This notification from HIBP about the Not SOCRadar breach made me think how damn hard a job @troyhunt is doing.
My first reaction was "why would he load this" but after reading the #socradar report I think I understand.
But if my understanding is correct there are so many levels of infosec-meta here.
I think (correct me if I'm wrong) that this breach is actually an indication of the email being in a stealer log.
Which is bad.
And neither the SOCRadar writeup nor Troy's description of the breach explain this.
So I thought I would write up a suggestion for how to improve the description to include this.
But I very quickly got stuck because there is actually very little known about this, and assumptions and guesses are likely to add to the confusion.
We have no idea if the email/credentials were stolen last month, or five years ago, or if it was just in some random compilation of public emails in a Telegram channel.
So in the end, I think keeping it to "known" facts like Troy does makes sense.
But... what is the value then? If the goal is to help people know if they are breached, knowing that it was in this report gives absolutely zero info to anyone.
Except if this is the ONLY breach the email was in. Because that might indicate the breach is actually recent.
But figuring this out is again so many levels down that I doubt many can draw that conclusion.
So was it worth loading this or not? I don't know. The fact that there was 19% new emails seems to indicate it was indeed worth it as those people have not previously received any notification. But for the 81% that were already in, the additional notification seems to provide very little value.
So in the end, I think where I'm ending up is that it would be useful if the notification email had a bit more information. That would save me having to go to HIBP, send verification, log in, Ctrl+F the new breach and try to figure out if this is a new breach or a repacking.
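The manual "log in, Ctrl+F the new breach, compare against the others" step above can be scripted against HIBP's v3 `breachedaccount` endpoint, which returns the same per-breach metadata (BreachDate, DataClasses, IsMalware, IsSpamList) that the web UI shows. The script below is an added example, not code from the post's author or from HIBP; the `fetch_breaches` helper uses the real endpoint and `hibp-api-key` header (a paid key is required), while the breach records in `SAMPLE_BREACHES_JSON` are constructed for illustration and are not HIBP's real data. It answers the two questions the post raises: is this the only breach the address is in, and does the new breach expose anything not already exposed by earlier ones.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Any

# Constructed sample in the shape of the HIBP v3 breachedaccount response
# (truncateResponse=false). Names, dates and flags are made up for this
# example; they are not real HIBP breach records.
SAMPLE_BREACHES_JSON = """[
  {"Name": "ExampleForum", "Title": "Example Forum", "Domain": "forum.example",
   "BreachDate": "2016-03-01", "AddedDate": "2016-05-12T00:00:00Z", "PwnCount": 120000,
   "DataClasses": ["Email addresses", "Passwords", "Usernames"],
   "IsVerified": true, "IsFabricated": false, "IsSensitive": false,
   "IsRetired": false, "IsSpamList": false, "IsMalware": false},
  {"Name": "ExampleAggregate", "Title": "Example Aggregate Dump", "Domain": "",
   "BreachDate": "2024-08-20", "AddedDate": "2024-09-02T00:00:00Z", "PwnCount": 50000000,
   "DataClasses": ["Email addresses", "Passwords"],
   "IsVerified": false, "IsFabricated": false, "IsSensitive": false,
   "IsRetired": false, "IsSpamList": false, "IsMalware": true}
]"""


def sample_breaches() -> list[dict[str, Any]]:
    """Parse the constructed sample into the list shape the API returns."""
    return json.loads(SAMPLE_BREACHES_JSON)


def fetch_breaches(account: str, api_key: str, user_agent: str) -> list[dict[str, Any]]:
    """Live lookup against HIBP v3 (needs an API key). Not used by the offline demo."""
    url = ("https://haveibeenpwned.com/api/v3/breachedaccount/"
           + urllib.parse.quote(account) + "?truncateResponse=false")
    req = urllib.request.Request(
        url, headers={"hibp-api-key": api_key, "user-agent": user_agent})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:  # HIBP answers 404 when the account is in no breach
            return []
        raise


def triage(breaches: list[dict[str, Any]], notified: str) -> dict[str, Any]:
    """Summarise what a new breach notification adds for one address.

    `notified` is the Name of the breach the notification email is about.
    """
    by_name = {b["Name"]: b for b in breaches}
    if notified not in by_name:
        raise ValueError(f"{notified!r} is not in this account's breach list")
    new = by_name[notified]
    # Every other breach the address is in, oldest first.
    others = sorted((b for b in breaches if b["Name"] != notified),
                    key=lambda b: b["BreachDate"])
    new_classes = set(new["DataClasses"])
    prior_classes = {c for b in others for c in b["DataClasses"]}
    return {
        # The post's heuristic: if this is the only breach, the exposure may be recent.
        "only_breach": not others,
        # HIBP flags breaches sourced from malware (stealer logs) with IsMalware.
        "malware_sourced": bool(new.get("IsMalware")),
        "spam_list": bool(new.get("IsSpamList")),
        "prior_breaches": [(b["Name"], b["BreachDate"]) for b in others],
        "data_classes_already_exposed": sorted(new_classes & prior_classes),
        "data_classes_newly_exposed": sorted(new_classes - prior_classes),
    }


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_breaches(...) for a live check.
    for key, value in triage(sample_breaches(), "ExampleAggregate").items():
        print(f"{key}: {value}")
```

For a real lookup, call `fetch_breaches("you@example.com", api_key, "your-tool-name")` and pass the result to `triage` with the breach name from the notification; an empty `data_classes_newly_exposed` list together with `malware_sourced` set is exactly the "already-known credentials, now seen in a stealer log" situation the post describes, which the notification email itself does not spell out.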
