
1,000 Breaches In, and Companies Are Taking Longer Than Ever to Tell You

Troy Hunt's Have I Been Pwned milestone exposes a darkening pattern: breach victims — and the developers who depend on breached services — are flying blind for weeks while data circulates freely on hacking forums.

DevClubHouse Curation
Jun 8, 2026 · 4 min read

Have I Been Pwned just ingested its 1,000th data breach. Troy Hunt marked the milestone not with celebration, but with a pointed question: after 12.5 years and the passage of GDPR, CCPA, and a parade of other privacy regulations, why is the service still so necessary? His answer is uncomfortable: disclosure timelines are getting longer, not shorter, and the downstream consequences for anyone who builds on third-party services are quietly getting worse.

The Numbers Behind the Pattern

Hunt is upfront that the evidence is anecdotal — he says there are no hard aggregate statistics to cite — but the case studies are hard to argue with.

In April 2026, ShinyHunters ran a classic "pay or leak" extortion against Carnival Corporation. On April 24th, 8.7 million records (7.5 million unique email addresses plus loyalty program data) were published to the group's clear-web site, reposted to hacking forums, and spread across Telegram channels. HIBP loaded the data the same day. Carnival acknowledged the breach on May 27th, 43 days after the date on which, by the company's own press release, it learned of the incident. During that window, customers who asked Carnival directly were still being told there was no breach.

A few days after the Carnival leak came Zara, again from ShinyHunters: 197k unique email addresses plus customer support records, with a disclosure lag of 45 days. Both datasets were already loaded into HIBP and circulating in the wild long before any official notification reached affected users.

Why Orgs Are Waiting — and It's Not What They Say

The official justification for delay is usually some variant of "we needed to complete a thorough analysis of impacted data." Hunt doesn't buy it, at least not as a complete explanation. Extracting email addresses and sending an early heads-up is operationally trivial; he's done it a thousand times. The full forensic picture — precise data fields exposed, jurisdiction of each user, everything buried in terabytes of exfiltrated files — takes time, but that complexity doesn't preclude an early partial notification.

His working theory points at class-action litigation. A quick search for any high-profile breach now surfaces law firm advertisements before it surfaces technical details. Hunt has been raising this concern for years and says it's worse than he's ever seen. The ZenBusiness breach response, surfaced by security professional Roby Joyce after he learned of his own exposure via HIBP, spells out the posture explicitly:

"If we determine that an incident resulted in the exposure of your protected PII, we will provide notice as legally required."

Joyce's read — and Hunt's — is blunt: "That is not a customer-protection posture. That is a litigation posture." Disclosure timing is being optimised for shareholder liability management, not user safety.

Hunt also raises the possibility that for some breaches, disclosure lag may be effectively infinite — organisations that simply never notify unless legally compelled to do so in a jurisdiction with teeth.

What This Means If You're Building on Third-Party Services

For developers this isn't just a privacy-regulation story. Consider the practical blast radius:

  • API credentials and OAuth tokens stored by a breached SaaS provider are compromised the moment attackers exfiltrate data — not the moment the vendor issues a notice. A 45-day gap is 45 days of unrotated keys.
  • Dependency supply chains increasingly route through identity providers, package registries, and CI/CD platforms that hold credentials on your behalf. If one of those services is quietly breached and slow to disclose, your threat model has a hole you can't see.
  • Incident response playbooks that rely on vendor notification as the trigger for credential rotation are structurally broken. HIBP, threat-intel feeds, and dark-web monitoring now routinely surface breach data weeks before formal disclosures arrive.
  • Third-party risk assessments need to account for disclosure lag as a variable, not assume timely notification.

The practical countermeasure isn't elegant: don't wait for vendors to tell you. Short credential TTLs, automated rotation, and active monitoring of breach-intel sources (HIBP exposes its breach catalogue through an API) give you a fighting chance when the official notice is six weeks behind reality. Regulations haven't closed the gap. Process discipline is the only hedge you actually control.
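What that process discipline looks like in code, as an added example that is not part of the original article and not HIBP's own code: a rotation check that treats a vendor appearing in breach intel (or a credential outliving its TTL) as the trigger, and treats the vendor's formal notice as nothing more than a number to report. The breach records below are constructed in the shape of the HIBP v3 breach model (the public field names Name, Domain, BreachDate, AddedDate, DataClasses); the vendors, dates, counts and the credential inventory are made up, and the live endpoint is named only in a comment so the script runs offline.

```python
"""Breach-triggered credential rotation check (added example, not the article's code)."""
import json
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

# Constructed sample in the shape of the HIBP v3 breach model. Field names are the
# public ones; every vendor, date and count here is invented for this example.
# In production this text would come from the public breaches endpoint
# (https://haveibeenpwned.com/api/v3/breaches), which is deliberately not called here.
SAMPLE_BREACHES_JSON = """[
  {"Name": "ExampleCruise", "Domain": "cruise.example",
   "BreachDate": "2026-04-14", "AddedDate": "2026-04-24T18:02:11Z",
   "DataClasses": ["Email addresses", "Names", "Loyalty program data"]},
  {"Name": "ExampleRetail", "Domain": "retail.example",
   "BreachDate": "2026-04-20", "AddedDate": "2026-04-28T09:15:00Z",
   "DataClasses": ["Email addresses", "Customer support records"]},
  {"Name": "OldUnrelated", "Domain": "other.example",
   "BreachDate": "2025-01-01", "AddedDate": "2025-01-05T00:00:00Z",
   "DataClasses": ["Email addresses"]}
]"""


@dataclass
class Credential:
    """A secret a third party stores on our behalf (hypothetical inventory entry)."""
    name: str
    vendor_domain: str
    issued_at: datetime                  # when the secret was minted
    ttl_days: int                        # our own rotation policy, independent of vendors
    vendor_notice: Optional[str] = None  # ISO date of the vendor's formal notice, if any


def load_breaches(text: str) -> list[dict]:
    """Parse a breaches response into records with real date objects."""
    out = []
    for b in json.loads(text):
        out.append({
            "name": b["Name"],
            "domain": b["Domain"].lower(),
            "breach_date": date.fromisoformat(b["BreachDate"]),
            "added": datetime.fromisoformat(b["AddedDate"].replace("Z", "+00:00")),
        })
    return out


def breaches_for(breaches: list[dict], domain: str) -> list[dict]:
    """Breaches whose domain matches the vendor that holds our secret."""
    return [b for b in breaches if b["domain"] == domain.lower()]


def disclosure_lag_days(breach: dict, vendor_notice: Optional[str]) -> Optional[int]:
    """Days from the data going public (AddedDate) to the vendor's formal notice.
    None means the vendor has not notified at all (lag effectively infinite)."""
    if vendor_notice is None:
        return None
    return (date.fromisoformat(vendor_notice) - breach["added"].date()).days


def rotation_decisions(inventory: list[Credential], breaches: list[dict], now: datetime):
    """Return (name, 'rotate' or 'ok', reasons) per credential. Rotation is
    triggered by our TTL or by breach intel, never by waiting for a notice."""
    decisions = []
    for cred in inventory:
        reasons = []
        age = now - cred.issued_at
        if age > timedelta(days=cred.ttl_days):
            reasons.append(f"ttl exceeded ({age.days}d > {cred.ttl_days}d)")
        for b in breaches_for(breaches, cred.vendor_domain):
            # A secret minted on or before the breach date was in the vendor's store
            # when the data left. Secrets minted afterwards are treated as clean here;
            # a stricter policy would rotate everything held by that vendor.
            if cred.issued_at.date() <= b["breach_date"]:
                lag = disclosure_lag_days(b, cred.vendor_notice)
                lag_txt = ("no vendor notice yet" if lag is None
                           else f"vendor notice {lag}d after data went public")
                reasons.append(f"breach {b['name']} on {b['breach_date']}: {lag_txt}")
        decisions.append((cred.name, "rotate" if reasons else "ok", reasons))
    return decisions


NOW = datetime(2026, 6, 15, tzinfo=timezone.utc)  # constructed "today"
INVENTORY = [  # constructed inventory; vendors and dates are invented
    Credential("cruise-api-key", "cruise.example", datetime(2026, 3, 1, tzinfo=timezone.utc), 180),
    Credential("retail-support-token", "retail.example", datetime(2026, 2, 1, tzinfo=timezone.utc), 180, "2026-06-12"),
    Credential("retail-oauth-refresh", "retail.example", datetime(2026, 5, 5, tzinfo=timezone.utc), 90),
    Credential("ci-deploy-token", "ci.example", datetime(2026, 1, 1, tzinfo=timezone.utc), 90),
    Credential("other-webhook", "other.example", datetime(2026, 4, 1, tzinfo=timezone.utc), 180),
]

if __name__ == "__main__":
    for name, action, reasons in rotation_decisions(INVENTORY, load_breaches(SAMPLE_BREACHES_JSON), NOW):
        print(f"{name:22} {action:6} {'; '.join(reasons)}")
```

Run as-is, the script rotates the cruise key (vendor breached, no notice at all), the retail support token (vendor breached, notice 45 days after the data went public) and the CI token (past its TTL), and leaves alone the refresh token minted after the retail breach and the webhook at a vendor whose only breach predates the secret. Whether that post-breach refresh token should be rotated anyway is the policy question: the comment in the loop marks the lenient choice, and the stricter one is a one-line change.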
