok@sh.itjust.works 2 points 2 weeks ago (1 children)

Maybe not an exact fit for your situation and would take work but I use addy.io. solid and have had no issues with it for 4+ years.

[–] Deebster@infosec.pub 1 points 2 weeks ago

If it takes me on average 5 minutes to login and change an email address, it would take me about 1 days, 18 hours to change them all! It definitely looks worth it for others who want to start using aliases.

[–] vk6flab@lemmy.radio 1 points 2 weeks ago (1 children)

I am not sure what you are talking about.

I have a domain registered and can see exactly which addresses have been compromised by what, without payment.

[–] Deebster@infosec.pub 3 points 2 weeks ago (1 children)

I see this:

[–] vk6flab@lemmy.radio 3 points 2 weeks ago (1 children)

Interesting.

I see a list of email addresses.

[–] Deebster@infosec.pub 3 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

~~Perhaps that message only shows up if some of the results are from the paid lists. For me, I don't see anything listed beneath, even though 34 addresses match, so I guess nothing's in the free lists.~~

edit: Looks like it's triggered on number of results:

Most domain searches are free. Once a domain has more than 10 breached email addresses on it, searching the domain requires a subscription. There are several ways to either reduce or entirely remove the need to have a subscription:

[–] vk6flab@lemmy.radio 3 points 2 weeks ago

That's interesting, since my list of addresses contains numerous ones that don't exist and nobody here has ever used.

[–] 9tr6gyp3@lemmy.world -3 points 2 weeks ago

Just register a new domain and route that mail to your old domain.