Leaks Happen. The Real Risk Is the Link Between Them. (Our Manifesto)
Leaked passwords are recoverable. Joined profiles are not. Why data leak protection has to break the link, not just chase the breach.
In late 2025, Troy Hunt loaded a dataset into Have I Been Pwned that contained roughly 2 billion unique email addresses and 1.3 billion unique passwords pulled from credential-stuffing lists. HIBP now indexes more than 15 billion compromised accounts across 900-plus breaches. If you have used the internet for more than five years, you are in there, probably several times.
We built Leak Check Me on a simple read of that fact: leaks are the climate, not the weather. You cannot stop them. What you can do is make your leaked data useless to the person on the other end. That is the entire mission, and this post is the worldview behind it.
One-sentence answer: Data leak protection is not about deleting what already leaked — it is about preventing leaked fields from being joined with public-records data to form an identity an attacker can actually use.
TL;DR
- Breaches are inevitable; HIBP indexes roughly 15 billion accounts and adds hundreds of millions more each year.
- A single leaked field (one password, one card number) is recoverable — you rotate, reissue, move on.
- Real harm happens when leaked fields get joined with broker-sold public-records data: address, phone, employer, family.
- That joined profile is what enables doxxing, SIM-swap, AI voice scams, and stalking. Your profile is the attack surface.
- The privacy industry sells "remove your data" but leaked data is gone forever. The fix is breaking the link between sources.
Leaks are the climate
Hunt's billions-of-records dataset is the tip of what's out there. In a single month in late 2025, the Pwned Passwords API served 17.45 billion lookup requests. Those lookups come mostly from defenders: sites checking a newly chosen or entered password against the corpus before accepting it. That defensive volume exists because the offensive side never lets up: automated scripts hammering login pages with leaked email-and-password combos, hoping for a hit.
The credentials inside those dumps came from everywhere. LinkedIn in 2012. Adobe in 2013. Yahoo (twice). Marriott. Equifax. T-Mobile. Snowflake customers in 2024. The pipeline never stops because the incentives for attackers never change and the average web app's security posture is not improving fast enough to outrun them.
So when someone says "I'll help you avoid breaches," be skeptical. You cannot avoid weather by buying a different umbrella every month. You can plan for it.
A leaked field, by itself, is recoverable
This is the part nobody in privacy marketing says out loud because it ruins the pitch.
If your Adobe password leaked in 2013, you rotated it (we hope) and the attacker is left with a string of characters that no longer unlocks anything. If your card number leaked from Target, your bank reissued the card and the old number is dead plastic. If your Yahoo email leaked, the email itself still works, but knowing your email isn't, by itself, an exploit.
Single fields are like single puzzle pieces. They are interesting in a vacuum. They are dangerous in a stack.
The real harm is the join
Here is the move that actually hurts you, and it has nothing to do with the breach itself.
An attacker buys your email and an old password from a credential dump on a forum. Fine, you've rotated it. But then they pull your full name, current home address, your phone number, your employer, your mother's maiden name, and your relatives' names off a people-search site that sourced its data from county records, voter rolls, and other commercially scraped sources. They match the email from the breach (or the name attached to it) against the broker's profile, and the address, phone and family come along with the match. Now they have a person, not a record.
That joined profile is the attack surface. It unlocks:
- SIM swap. Carrier rep gets a call from someone who knows your address, last four of your SSN (also for sale), your phone number, and your birthday. They port your line.
- Account recovery hijacks. Banks and email providers ask security questions a stranger can now answer.
- AI voice scams. A 30-second clip of your voice from a podcast, an Instagram reel, or a leaked Zoom recording is enough to clone you. The attacker then calls your mom (whose number they bought) and asks for emergency cash.
- Stalking and doxxing. The address from a broker plus the schedule from your public LinkedIn equals a physical-world threat.
- Targeted phishing. A scam that names your spouse, your employer, and a recent purchase will land where a generic one wouldn't.
None of these attacks require a fresh breach. They require the combination of one old leaked credential and a live, broker-fed public profile. The combination is the weapon.
The "delete me" pitch is half the story
Most data-removal services promise to "erase you from the internet." That phrase is doing a lot of work it cannot back up. Leaked databases that already changed hands are not coming back. Nothing scrubs a credential dump that was posted to a Telegram channel in 2019. Nothing erases the stolen-card vendor's CSVs.
So if the leaked stuff is gone for good, what can you actually do?
You can collapse the join. You can make sure the still-active half of the attacker's recipe — your current address, phone, employer, family network — isn't sitting on a $4 people-search profile that any high-school cyberbully can pull in two clicks. That is what shrinks the attack surface in a way that matters.
What "scrubbing the link" actually means
Concretely, three things:
- Remove your current personally identifying information from the brokers that surface it. That's Spokeo, Whitepages, BeenVerified, Radaris, MyLife, Intelius, plus another ~150 sites that scrape and resell. Opt-outs work, but they have to be filed correctly and they expire.
- Patrol for relistings. Brokers reaggregate every 30–90 days from public-records feeds. A one-time removal is real but temporary. Persistent monitoring is the difference between a clean profile and a clean week.
- Break the linkage where you can. Use a unique email for high-stakes accounts. Move 2FA off SMS. Don't post your real birthday on social. Don't reuse passwords. The point isn't to be invisible (you won't be) — it's to make joining your remaining footprint expensive and unreliable.
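The join described above, and the effect of the "break the linkage" advice, as an added example that is not code from this post or from Leak Check Me. It is a toy record-linkage pass: breach-dump rows are matched to people-search profiles first on a normalised email key, then on a normalised name. Every record in it is constructed sample data, the class and function names are my own, and the matching rules are deliberately simple (real brokers and real attackers also key on phone numbers, addresses and usernames).

```python
"""Added example (not code from the Leak Check Me post). A toy record-linkage
pass in the style of the join the post describes: breach-dump rows are matched
to people-search profiles, first on a normalised email key, then on a
normalised name. Every record below is constructed sample data."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BrokerProfile:          # the live, broker-fed half of the recipe
    name: str
    emails: tuple
    phone: str
    address: str
    employer: str


@dataclass(frozen=True)
class BreachRow:              # the stale, leaked half
    source: str
    email: str
    name: str                 # name the breached site had on file
    password_hash: str        # dead once rotated; not the dangerous field


def norm_email(e: str) -> str:
    return e.strip().lower()


def norm_name(n: str) -> str:
    # lowercase, strip punctuation, drop single-letter initials so that
    # "Jane A. Doe" and "JANE DOE" compare equal
    tokens = re.sub(r"[^a-z ]", " ", n.lower()).split()
    return " ".join(t for t in tokens if len(t) > 1)


def link(row: BreachRow, profiles: list) -> dict:
    """Strongest join available for one breach row: exact email first, then name."""
    e = norm_email(row.email)
    by_email = [p for p in profiles if e in {norm_email(x) for x in p.emails}]
    if by_email:
        return {"key": "email", "candidates": by_email}
    n = norm_name(row.name)
    by_name = [p for p in profiles if norm_name(p.name) == n]
    return {"key": "name" if by_name else None, "candidates": by_name}


def exposure(row: BreachRow, profiles: list, me: BrokerProfile) -> str:
    """What an attacker holding this row can attribute to *me*."""
    r = link(row, profiles)
    if me not in r["candidates"]:
        return "not reached"
    if r["key"] == "email":
        return "joined"          # address, phone, employer now tied to the leaked login
    if len(r["candidates"]) > 1:
        return f"ambiguous among {len(r['candidates'])}"
    return "name-only guess"


# --- constructed sample data (not real people) -------------------------------
ME = BrokerProfile("JANE DOE", ("jane.doe@example.com",), "5550102000",
                   "12 Elm St, Springfield", "Acme Corp")
OTHER_JANE = BrokerProfile("Jane A. Doe", (), "5550109999",
                           "40 Oak Ave, Shelbyville", "Globex")
PROFILES = [ME, OTHER_JANE]

# same email everywhere: the broker profile lists it, so the join is exact
REUSED = BreachRow("forum-dump-2019", "Jane.Doe@Example.com", "Jane Doe",
                   "5f4dcc3b5aa765d61d8327deb882cf99")
# unique alias for this one account: the email key matches nothing
ALIAS = BreachRow("shop-dump-2021", "shop-7f3a@alias.example.net", "Jane Doe",
                  "e99a18c428cb38d5f260853678922e03")

SCRUBBED = [p for p in PROFILES if p is not ME]   # after a successful opt-out


if __name__ == "__main__":
    print(exposure(REUSED, PROFILES, ME))    # joined
    print(exposure(ALIAS, PROFILES, ME))     # ambiguous among 2
    print(exposure(REUSED, SCRUBBED, ME))    # not reached
```

Three states fall out of the same data: a reused email gives the attacker an exact join, a per-account alias drops the join to a name match that is ambiguous as soon as another Jane Doe exists, and removing the broker profile leaves the stale breach row pointing at nothing of yours. That is the "expensive and unreliable" the list above is aiming for.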
That is data leak protection that actually maps to how attacks work in 2026.
Why this is so hard to fix at scale
A few honest reasons.
The supply side is huge. The data broker industry is worth roughly $290 billion globally in 2025, with thousands of brokers operating across the US, EU, and Asia. Every opt-out you file is one filing into a 5,000-broker ocean.
Public records keep flowing. County recorders, DMVs, voter rolls, and utility hookups feed the brokers constantly. Even a perfect opt-out today will be reversed by the next data refresh.
The government is a customer, not a regulator. Federal agencies including ICE, DHS, and the FBI buy bulk location and identity data from brokers without warrants, the so-called data broker loophole. The same companies you're asking to take you off their lists count those agencies among their paying customers, which gives nobody on the supply side an incentive for the lists to shrink.
Some "privacy" companies are part of the problem. Mozilla dropped OneRep in March 2024 after Krebs reported its CEO had founded the very kind of people-search sites OneRep claims to scrub. Avast agreed to pay $16.5 million to settle FTC charges that it sold users' browsing data through its subsidiary Jumpshot. The privacy industry has trust debt of its own.
That is the terrain. It is not a reason to give up; it is a reason to be precise about what you are paying for.
What you can do today
- Check what's already out there. Run your email through Have I Been Pwned and search your own name on Spokeo, Whitepages, and BeenVerified. The result is your starting profile.
- Rotate any password tied to a known breach. Use a password manager. Make every login unique.
- File opt-outs at the top six people-search sites — Spokeo, Whitepages, BeenVerified, Radaris, MyLife, Intelius. Bookmark the URLs; you'll be back.
- Set a calendar reminder for 60 days from now to re-check. Most relistings show up by then.
- Move SMS 2FA to an authenticator app for your email, bank, and any account tied to your phone number.
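For the first two steps, the check worth automating is the password one. The example below is added here and is not code from this post or from Have I Been Pwned; it checks a password against Troy Hunt's Pwned Passwords corpus through its k-anonymity range API (a real endpoint: only the first five hex characters of the password's SHA-1 hash are sent, and the 35-character suffix is matched locally against the returned list of `SUFFIX:COUNT` lines). The function names, the `User-Agent` string and the sample range body with its counts are my own constructions; the live call is isolated in `fetch_range()` so everything else runs offline.

```python
"""Added example (not code from the Leak Check Me post or from HIBP). Checks a
password against the Pwned Passwords corpus using its k-anonymity range API.
Only a 5-hex-char SHA-1 prefix leaves the machine; the suffix match is local.
The sample range body below is constructed so the logic can run offline."""

import hashlib
import sys
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real endpoint, no API key needed


def split_hash(password: str) -> tuple:
    """SHA-1 of the password, split into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse a range response: one 'SUFFIX:COUNT' per line, CRLF separated.
    Padding entries (count 0, present when Add-Padding is requested) are dropped."""
    hits = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        suffix = suffix.strip().upper()
        count = count.strip()
        if len(suffix) != 35 or not count.isdigit():
            continue                      # malformed line; ignore rather than trust it
        if int(count) > 0:
            hits[suffix] = int(count)
    return hits


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the corpus, given the range
    body for its own prefix. 0 means not found in that range."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Add-Padding asks the API to pad every response to
    a similar size so the response length does not reveal the prefix's hit count."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "leak-check-example"},  # UA string is arbitrary
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password: str) -> int:
    """End-to-end: send the prefix, match the suffix locally."""
    prefix, _ = split_hash(password)
    return breach_count(password, fetch_range(prefix))


# Constructed sample body for prefix 5BAA6 (the prefix of SHA-1("password")).
# The suffixes and counts other than the "password" suffix are invented; the
# last line mimics a padding entry.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0",
])


if __name__ == "__main__":
    # Offline demo; never print the password itself.
    prefix, _ = split_hash("password")
    print("prefix sent:", prefix)                                   # 5BAA6
    print("seen in sample range:", breach_count("password", SAMPLE_RANGE_5BAA6))   # 1234567
    if "--live" in sys.argv:
        print("live count:", check_password_live("password"))
```

Run it with `--live` to hit the real API; without it, only the constructed range is consulted. Anything above zero means the password is in circulation in credential-stuffing lists and should be rotated, regardless of which breach it came from.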
The pitch, plainly
We built Leak Check Me because nobody else was framing the problem the way it actually works. The pitch is small and honest: a $20 one-time scrub mission across the major broker sites that surface your name, address, phone, family, and employer, plus optional monthly patrol to catch relistings before the next attacker does. We don't claim to erase the dark web. We don't claim to delete leaks that already happened. We help prepare eligible opt-out requests after authorization, track verified progress, and watch for the join.
Find the leak. Scrub the link. If that framing makes sense to you, start a scrub mission at leakcheckme.com.
Sources
- Troy Hunt — 2 Billion Email Addresses Were Exposed, and We Indexed Them All in Have I Been Pwned (2025)
- Have I Been Pwned
- Grand View Research — Data Broker Market Size & Industry Report
- Electronic Frontier Foundation — FTC Report Confirms: Commercial Surveillance Is Out of Control (Sept 2024)
- Krebs on Security — Mozilla Drops Onerep After CEO Admits to Running People-Search Networks (March 2024)
- FTC — Order against Avast for Selling Browsing Data ($16.5M, 2024)