Have I Been Pwned Overhauls Plans, Adds Passkeys and K-Anonymity Search
Original source: HIBP Mega Update: Passkeys, k-Anonymity Searches, Massive Speed Enhancements and a Bulk Domain Verification API (Troy Hunt)
Have I Been Pwned is rolling out its biggest feature update in years, restructuring its subscription tiers into Core, Pro, High RPM, and Enterprise plans while adding several privacy and scalability improvements. The most significant technical addition is k-anonymity for email searches: previously, API queries sent full email addresses to HIBP servers, but in the new system the identifier is hashed and the hash truncated before it is sent, so the service never sees the complete address, mirroring the approach already used for password lookups.
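The k-anonymity range lookup described above, as an added simulation that is not HIBP's own code: the client hashes the identifier locally, sends only a short hash prefix, and the server answers with the suffixes it holds under that prefix, so the client can finish the match without the server ever receiving the address. The breach list is constructed sample data, and the 5-character SHA-1 prefix is the Pwned Passwords convention; the exact parameters of the email search are not stated here and are assumed.

```python
import hashlib

# Constructed sample breach corpus standing in for the server-side index.
# These are made-up identifiers, not HIBP data.
BREACHED_IDENTIFIERS = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.org",
]

# Assumption: same hash and prefix length as Pwned Passwords (SHA-1, 5 hex chars).
PREFIX_LEN = 5


def normalise(identifier: str) -> str:
    """Lower-case and trim so client and server hash identical bytes."""
    return identifier.strip().lower()


def sha1_hex(identifier: str) -> str:
    """Full 40-character upper-case hex SHA-1 of the normalised identifier."""
    return hashlib.sha1(normalise(identifier).encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Server side: stores full hashes bucketed by prefix, returns only suffixes."""

    def __init__(self, identifiers):
        self.index = {}
        for ident in identifiers:
            h = sha1_hex(ident)
            self.index.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
        self.received_queries = []  # everything the server learns from clients

    def range(self, prefix: str):
        """Answer a prefix query with every suffix in that bucket (may be empty)."""
        self.received_queries.append(prefix)
        return sorted(self.index.get(prefix, set()))

    def bucket_sizes(self):
        """Anonymity set per prefix: larger buckets hide the queried value better."""
        return {p: len(s) for p, s in self.index.items()}


def client_lookup(server: RangeServer, identifier: str) -> bool:
    """Client side: hash locally, transmit the prefix only, compare suffixes locally."""
    h = sha1_hex(identifier)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in server.range(prefix)
```

With only three entries the buckets are tiny; the privacy of the real scheme depends on each prefix covering many records in a large corpus.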
The update also introduces passkey authentication for subscriber accounts, bulk domain verification via DNS and email APIs, and automatic subdomain verification under a proven apex domain. Managed service providers are now explicitly permitted to use HIBP on behalf of their clients under the Pro and High RPM tiers, backed by new API automation that eliminates the old manual, one-at-a-time domain onboarding process.
Performance work underpins the release as well - Troy Hunt highlights massive speed improvements to handle the service’s current scale of tens of millions of daily API queries and hundreds of millions of password searches. The restructured plans aim to better separate entry-level individual use from the needs of large organizations and MSPs monitoring thousands of domains across the Fortune 500 and beyond.
This is an AI-generated summary. Read the original for the full story.