I recently was emailed from HaveIBeenPwned.com (which I am signed up on) about the ShareThis website/tool (not signed up on).
I have no memory of signing up for that service.
When I go to recover the account (I might as well close/change password), I get this:
The two facts seem mutually exclusive:
Either I had an account and it was pwned, or I didn't have an account (and thus HIBP is in error)?
How do I find out the true situation, and what is the most secure course of action?
From the FAQ:
Why do I see my email address as breached on a service I never signed up to?
When you search for an email address, you may see that address appear against breaches of sites you don't recall ever signing up to. There are many possible reasons for this including your data having been acquired by another service, the service rebranding itself as something else or someone else signing you up. For a more comprehensive overview, see Why am I in a data breach for a site I never signed up to?
It's likely some services allow signing up without confirming an email address, or that accounts that haven't confirmed email addresses are still stored indefinitely but cannot be logged in to, or any number of similar issues.
Adding on to what AndrolGenhald said, they have deactivated all accounts associated with the breach so theres a good chance it won't show up regardless:
ShareThis has already deactivated the ShareThis accounts potentially associated with this incident, so if you created an account prior to January 2017, you may no longer be able to log in.
A bit late to this thread, but I just got an alert through my credit card about the sharethis breach. I never signed up for sharethis, but a quick search through my old emails found a couple of cases of people using the service to share an article with me. So I'm guessing that the database of email addresses of people on the receiving end of the service were also exposed.. which would explain why there was no hashed password leak associated with my address.
While other contributors have responded with some great answers, I'll focus on the last part of your question:
How do I find out the true situation, and what is the most secure course of action?
Troy Hunt, a prominent security researcher launched HIBP with a purpose in mind to aggregate all leaked databases into a web app where users can search for their compromised email addresses.
What he started has come a long way and now there are many other websites they not only offer email searching but allows anyone to download the complete leaked dataset for free.
I know the following three that where you can download the complete dump files and to get to the source of truth, instead of relying on HIBP alone that doesn't offer much info due to privacy laws and stuff:
As much as all of the theories are tangible, the biggest possibility is that the creator of the website is having a data issue, website X is meant to have ID X however has ID Y and thus is displaying data from ID Y. Why would anybody be signing up for services they won't be able to use with an email they cannot use either, they could just use random strings if it was a brute force attack.
Thus you've been been 'pwned' just not on the website it is incorrectly displaying.
I think this is the most probable cause.
