Troy Hunt ships MCP server for Have I Been Pwned, opens HIBP to agentic AI

Have I Been Pwned now exposes a Model Context Protocol endpoint at haveibeenpwned.com/mcp, letting agentic AI tools like Claude, ChatGPT, and GitHub Copilot query breach and stealer-log data under a user’s API key. Hunt demonstrates the workflow through OpenClaw driven by a Telegram bot, showing how natural-language prompts can replace CSV exports and custom API scripts for tasks like enumerating which employees of a domain appeared in a given breach.

The more interesting payoff comes from Pro-tier stealer log access, where agents surface which third-party services employees logged into using corporate email addresses, including gaming platforms and unfamiliar sites worth investigating. Because the agent runs tasks asynchronously, users can schedule ongoing monitoring of family or domain addresses, auto-flag functional accounts in new breaches, and generate visualisations or executive reports without writing code.

Next on HIBP’s roadmap: native connectors for Claude and ChatGPT backed by an OAuth layer so end users authenticate directly rather than pasting API keys into agent configs. Hunt frames the broader shift, citing Cloudflare’s new natural-language dashboard, as AI collapsing the gap between non-technical users and technical outcomes previously gated behind developer effort.