The Unreasonable Benefits of Using for eCommerce Merchants is a service that allows people to find out if their information has been exposed in a data breach. They can see if their personal data has been “pwned” or not.

Troy Hunt^, a fellow Australian, created a website to help users discover if their email address, passwords, or other personally identifiable information have been exposed in a data breach. The website also provides details about historical data breaches and offers advice on how to better secure online accounts.

^Troy has purchased from one of our ecommerce stores, but has no idea we’re writing this post.

What does it mean when a customer’s email address appears on

69.8% of our customers have had their data appear in a breach! can reveal the relative age of an email address (by virtue of appearing in their database), which can be helpful in reducing the risk of fraudulent orders by establishing that the age of an email address. I.e. it is not a newly created email address for the purposes of scamming your business. This can be useful in protecting against fraud by showing that the email address is not newly created. Don’t worry if a customer’s data appears in a breach - our measurements have shown that 69.8% of our customers have had their data appear in a breach.

How do we use the information?

In our ecommerce platform (which we’re making available to other ecommerce merchants), we indicate to our staff whether an email account has appeared in a data breach. If it has appeared, we show a little check mark next to their email address.

How can I use the data in ?

HaveIBeenPwned have an API that allows the list of pwned accounts (email addresses and usernames) to be quickly searched via a RESTful service.

Using the API is pretty easy. We use a Rails Job to check our customers, and it looks something like this:

# Our customer model has the attributes
# pwned (boolean) [default false] - has the customer been pwned?
# pwned_check (boolean) [default false] - have we checked the customer?
# haveibeenpwned (jsonb) - a field to save data from about the breaches

# The URL of the API
url = "{}"

# HTTP Headers required for the HaveIBeenPwned Service
headers = {
  'hibp-api-key': MY_API_KEY_HERE,
  'user-agent': 'my-script-name'

# Fetch the data from HaveIBeenPwned
response = HTTParty.get url, headers: headers

# If the body is blank, the email address hasn't appeared in a databreach known to HaveIBeenPwned

if response.body.present?
  # If there is a JSON response, convert it into a Ruby object
  pwnage = JSON.parse response.body

  # Save the data back to the customer model
  customer.haveibeenpwned = pwnage

  # Mark the customer as having been in a breach
  customer.pwned = true

# Mark the customer as having been checked.
customer.pwned_check = true

# Save the customer details back to the database

Conclusion is a great service that allows users to quickly search for their personal data in a data breach. It can indicate the relative age of an email address, which can be beneficial in reducing the risk of fraud, and it also has an API that allows the list of pwned accounts to be quickly searched. Knowing if your data has been exposed can help you better secure your online accounts and protect yourself from identity theft.

Let us know what you think in the comments below!