Troy Hunt Report: Data Breach Disclosure Lag Is Getting Worse, Crypto Exchanges Face Hidden Risk

Troy Hunt's data breach tracker now counts 1,000 documented incidents. But instead of improving, the disclosure lag — the time between a breach happening and the public finding out — has gotten worse. That's bad news for crypto exchanges, which rely on user trust and fast credential rotation to keep funds safe.

What the numbers say

Hunt, who runs the website Have I Been Pwned, published the findings in a post titled '1k Data Breaches Later, the Disclosure Lag Is Worse'. The trend is clear: companies are taking longer to report breaches, even as the total number of incidents grows. For the average user, that means stolen passwords sit in the dark for weeks or months before anyone knows to change them.

Why crypto should pay attention

Crypto exchanges are prime targets for credential stuffing — attackers use leaked email-password combos to log in and drain accounts. A longer disclosure lag gives hackers more time to exploit those credentials before platforms force password resets or notify users. Every hour a breach stays hidden, the window for theft widens. That's a direct threat to any exchange that still relies on email-and-password logins.

The contrarian view: a 'fear debt' building

Most coverage frames this as a transparency issue. But there's a darker angle: the worsening lag hides bad news. If known breaches are being reported late, the market is operating on incomplete information. That creates an information asymmetry — hackers and insiders can trade on impending revelations before the public catches on. When the lag eventually shortens — either voluntarily or because regulators force it — a backlog of belated disclosures could hit all at once, triggering a sharp sell-off in tokens tied to affected platforms. Think of it as a 'fear debt' that compounds with each unreported incident.

Regulatory pressure building

Right now, regulators in the EU and US are circling stablecoins and custodial services. If they perceive that crypto platforms are hiding breaches, they'll push for real-time reporting mandates. That compliance burden hits smaller exchanges hardest, potentially concentrating custody in a few compliant giants — a move that undermines crypto's whole decentralization pitch. The clock is ticking for exchanges to get ahead of disclosure transparency before the rules arrive.

No one expects a specific hack to trigger immediate panic today. But the cumulative effect of worsening disclosure — slower trust erosion, hidden credential exposure, asymmetric information — is a slow burn that could flare up without warning. The next big exchange to disclose a months-old breach will test how much the market really discounts this lag.