As someone who subscribes to HIBP, thanks for running this kind of verification instead of just trying logins. I found the "profile" of the email/TLDs/passwords very interesting; I wonder if some correlation algorithm could be built to statistically determine if a certain sample is indeed representative/coherent with the expected distribution of passwords/emails.
The main issue isn't that Gmail or whatnot has been breached. It's that lots of users tend to reuse passwords. So... once they know you signed up using foo@gmail.com to service Alpha (and they have that password)... then they start trying all of the common services to see where else foo@gmail.com might have used that password or a slight variant (Dropbox, etc.).
Troy Hunt is well known in InfoSec circles. step-2) people come to you. I guess in a nutshell this started it for him but now he receives lots of new media attention because of what he did with https://haveibeenpwned.com/ ...
Other than that you could get them on the darknet. That said, any respected security researcher usually would never pay for stolen booty. (Paradoxically, the definition of respect here seems currently disputed, because sadly, we're living in an era where governments use tax revenues to buy exploits either directly or via proxy over the darkweb to infect and spy on their citizens' systems.)
That was an awesome insight, thanks. I guess that fakers in the future will leave out Mailinator addresses... But that still leaves plenty of room for the other methods.