Hello, I use GitHub only occasionally to write issues and the like. I have just heard about the partnership between GitHub and HaveIBeenPwned. HaveIBeenPwned has been known to me for a long time, and not positively.
What is GitHub doing with HaveIBeenPwned? GitHub promises that it can only see the passwords of the users in hashed form. With HaveIBeenPwned, GitHub cracks the passwords of the users. OK, not all, but all that exist in any of the lists provided by HaveIBeenPwned. 517 million records.
The problem: GitHub does not crack the passwords of users in connection with the email addresses, as they are in the lists of HaveIBeenPwned. GitHub cracks the passwords of the users independently of the email addresses.
How does it work? The hashed passwords in the HaveIBeenPwned lists are hashed using the same hash method that GitHub uses. Then the hashed passwords are compared and, if there is a hit, the unhashed password is assigned to the GitHub account. Here this is independent of the email address, and possibly with a new email address. HaveIBeenPwned thus extends its offer.
HaveIBeenPwned made the breakthrough. With HaveIBeenPwned, however, quite different things are possible / on the run.
I trust HaveIBeenPwned ZERO! (my experience and reasonable sense). And so should any reasonable internet user.