I presume they keep a table mapping email addresses to breaches and that's it.

cyberlab · on April 5, 2021

Yes but how is it legal to have multiple corpuses sitting on a gigantic server? Surely governments or even a LEA would want to regulate that? Having all that PII is like hoarding a bunch of radioactive waste.

wan23 · on April 5, 2021

They don't need to keep the data around longer than it takes to extract the affected email addresses, and that doesn't need to be done on a server at all.