I'm sure I'm not the first one to point this out, but checking other people's emails is quite revealing. It's very much documenting in public which sorts of websites just about every person you know is visiting. Among them [1] "Baby Names", "Ashley Madison", "Adult FriendFinder", "diet.com". Want to profile your friends – there you are.
I wonder if the benefits of haveibeenpwned outweigh this.
Troy has covered this several times, but some sites, even showing in the PwnedWebsites list, are not viewable until/unless you confirm control of the email address or domain.
e: To be clear, the Ashley Madison and Adult Friend Finder (both breaches) are denoted on the list as not being publicly searchable.
I just checked myself and thankfully I've apparently only been in a few breaches, but of the ones listed, I only knowingly had accounts on LinkedIn and Dropbox. Nothing embarrassing because I'm smart enough to use burner accounts for embarrassing stuff, but I only even recognize last.fm and LuminPDF as services. I'm surprised last.fm still exists. I guess I might have signed up for it at some point and forgotten.
My phone number isn't in here anywhere, so lucky me, but it doesn't make a difference. The State of Texas finally forced me to get a Texas driver's license in order to continue being able to vote, and the State of Texas sells your address and phone number to marketers once they have it, so my number is trash now anyway. 99 out of 100 texts and calls are either politicians or people claiming to want to buy one of my houses. I basically no longer use a phone except when my dad calls.
I guess the plus side there is I'm somewhat immune from whatever location tracking can't be disabled since I don't even take my phone with me most of the time when I go anywhere, but that was an old habit from when I worked in a SCIF and couldn't bring a phone with me anyway.
I did a lot of searching through the Ashley Madison dump back when it came out. It was pretty easy to find people living in my neighborhood that had accounts. They might not have done anything (it was just billing details after all) but any of that information could have easily been used to blackmail someone. There were also a whole bunch of people using .gov or .mil email addresses. Like if you are going to cheat on your wife, don't make it that easy for someone to realize that you can be exploited for government secrets.
Now I'm wondering how this actually plays with legislation such as CCPA or GDPR, as it is quite revealing even without the more delicate sites mentioned here.
I wonder if the benefits of haveibeenpwned outweigh this.
[1] https://haveibeenpwned.com/PwnedWebsites