Have I Been Pwned (HIBP) contains seemingly "fake" email addresses because it extracts any string matching a valid email address format (alias@domain.tld) from breach data, without verifying whether actual mailboxes exist behind them. These addresses appear in breaches because websites often store unverified email addresses in their databases before users complete email verification. The service processes 7 billion unique addresses, making individual mailbox verification impossible. The extraction logic is open source and follows RFC standards for email structure, not deliverability.
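To illustrate format-based extraction, here is an added example (not HIBP's open-source extraction code) that pulls address-shaped strings out of a constructed breach dump. The pattern is a simplified assumption about alias@domain.tld structure, and the sample rows and the `verified` column are invented for illustration.

```python
import re

# Assumed, simplified structural pattern: alias@domain.tld with an alphabetic TLD.
# This is not HIBP's actual rule set, only an illustration of structure-only matching.
CANDIDATE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample rows; "verified" mimics a site that stores the address
# before the user has clicked any confirmation link.
SAMPLE_DUMP = """id,email,verified
1,alice@example.com,1
2,asdf@asdf.asdf,0
3,Alice@Example.com,1
4,not-an-email,0
5,test@localhost,0
6,bob@mail.example.net,0
"""

def is_well_formed(addr):
    """Structural checks only: lengths and dot/hyphen placement, no mailbox lookup."""
    local, _, domain = addr.rpartition("@")
    if not 1 <= len(local) <= 64 or len(addr) > 254:
        return False
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    labels = domain.split(".")
    return all(
        label and len(label) <= 63
        and not label.startswith("-") and not label.endswith("-")
        for label in labels
    )

def extract_addresses(dump_text):
    """Return unique, lowercased address-shaped strings in first-seen order."""
    seen, found = set(), []
    for match in CANDIDATE.finditer(dump_text):
        addr = match.group(0).lower()
        if addr not in seen and is_well_formed(addr):
            seen.add(addr)
            found.append(addr)
    return found

if __name__ == "__main__":
    # The extractor never consults the "verified" column, so the keyboard-mash
    # address on row 2 is kept alongside the confirmed one on row 1.
    for address in extract_addresses(SAMPLE_DUMP):
        print(address)
```

Deciding whether a mailbox really exists would need a per-address network check, which is the step the summary says is not feasible at this scale.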

From troyhunt.com