Constella vs. Have I Been Pwned

When Credential Monitoring Isn't Enough

Have I Been Pwned built the category. It’s a respected, well-maintained service that has helped millions of individuals understand their breach exposure. But for security teams, fraud platforms, MDR providers, and identity monitoring products operating at enterprise scale, HIBP was never designed for what you’re trying to build. 

Constella’s Identity Intelligence API covers more breaches, more records, more identity attributes, and the entire infostealer threat surface that HIBP does not index at all. This page shows you exactly where the differences are, and why they matter. 

The Numbers at a Glance

  • 3.6x more records than HIBP: 63B+ Constella records vs. 17.5B HIBP records
  • 49x more breaches than HIBP: 23,500+ Constella breaches vs. 973 HIBP breaches
  • 81x more breaches ingested in 2025 alone: Constella processed 81x more breach events than HIBP in the past year
  • 392% Constella breach growth since 2021: HIBP grew 17% in the same period
  • 0 infostealer packages in HIBP: HIBP does not index infostealer data. Constella processed 51.7M packages in 2025.
  • 300+ identity fields Constella processes per record: HIBP outputs email, breach name, and exposed field labels only

What Have I Been Pwned Is

Have I Been Pwned (HIBP) is a free, publicly available breach notification service created by Troy Hunt in 2013. Its core function is simple: enter an email address and learn whether that address appears in any of the breaches HIBP has indexed. It is widely trusted, well-maintained, and genuinely useful for individual awareness.

HIBP also offers a paid API that allows organizations to query breach data programmatically, a Pwned Passwords service for checking password exposure, and limited domain monitoring. For individual users, small teams, and basic breach notification use cases, HIBP delivers real value.

What HIBP was not designed to do: power a fraud decisioning model, feed an MDR detection stack, drive an identity theft monitoring product at scale, detect session hijacking via infostealer cookie harvesting, or provide the N-dimensional identity intelligence that enterprise security and fraud programs require.

2-Dimensional Credential Monitoring vs. N-Dimensional Identity Intelligence

This is the fundamental architectural difference between the two approaches. 

HIBP: 2-Dimensional

HIBP’s data model is credential-centric. A breach record is essentially a vector of two dimensions: an email address and a password. That is what HIBP indexes, what its API returns, and what its notification system acts on. For password reset flows and basic breach awareness, two dimensions are sufficient. 

Inputs: email address or domain 

Outputs: breach name, date, record count, description, exposed field labels, logo, verified flag 

Identity attributes beyond email: not returned 

Infostealer session data: not indexed 

Hashed query support: k-anonymity for passwords only; email anonymization is Pro-tier

Records per breach: typically email and password fields 

Constella: N-Dimensional

Constella processes identity as a multi-dimensional object. A single breach record at Constella can contain up to 300+ distinct identity fields: name, address, phone, national ID, financial data, device identifiers, geolocation, and more. Every field is normalized, verified, and queryable. 

Inputs: email, domain, phone, national ID, IP address, username, and 38+ additional PII attributes 

Outputs: full identity record with all available fields, breach attribution, Identity Exposure Score, breach type and classification, policy-driven response formatting, actionable recommendations 

Infostealer package data: 51.7M packages processed in 2025, including session cookies, VPN credentials, device metadata, and targeted URL capture 

Hashed data: full pipeline support for 100% hashed operations — no plaintext ever touches your infrastructure 

Multi-language support: 50+ languages, 125+ countries, EU data center available 

Identity Exposure Score: proprietary risk scoring per identity, enabling alert prioritization 

Data Scale: Where HIBP Ends and Constella Begins

HIBP indexes carefully curated, high-profile breaches. Its 973 breaches represent the most widely publicized incidents — Adobe, LinkedIn, Yahoo, and similar. That curation is intentional and makes HIBP’s data trustworthy for what it covers.  

The problem is what it doesn’t cover. Constella has indexed 23,500+ breaches — 49x more than HIBP. That gap is not noise. It is the long tail of smaller breaches, regional incidents, dark web dumps, combo lists, and the thousands of lower-profile exposures that don’t make headlines but do compromise real identities. HIBP covers approximately 2% of Constella’s total breach volume. 

A practical consequence: between 2021 and 2025, Constella ingested approximately 11.5x more records than HIBP — roughly 62 billion more records over the same five-year period. In 2025 alone, Constella processed approximately 19 billion more records than HIBP and 81x more breach events. 

Constella already covers approximately 82% of all breaches included in HIBP. The inverse is not true: HIBP covers less than 2% of Constella’s breach library. 

This matters operationally. When your fraud model, your identity monitoring product, or your MDR stack queries for a compromised identity and gets no match, the question becomes: is this person truly clean, or did the query not reach far enough? 

The Infostealer Gap: What HIBP Cannot See

This is not a scale difference. It is a capability gap. 

HIBP does not index infostealer data. Infostealers — Lumma Stealer, RedLine, Vidar, Raccoon, Stealc, and dozens of other active malware families — are the dominant attack vector in 2025 and 2026. They harvest active session cookies, VPN credentials, browser-saved passwords, SSH keys, cryptocurrency wallets, and device metadata from infected devices, and transmit that data to criminal markets within hours of infection. 

The reason infostealers matter to security programs is not just the credential harvest. It is the session cookie. A stolen session cookie from a Microsoft Entra ID authentication bypasses MFA entirely because the session was already authenticated. Attackers replay the cookie, not the credential. HIBP has no visibility into this attack chain at any stage. 

Constella processed 51.7 million infostealer packages in 2025 — a 72% year-over-year increase. Each package contains structured telemetry: the specific URLs where sessions were captured, the device hardware ID, the malware strain responsible, and the recency of the log. This is the intelligence that enables a security team to act before the stolen session is replayed. 

  • HIBP infostealer packages indexed in 2025: 0 
  • Constella infostealer packages processed in 2025: 51.7 million 
  • Constella alert window: hours from infection to marketplace detection 
  • HIBP alert window for infostealer threats: no capability 

API Capability Comparison

| Capability | Constella | Have I Been Pwned |
|---|---|---|
| Search API (breach by email) | Yes | Yes |
| Monitoring API (real-time alerts) | Yes | Yes (domain-level, paid) |
| Catalog API (breach metadata) | Yes | Yes |
| ATO / Password exposure API | Yes | Yes (Pwned Passwords) |
| Paste / dark web API | Yes | Yes |
| Infostealer / session cookie API | Yes | No |
| Score API (Identity Exposure Score) | Yes | No |
| Surface / domain intelligence API | Yes | Limited (domain search) |
| Business / domain-level inputs | Yes | Yes (paid tier) |
| 38+ PII attribute inputs | Yes | No (email and domain only) |
| Full hashed data pipeline (100%) | Yes | Partial (passwords only) |
| Policy-driven alert configuration | Yes | No |
| Identity Exposure Score per record | Yes | No |
| Breach type and classification | Yes | No |
| Actionable recommendations per alert | Yes | No |
| Multi-language alert delivery (50+) | Yes | No |
| EU data center available | Yes | No |
| Sub-200ms API latency | Yes | Rate-limited by plan tier |
| SLA-backed enterprise support | Yes | Community / documentation |

Inputs and Outputs: What You Can Query, What You Get Back

Inputs: What You Can Search On

HIBP accepts email addresses and, in paid tiers, domains. That is the complete input set. 

Constella accepts email addresses, domains, phone numbers, national identity numbers, usernames, IP addresses, physical addresses, financial account identifiers, and 38 additional PII attributes. For fraud and identity use cases requiring entity resolution across partial data, this breadth of queryable input is not a feature — it is the architecture. 

Outputs: What You Get Back

HIBP returns: breach name, breach date, record count, description, data classes exposed (as labels, not values), logo, and verified flag. It does not return the actual exposed data values. 

Constella returns the full available record for the queried identity, normalized across all fields that appeared in the source breach or infostealer package. This includes hashes or clear text of exposed PII depending on your configured policy, the Identity Exposure Score, breach type and classification, breach attribution chain, device metadata for infostealer records, targeted URLs captured by the malware, and policy-driven recommendations formatted to your specification. 

The practical difference: a HIBP response tells you an identity was in a breach. A Constella response tells you what was exposed, how sensitive it was, how confident the attribution is, whether infostealer malware was involved, and what action your system or analyst should take. 

Data Verification: Basic vs. Comprehensive

HIBP applies a four-point verification check to breaches it accepts: public acknowledgment of the breach, a structure consistent with the claimed source, evidence of the attacker and their track record, and basic data integrity. This is honest, reasonable verification for a publicly accessible service. 

Constella’s verification pipeline applies 25+ automated checks to every ingested dataset, including source authentication, structural and linguistic integrity analysis, deduplication against the existing data lake, entity resolution across multiple identity attributes, legal liability evaluation, and data pedigree tracing. Every record in Constella’s lake is traceable to a confirmed breach or exposure event. 

This matters for alert quality. Higher verification standards mean lower false positive rates, which means your fraud model, your SOC alert queue, and your identity monitoring customers receive signals that are both accurate and actionable. 

One measurable consequence: in comparative testing using the same provisioned data, Constella-only breaches produced approximately a 50% unique hit rate, while breaches that appeared in both HIBP and Constella produced approximately a 30% hit rate. The Constella-exclusive breach coverage — the breaches HIBP has not indexed — delivers meaningfully higher match rates against real exposed identity populations. 

OEM and Partner Integration: Customization HIBP Cannot Offer

If you are building an identity theft monitoring product, a fraud decisioning service, an MDR offering, or any platform that requires identity intelligence as a component, HIBP’s API provides a fixed output: breach metadata and a binary match signal. 

Constella’s API is built for integration at the product level. This includes:  

  • Custom alert policy configuration: define your own alert descriptions, confidence thresholds, breach type filters, and delivery formats for each customer or product line 
  • Multi-language alert delivery: alerts generated in 30+ languages for international consumer monitoring products 
  • Identity Exposure Score: a proprietary risk score attached to each alert that enables your system to prioritize and filter without building scoring logic internally 
  • 100% hashed data pipeline: operate without any plaintext identity data touching your infrastructure, satisfying GDPR, CCPA, and equivalent data protection requirements out of the box 
  • Monitoring API: continuous background monitoring with webhook or batch alert delivery, not just query-response 
  • Catalog API: programmatic access to breach metadata for building breach disclosure workflows 
  • SLA-backed support with dedicated account management for enterprise and OEM partners 

The Constella API was purpose-built for OEM integration. HIBP’s API was built for direct access. The architectural difference becomes visible at scale. 

Who Each Solution Is Right For

HIBP is a strong fit for:

  • Individual users checking personal email breach exposure
  • Small security teams doing one-off breach lookups
  • Developers building simple breach awareness features into consumer applications
  • Organizations needing a low-cost, easy-to-implement domain monitoring notification
  • Proof-of-concept projects that need breach data without procurement overhead

Constella is built for:

  • Identity theft monitoring providers building consumer or enterprise products on top of breach and infostealer intelligence
  • MDR and XDR platforms that need external identity risk signals to detect pre-ransomware credential exposure
  • Fraud and risk teams at financial institutions, FinTechs, and e-commerce platforms that need N-dimensional identity data for fraud model inputs
  • MSSPs and security service providers building premium identity monitoring service tiers
  • Enterprise security teams using Hunter+ DRP for workforce credential monitoring, executive protection, and brand monitoring
  • Law enforcement and OSINT investigators needing identity attribution across breach records and infostealer data
  • Any organization operating in a regulated environment that requires 100% hashed data handling and EU data residency

FAQ: Deep Dives into Methodology

Does Constella cover the same breaches as HIBP?

Constella already covers approximately 82% of the breaches in HIBP’s index. The remaining roughly 18% consists primarily of exclusive, selectively shared datasets — often partial email-only disclosures used by threat actors to establish credibility, or researcher-published notices. Constella covers these selectively based on signal quality and attribution confidence. HIBP covers less than 2% of Constella’s total breach library. 

Does HIBP have infostealer data?

No. HIBP does not index infostealer packages. This is a capability gap, not a scale gap. Infostealer data — session cookies, VPN credentials, device metadata, targeted application URLs — represents the primary attack vector for ransomware initial access and MFA bypass in 2025 and 2026. Constella processed 51.7 million infostealer packages in 2025. 

Can I use Constella if I already integrate HIBP?

Yes. Constella’s API is designed to be additive. Many organizations start with HIBP for basic breach notification and layer Constella’s API on top for infostealer detection, the additional 18x breach coverage that HIBP does not provide, N-dimensional identity attribute matching, and the monitoring and scoring capabilities HIBP’s API does not offer.

How does Constella handle privacy and data compliance?

Constella supports 100% hashed data operations across the full query and alert pipeline. No plaintext identity data needs to transit your infrastructure. This satisfies GDPR, CCPA, and equivalent data protection frameworks by design. Constella also maintains an EU data center for organizations with data residency requirements. HIBP supports hashed queries for passwords via k-anonymity but does not offer full hashed pipeline operation. 

What is the Identity Exposure Score?

The Identity Exposure Score is a proprietary risk metric Constella attaches to each identity alert that quantifies the severity and sensitivity of an exposure based on the breach source, data types exposed, infostealer involvement, freshness of the data, and other weighted factors. It enables downstream systems to prioritize alerts, trigger different response workflows, and avoid treating a partial email exposure from 2018 the same as a fresh infostealer log containing active session cookies. 

How quickly does Constella detect new breach and infostealer data?

Constella’s breach ingestion scales to 30,000 breach events per week and processes infostealer packages as they appear on monitored criminal markets. In documented cases, infostealer log detection has occurred within hours of infection — enabling credential rotation and session invalidation before the stolen data can be used for account takeover or ransomware staging. 

See the Difference in Your Environment

The best way to understand the gap between credential monitoring and identity intelligence is to run both against your own domain or customer population. Contact us to discuss a proof of value against your actual use case.