Troy Hunt: Who Decides Who Doesn’t Deserve Privacy?

Security Reporter

Troy Hunt explains why Have I Been Pwned flags certain data breaches as sensitive, even when they involve morally reprehensible content, and why using breach data for public shaming creates dangerous precedents that threaten both individual safety and the service itself.

The Ashley Madison breach happened over a decade ago, yet it remains the most noteworthy data breach in history. Not because of its scale, but because of what happened afterward. The site facilitated extramarital affairs, which meant massive social stigma attached to anyone exposed. What followed was unprecedented: websites dedicated to outing members, churches contacting spouses, media publishing names, and radio stations encouraging listeners to check if their partners were in the data.

At the time, I introduced the concept of a sensitive data breach before the data even went public. Have I Been Pwned wouldn't show results for Ashley Madison publicly because I was concerned about the human impact. My worst fear was a spouse coming home to find someone had taken their own life, with an HIBP search result on the screen. People did die. Marriages ended. Lives were destroyed. Jobs were lost. The human toll was profound.

The Moral Justification Problem

Many people justified the public doxing on moral grounds: "adultery is bad, they deserve to be outed." This attitude reveals two massive problems.

First, the assumption that an email address in the breach means the person was there for an affair is fundamentally flawed. People joined Ashley Madison for many reasons. Single people joined, then married later. Suspicious spouses created accounts to catch cheating partners. Accounts were created with other people's names and email addresses without consent—there are many "Barack Obamas" in the data.

Should everyone with an email address on Ashley Madison be considered an adulterer? Obviously not. That completely misses the nuance of what an email address in a data breach actually represents.

Second, our personal belief systems cannot be the basis for outing people whose beliefs differ. I use generic terms like "extramarital affair" because HIBP flags many breaches for the same reason. Fur Affinity gets flagged because furries face social stigma. Rosebutt Board gets flagged because some people enjoy activities others find objectionable.

The WhiteDate Catalyst

The recent WhiteDate breach brought this issue to a head. The site ostensibly helps white people date other white people. I flagged it as sensitive, which prompted angry responses:

"U are a Nazi end of story"

"Context matters. U are literally shielding Nazi hate mongering scoundrels. We can't doxx white supremacists? If ISIS had a dating site & it got breached, would you protect it out of fear of doxxing? No."

This reaction is exactly why I need to explain these decisions. The user asks what I'd do if ISIS had a dating site. The answer is straightforward: yes, I would flag it as sensitive.

Contrary to the claim that "every database leaked is sensitive," there are clear legal definitions for sensitive personal information. These include:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade-union membership
  • Genetic data
  • Biometric data processed solely to identify a human being
  • Health-related data
  • Data concerning a person's sex life or sexual orientation

An ISIS dating site breach would check many of these boxes, making it legally sensitive. This isn't an endorsement of their ideology—it's a data processing decision based on established legal frameworks.

When Illegal Activity Enters the Picture

There's a crucial distinction between morally objectionable content and illegal activity. Recently, I flagged an "AI girlfriend" site called Muah.ai as sensitive after a breach exposed 1.9 million email addresses. The data included AI prompts describing sexual images, including child exploitation material.

Most users were just lonely people creating AI companions without inappropriate prompts. Some email addresses were added without the owners' knowledge. But one specific case was repulsive: a professional's Gmail address, linked to their LinkedIn profile showing their name, job title, company, and photo, matched to a prompt describing illegal sexual content involving minors.

I sat with my wife looking at this person's professional profile, knowing what they'd written. It was disgusting. And clearly illegal.

The Right Approach

I contacted law enforcement agencies worldwide and ensured they received the data. Involving law enforcement when datasets contain illegal activity is absolutely correct. But being the vehicle for public shaming without due process is not.

Why This Matters for HIBP

Imagine if HIBP were used to publicly shame someone as a "Nazi," and that led to serious real-world consequences. Whether the accusation was accurate or not, the ramifications for HIBP could be severe—potentially enough to shut down the service entirely.

The Ashley Madison examples show there are also potentially life-threatening outcomes for individuals. After twelve years of running HIBP, I've considered individual privacy and rights hundreds of times. These conclusions aren't arrived at hastily.

Privacy as a Human Right

This all connects to something fundamental: privacy is literally a human right under Article 12 of the Universal Declaration of Human Rights:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Breaches with legally defined sensitive data will continue to be flagged as sensitive. Breaches with illegal data will continue to be forwarded to law enforcement. This approach protects HIBP's ability to operate while respecting fundamental human rights—even for people whose beliefs and actions we find reprehensible.

The alternative, using breach data as a weapon for public shaming, creates a dangerous precedent that ultimately harms everyone. It turns a security tool into a vigilante instrument, and that's something I will never allow Have I Been Pwned to become.
