Source: go.theregister.com – Author: Simon Sharwood
Troy Hunt, proprietor of data breach lookup site Have I Been Pwned, is likely to ban resellers from the service.
Have I Been Pwned (HIBP) has gathered data stolen in 866 breaches and appearing at thousands of paste sites, and allows anyone to search for email addresses or text that trove contains. If personal info is present in a data breach or paste site, HIBP advises users of the fact. Folk who find their addresses were pwned hopefully go on to do sensible things like reset passwords and enable multi-factor authentication.
HIBP also offers paid subscriptions that allow access to an API that handles bulk queries of its database. The subs range from $39.50 a year to $1,370.
In his weekly update posted February 9th, Hunt explained that he suspected resellers were among his most difficult customers for those subs. Fueling that hunch was a support ticket lodged by a reseller that revealed they had marked up the price of the subscription from $1,100 to $2,544.
Hunt decided to crunch some numbers and quickly learned that just 0.86 percent of HIBP subscribers are resellers, but so far in 2025 they lodged 15.6 percent of support tickets. Further analysis suggested reseller support requests were more complex and took five times longer to handle than other queries.
After assessing those numbers, Hunt said “In all likelihood, probably this coming week, I think we’re just going to ban resellers. I think we’re just going to kick them off all together.”
Hunt said he’d drafted a blog post to explain the decision and hoped to post it this week. At the time of writing, no post has appeared.
Hunt told us he’s decided to delay his decision.
In conversation with The Register, Hunt said he is now “Very, very, strongly inclined” to stop working with resellers, and plans to make a decision “in coming weeks.”
He told us HIBP feels allowing resellers to acquire subscriptions is “extraneous” to the business, which has tried to make its subscriptions as simple as signing up for a streaming video service. He’s worked with resellers to help those who can’t pay by credit card or must follow formal procurement processes that don’t permit direct purchases.
Hunt hopes to find a middle ground by developing automations that mean most reseller requests can be handled without human intervention, but feels they’ll continue to consume a disproportionate amount of support resources.
“Every time they come up for renewal they want a new quote,” he told The Register, in contrast to other customers that understand how subscriptions work, and that HIBP will occasionally hike prices.
In the video, Hunt bemoans one reseller who asked for a price rise to be reversed because their end-customers wouldn’t pay it. Another sent a long list of questions about matters including a returns and cancellations policy, to which Hunt retorted “What do you mean ‘return’? It’s a subscription. How do you return your Netflix subscription?”
Hunt cited the incidents in the above paragraph as representative of “shitty” behavior from resellers. He promised to find ways to work with customers who currently acquire HIBP through a reseller.
He’s fonder of managed service providers (MSPs), who he feels add useful value.
The video also reveals that HIBP has automated responses to requests to have personal information removed from its data trove. Hunt said some people want all of their info removed, others are content to have their info retained without being publicly searchable, while some want their data excluded in records of new data breaches. HIBP previously explained those options in response to erasure requests. Now it’s built tech to automatically determine which of the three options people want, saving it a bit of time. ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/02/13/hibp_reseller_ban/