Have I Been Pwned (HIBP) is launching a major update with several new features and plan restructuring. Key additions include: k-anonymity searches for email addresses (similar to the existing Pwned Passwords approach), two new automated domain verification APIs (via DNS and email), auto-verification of subdomains for apex domain owners, passkey support for dashboard login, and a significant API performance improvement (~40% reduction in time-to-first-byte) by making rate limit checks asynchronous via Cloudflare Workers. Plans are being reorganized into Core, Pro, High RPM, and Enterprise tiers. MSPs can now use HIBP to monitor customers' domains under Pro and High RPM plans. Existing subscribers are protected from pricing changes until at least August 2025, with renewals potentially as late as August 2027.
Table of contents
New Features, New PlansSupporting MSPs Monitoring on Behalf of Third PartiesAutomating Domain VerificationAuto-verifying SubdomainsBringing K-Anonymity Searches to the MassesUnsmoothing the API Rate LimitWe Just Wanna Go (Even) Fast(er)Passkeys!All the Plans and Future Changes for Existing SubscribersWe're Still Doing Credit Cards via StripeSummarySort: