Why don’t services like Have I Been Pwned send email if you haven’t signed up?


When a database is breached and my password and email have been leaked, I can go onto Have I Been Pwned and I can see that my password has been leaked. But why wouldn’t the service send out an email notifying me of my leaked password WITHOUT signing up for getting notified?

In my experience, a lot of senior people find out that their password management is poor (same password everywhere) after they’ve been hacked and potentially lost money. Now they could’ve received an email notifying them of all their hacked passwords and the shock could force them to use a password manager.

I think the main reason this doesn’t exist is that there are way too many emails to send. If you sum up a list of leaked services for every user, you’d have to send millions or billions of emails (even if spread out over multiple years) and this would probably get you blocked on every mail service.

What are the other reasons that this service doesn’t exist?