Emberly Docs

HaveIBeenPwned

How Emberly warns you when your password appears in known data breaches.

When you log in, Emberly silently checks whether your password appears in the HaveIBeenPwned (HIBP) database of over 10 billion compromised credentials.

How It Works

Your password is never sent to HIBP. The check uses k-anonymity:

  1. Your password is hashed with SHA-1 — locally in the browser
  2. Only the first 5 characters of the hash are sent to HIBP
  3. HIBP returns all hashes that start with those 5 characters
  4. Your browser checks whether your full hash is in the list
  5. The password itself never leaves your device
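The five steps above, as an added example (not Emberly's own code). It runs under Node.js with a constructed range response embedded, so no network call is made. The function names, the sample response and its counts are assumptions for illustration. The endpoint named in the comment is HIBP's public Pwned Passwords range API.

```javascript
// Added example: client side of a k-anonymity range check.
// Node's createHash is used so the block runs offline; in a browser the
// same digest comes from crypto.subtle.digest('SHA-1', bytes).
const { createHash } = require('node:crypto');

// Steps 1-2: hash locally, then split into the 5-character prefix that is
// sent and the 35-character suffix that never leaves the device.
function splitHash(password) {
  const hex = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// Steps 3-4: the range response holds one "SUFFIX:COUNT" entry per line,
// CRLF separated. Returns the breach count, or 0 when the suffix is absent.
function breachCount(suffix, rangeBody) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate && candidate.toUpperCase() === suffix) {
      const n = Number.parseInt(count, 10);
      // Padding entries in a padded response carry a count of 0: not a breach.
      return Number.isFinite(n) ? n : 0;
    }
  }
  return 0;
}

// Constructed response for prefix 5BAA6 (SHA-1 of "password" starts with it).
// The counts are made up for this example, not real HIBP figures.
const SAMPLE_RANGE_BODY = [
  'A'.repeat(35) + ':3',
  '1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234',
  'B'.repeat(35) + ':0',
].join('\r\n');

// Step 5: only `sent` would go on the wire, as
// GET https://api.pwnedpasswords.com/range/<prefix>
function checkPassword(password, rangeBody = SAMPLE_RANGE_BODY) {
  const { prefix, suffix } = splitHash(password);
  return { sent: prefix, count: breachCount(suffix, rangeBody) };
}
```

A count above 0 is what would trigger the warning banner, and the comparison against the suffix list happens entirely on the client.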

Login Flow

  You enter password and click "Sign in"
            │
  HIBP check starts (non-blocking)
            │
  Sign-in request proceeds simultaneously
            │
     ┌──────┴──────┐
  Breach?      No breach?
     │             └─ Login succeeds, no warning
     │
  You are logged in successfully
  + warning banner shown
  + Options: "Change Password" or "Continue Anyway"

Not an Emberly breach

A HIBP warning means your password was found in another service's data breach — Emberly was not compromised. We strongly recommend changing it regardless.

The Warning

When your password is found in HIBP:

  • You are still logged in — it's informational, not a blocker
  • You see a banner explaining the breach
  • The number of times the password appears in breach databases is shown
  • You can click "Change Password" to update immediately, or "Continue Anyway"

Why This Matters

Credential stuffing attacks — where attackers use leaked username/password pairs from other sites — are one of the most common account takeover methods. Even if your Emberly account is secure, a reused compromised password puts you at risk.

Privacy Guarantees

  What is sent to HIBP           What stays private
  ---------------------------    -----------------------------
  First 5 chars of SHA-1 hash    Your full password
                                 Your username
                                 Your email address
                                 The fact that you're checking

HIBP is a free, privacy-focused service operated by Troy Hunt. See haveibeenpwned.com for details on their privacy policy.

If You See a Warning

  1. Don't panic — your Emberly account itself is not breached
  2. Click "Change Password" and set a unique, strong password
  3. Check your other accounts — if you used the same password elsewhere, update those too
  4. Consider using a password manager for unique credentials per site
