
They can modify it to simply say whether your account was compromised, regardless of whether you have an account (i.e., if no account -> not compromised).


...Which they ought to do. Offering the ability to enumerate user accounts is unlikely to be the immediate goal of this utility, but it's an effect nonetheless.


30 minutes later and it's fixed. Entering an invalid email also results in a "this email was not compromised" message.


That's what they're doing. "aijaspijasohisaho@asoihdshohdusudhs.com" gets a message saying that that account wasn't compromised.
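
The change discussed in the comments above, sketched as an added example that is not part of the thread and not the service's own code: a lookup that gives distinct answers for invalid and unknown addresses, beside one that answers "not compromised" for both. All names, sample addresses and the `distinguishable_classes` helper are hypothetical, and the data is constructed.

```python
import re

# Constructed sample data: accounts the service knows, and the breached subset.
ACCOUNTS = {"alice@example.com", "bob@example.com"}
COMPROMISED = {"bob@example.com"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

NOT_COMPROMISED = "This email was not compromised."
WAS_COMPROMISED = "This email was compromised."


def normalize(email):
    """Canonicalize input so lookups do not depend on case or whitespace."""
    return email.strip().lower()


def check_leaky(email):
    """Before: distinct answers for invalid and unknown addresses expose
    which addresses have accounts."""
    e = normalize(email)
    if not EMAIL_RE.match(e):
        return "Invalid email address."
    if e not in ACCOUNTS:
        return "No account found for this email."
    return WAS_COMPROMISED if e in COMPROMISED else NOT_COMPROMISED


def check_uniform(email):
    """After: invalid, unknown and unaffected addresses share one answer."""
    e = normalize(email)
    return WAS_COMPROMISED if e in COMPROMISED else NOT_COMPROMISED


def distinguishable_classes(check, probes):
    """Group inputs by response text; each group is a state the caller can
    tell apart from the others."""
    groups = {}
    for p in probes:
        groups.setdefault(check(p), []).append(p)
    return groups
```

A "compromised" answer still confirms that a breached address had an account; the uniform version only stops the tool from revealing accounts that were not in the breach.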



