1k Data Breaches Later, the Disclosure Lag Is Worse

1,000 leaks in, and companies are still taking weeks to tell people their data is out there

TLDR: A breach-tracking site hit its 1,000th case, but the bigger scandal is that major companies like Carnival and Zara waited more than six weeks to warn people after data was already spreading online. Commenters were furious, with many saying firms have no reason to be honest quickly and others joking that everyone should just assume every account is doomed.

The big milestone here is almost absurd: 1,000 data breaches added to Have I Been Pwned, the public site that lets people check whether their personal information showed up in a leak. But the real outrage wasn’t the number — it was the waiting game. In the Carnival case, millions of records were reportedly posted online in April, yet customers weren’t told until 43 days after the company learned of the incident. Zara? Even worse, with a 45-day delay. The community reaction was basically one giant scream of: how is this still happening?

And the comments? Pure doom, sarcasm, and survival tips. One camp was furious at companies, asking the obvious question: what business incentive is there to tell us quickly at all? Another group went full internet nihilist, saying people should now assume every account will be leaked eventually and just prepare accordingly with different email tricks, strong passwords, and two-step verification. Then came the spicy side debate: some commenters said Have I Been Pwned itself is no longer enough, because other services show exactly what leaked instead of just waving a red flag.

The darkest humor came from the “we’re cooked” crowd, with one commenter blaming rushed app updates and overworked review systems for a future packed with even more leaks. The vibe was clear: people don’t just distrust hackers — they’re losing patience with the companies acting like silence is somehow customer care.

Key Points

  • The article marks the 1,000th breach added to Have I Been Pwned and argues that the service remains necessary because breach disclosures are still delayed.
  • Troy Hunt cites Carnival as an example, saying 8.7 million records and 7.5 million email addresses were published on April 24, 2026, after a ShinyHunters-linked attack.
  • According to the article, Carnival notified customers on May 27, 2026, 43 days after learning of the incident.
  • The article says leaked Carnival data spread quickly across dark-web and clear-web sites, hacking forums, and Telegram channels before official notification.
  • Hunt also cites a Zara case linked to ShinyHunters, saying published data included 197,000 unique email addresses and that disclosure lag reached 45 days.

Hottest takes

"Is there ANY business motivation for any corporation to open such information up sooner than later?" — zx8080
"At this stage just expect that every account will get leaked or rooted, it's a matter of when, not if..." — keyle
"It's not needed... alternatives... actually show you what data leaked" — charcircuit