Breaches happen every day and a new threat actor pops up on the dark web selling databases (Zomato 2017, Ixigo, BigBasket 2021, etc.). I come across them on a regular basis and so do malicious actors who procure such databases at a minimal cost and leverage the information in these databases (credential stuffing/re-use) and do further damage. Such information can be dominantly seen on the surface web as well (it may be outdated).
Point being, keep track of your emails and where you’ve used them, regularly check for leaks in data breaches, frequently change passwords and use multi-factor authentication (Authy) wherever possible!
Hands down, my first recommendation to folks to validate if their information (emails, passwords, IP, other PII) has ever been leaked as part of any data breach.
How would that be possible? It can only verify the information using a breached database which is submitted to/accessed by the HIBP team. If you update/modify any settings on your account, it will not be visible to anyone else other than yourself.
At this point, I’m not even sure what you mean. Of course you can check whether you’re listed in a breach or not, despite opting for a notification or doing it manually.
I thought your point was how would HIBP know whether you’ve changed your password/enforced 2FA. They can’t.
Yes, it will be listed along with the dates when their info was listed in a breach. So if my password was leaked in a breach that happened in 2017 and I changed my password in 2021, I’m good, simple as that.