myNetWatchman vs. HaveIBeenPwned

There's a significant difference between knowing a credential was stolen and knowing it's being used right now.

Side by Side

Feature Comparison

| What you need to do | myNetWatchman | HaveIBeenPwned |
| --- | --- | --- |
| Stop an account takeover attempt at the moment of login | Inline Credential Screening API fires at login, matches the full credential pair, and returns a block or step-up signal in milliseconds | Not designed for this — HIBP is a consumer self-lookup tool with no inline auth integration |
| Only flag users whose current credential pair is actually at risk | Screens email + password together — no false alerts from old breaches or reused-but-changed passwords | Checks email and password independently — flags may fire even after a user has already reset their password |
| Know a credential is dangerous because a fraudster used it recently — not just because it appeared in a breach | Captures 15M+ credentials/day from live criminal activity — data is ~4 minutes fresh from active use | Dataset reflects historical breaches ingested after public disclosure — often months or years behind active criminal use |
| Protect users at signup before any fraud attempt occurs | Screens credential pair at registration; Email Reputation API adds risk scoring on the email address itself | No signup integration — HIBP requires users to manually check their own credentials |
| Meet NIST SP 800-63B requirements for compromised credential screening | Purpose-built for inline pair-level checks at signup and password reset — the exact use case NIST SP 800-63B requires | Pwned Passwords list is sometimes cited for NIST compliance, but checks are not pair-level or performed in real time |
| Get actionable risk signals your system can act on automatically | Returns risk context to drive policy decisions: force reset, trigger step-up MFA, or block the attempt entirely | Returns a found/not-found binary flag — no risk scoring, no policy integration, no automated response path |
| Scale to millions of authentication events per day without rate limits | Enterprise API built for high-volume, low-latency production traffic across your full user base | Offers API and business plans, but built primarily as a lookup service rather than an inline authentication protection layer |
| Monitor your entire user base continuously for emerging threats | ATO Threat Monitoring watchlist covers all users and alerts when credentials surface in live attack data | No ongoing monitoring — users must check themselves; no alerting or watchlist capability |
| Identify if an email address itself is under active criminal control | Email Reputation API returns fraud signals tied to the email account — beyond just password exposure | Not available — checks only whether the address appeared in a breach dataset |

HaveIBeenPwned (HIBP) is a well-known public service, and Troy Hunt deserves credit for building broad awareness of credential breaches. But awareness isn’t protection — and the gap between what HIBP offers and what myNetWatchman delivers is the gap between a smoke detector and a sprinkler system.

The lookup problem. HIBP is built for individuals looking themselves up. You enter an email address, and it tells you if that address appeared in a known breach. Enter a password separately, and it tells you if that exact string showed up somewhere. But those are two independent checks. HIBP can’t tell you whether your email and your password — the actual credential pair a criminal would use — have been seen together in the wild. That design constraint means a significantly higher rate of false positives. myNetWatchman screens the pair — username and password together — against 44B+ compromised credential pairs, so a match actually means something.

The freshness problem. HIBP ingests breach data as it becomes publicly available — which typically means weeks, months, or even years after credentials were first compromised and actively in circulation. By the time data lands on HIBP, fraudsters have already been monetizing it. myNetWatchman operates live surveillance infrastructure, observing over 15 million credentials per day as bad actors use them in real time. The intelligence isn’t historical. It’s happening now.

The insight problem. HIBP can tell you a credential appeared in a breach dataset. That’s it. myNetWatchman can tell you that a fraudster used that credential pair — actively, on another site — within the past few minutes. “This password appeared in a breach dump” is a very different signal from “a criminal tested this exact login 4 minutes ago.”

The integration problem. HIBP offers API access and business plans, and it’s genuinely useful for security awareness programs and NIST compliance checks. But it’s architected as a lookup service, not an inline fraud prevention platform. myNetWatchman’s Credential Screening integrates directly into your credential lifecycle — signup, reset, login — fires an API call in milliseconds, and returns an actionable risk signal: force a password reset, trigger step-up auth, or block the attempt entirely. The difference isn’t availability, it’s purpose-fit.

Why It Matters

Where the gap is largest

Live Data vs. Breach Dumps

myNetWatchman captures 15M+ credentials per day as fraudsters actively use them. HIBP ingests breach data only after it becomes publicly available — often months or years after the damage is done.

Credential Pairs vs. Isolated Lookups

HIBP checks email OR password separately, causing false positives for credentials that are no longer at risk. myNetWatchman screens the full username + password pair — the same way an attacker would use them.

Real-Time Protection vs. Lookup Service

Credential Screening integrates into your login, signup, and reset flows and returns a risk signal in milliseconds. HIBP offers API access and business plans, but its architecture is built around consumer-style lookups — not inline fraud prevention at authentication scale.

15M+: Credentials observed daily by live surveillance
44B+: Compromised credential pairs in database
4 min: Average time from fraudster use to detection
91%: Reduction in ATO exploits for a top retailer

A top 5 streaming service reduced ATO from an average of 3,000 accounts per day to 4 accounts per day.

— myNetWatchman Customer

Ready to see real-time intelligence in action?

Request a 30-minute demo and we'll show you live data on your domain.