General

I suggest you ...

You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

There are two ways to get more votes:

  • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
  • You can remove your votes from an open idea you support.
  • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  1. Explicitly state the email address that the notification is referring to.

    If you're forwarding emails from a bunch of other addresses it can be awkward to work out which address is involved in the breach. Explicitly stating the email address in the notification would make this easier.

    1 vote
    Vote
    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      I agree to the terms of service
      Signed in as (Sign out)
      You have left! (?) (thinking…)
    • Notify email owner privately to limit malicious intents

      I like the fact that I get to know if my email is pwned in any of the latest breaches (so opting out is not really an option), but I can see a malicious intent here as well.

      Say a hacker needs to get access to my email account, then the first thing to try is your service to know if my password exists in any of the known breaches, even though I might change it but some users won't or it may be easily guessable.

      My idea is, when the user enters their email address, send the results by…

      18 votes
      Vote
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        I agree to the terms of service
        Signed in as (Sign out)
        You have left! (?) (thinking…)
      • Domain wide search results - Refined export of data

        It would be great to refine the export data for domain wide searches.

        Something i would like to do is notify the users of new breaches. If i run the report periodically, i can easily compare the results and for any differences script a personalised mailout informing my users of such exploit.

        Cheers,
        Ivan

        6 votes
        Vote
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          I agree to the terms of service
          Signed in as (Sign out)
          You have left! (?) (thinking…)
          1 comment  ·  Admin →
        • Include email address in email correspondance when registering

          I have registered several email addresses that I own and that results in a registration email and summary page for each one.

          It's not possible to see in the email body, or on the summary page, which email address they belong to. This is especially tricky with my Exchange inbox which has several email aliases.

          9 votes
          Vote
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            I agree to the terms of service
            Signed in as (Sign out)
            You have left! (?) (thinking…)
          • Domain name opt-out support

            The opt-out form is only available for email addresses.
            Please add support for full domain opt-out.

            1 vote
            Vote
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              I agree to the terms of service
              Signed in as (Sign out)
              You have left! (?) (thinking…)
            • Fix captcha puzzle for IE11 users

              Currently the buttons at the bottom of the "check all images that have XXX" popup don't work on IE11. Can't Verify, refresh, get help, etc. Makes notifications impossible if the puzzle appears.

              1 vote
              Vote
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                I agree to the terms of service
                Signed in as (Sign out)
                You have left! (?) (thinking…)
              • Add a "Suspended" account button

                I have been reported on 3 accounts that Tumblr accounts have been breached, one of them was in fact suspended for unknown reasons.

                3 votes
                Vote
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  I agree to the terms of service
                  Signed in as (Sign out)
                  You have left! (?) (thinking…)
                • CSO need terms to be able to use HIBP in their company.

                  We have integrated HIBP api in some of our security tools in our company in order to estimate the probability of one of our client getting hacked if his email appears in many breaches.

                  We beta tested it, but our legal staff pointed out that we needed terms on the website to be able to use it, as the fact you only tell that you don't collect and store email that are searched (we do trust you but legal team don't work on trust :p) is not enough.

                  we got in touch with the french "national comity for IT liberty"…

                  1 vote
                  Vote
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    I agree to the terms of service
                    Signed in as (Sign out)
                    You have left! (?) (thinking…)
                  • Whitelisting to filter out notification on addresses appearing in most notifications

                    For large companies monitoring their appearances in notifications there are public addresses (like (info|support|help|contact)@<domain> which will may mean a team receives notifications for most new breaches, but for often singular results of these 'public addresses' in breaches not of concern.

                    2 votes
                    Vote
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      I agree to the terms of service
                      Signed in as (Sign out)
                      You have left! (?) (thinking…)
                    • Search by phone number

                      It would be neat if you could test for pwned accounts searching by phone number. Some utility companies know my phone number but not my email.

                      38 votes
                      Vote
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        I agree to the terms of service
                        Signed in as (Sign out)
                        You have left! (?) (thinking…)
                        1 comment  ·  Admin →
                      • Few more detail on the breach needs to be included

                        Need few other details on the breaches that happened in the past. Its good we get the information details completely. The same is included in http://www.askmein.com/tools/have-i-been-pwned

                        3 votes
                        Vote
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          I agree to the terms of service
                          Signed in as (Sign out)
                          You have left! (?) (thinking…)
                          1 comment  ·  Admin →
                        • Allow root domain to verify subdomains

                          This idea can be broken down into two seperate ideas, I'd be happy with either.

                          1. When registering to monitor a domain that is a subdomain of another, for example subdomain.domain.com, the verifcation email should be able to be sent to postmaster@domain.com.

                          2. Allow an option to monitor a domain and all subdomains.

                          32 votes
                          Vote
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            I agree to the terms of service
                            Signed in as (Sign out)
                            You have left! (?) (thinking…)
                          • Closed EMail Accounts

                            Would it be possible to Register for HIBP EMail Notification via another designated EMail Address provided, to which the HIBP Notification could be "forwarded" ? ie.: Confirmed and Secure Registration under a designated EMail Address, for one or more 'Closed' EMail Addresses ?

                            22 votes
                            Vote
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              I agree to the terms of service
                              Signed in as (Sign out)
                              You have left! (?) (thinking…)
                              1 comment  ·  Admin →
                            • Have a page with mitigation directions for the technically challenged.

                              For those of us who are technically challenged, directions on how to mitigate any damage if found to have been breached. For example, my husband and I found that our Adobe accounts were breached, but we do not know when he signed up as he does not have a computer and only created an email when he got a smart phone about 4 years ago. He has no idea of how he got signed up for Adobe. To be honest, I do not remember signing up or into that service either, although I do have it on my computers and…

                              3 votes
                              Vote
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • facebook
                              • google
                                Password icon
                                I agree to the terms of service
                                Signed in as (Sign out)
                                You have left! (?) (thinking…)
                              • Allow users to search for an email address by hash rather than sending the email to the API in cleartext.

                                Under the suspicion that submitted email addresses are being harvested, a privacy conscious user could feel safer checking for the presence of their email in the database by submitting a hash of it rather than the email address itself. I, for instance, have two email addresses: one which everyone knows, and one which very few people know. I'm very curious about the latter, but there's no way I'd enter it into any web form.

                                21 votes
                                Vote
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • facebook
                                • google
                                  Password icon
                                  I agree to the terms of service
                                  Signed in as (Sign out)
                                  You have left! (?) (thinking…)
                                  1 comment  ·  Admin →
                                • Include credit cards as another search dimension

                                  As well as user accounts there seem to be a lot of credit cards being leaked. It would be interesting to add credit card numbers to the other search dimensions (username and email address).

                                  There are some security implications around uploading your credit card to hibp but hibp would not need to store it at all. One you had it hash it and also store the found numbers as a hash. It would then slide right into the existing partition/row key schema.

                                  If such a system could be implemented I would even consider it a service worth paying for. Perhaps…

                                  52 votes
                                  Vote
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • facebook
                                  • google
                                    Password icon
                                    I agree to the terms of service
                                    Signed in as (Sign out)
                                    You have left! (?) (thinking…)
                                  • 27 votes
                                    Vote
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • facebook
                                    • google
                                      Password icon
                                      I agree to the terms of service
                                      Signed in as (Sign out)
                                      You have left! (?) (thinking…)
                                      1 comment  ·  Admin →
                                    • Add basic correlation logic to compare newly found pastes against current breaches...

                                      Some sort of fuzzy matching & correlation with already posted breaches to see if the paste is just another re-post of the data from another known breach.

                                      One way to do this is look for emails that have the + syntax, which typically means that the user has created a somewhat unique email for a particular service, company, etc

                                      3 votes
                                      Vote
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • facebook
                                      • google
                                        Password icon
                                        I agree to the terms of service
                                        Signed in as (Sign out)
                                        You have left! (?) (thinking…)
                                      • Enabl API to be queried such that it returns only the breach name

                                        At present, searching the API returns all data about the breach including description and other meta data. For high volume API consumers, it would be preferable to return just the breach name. Meta data about the breach could then be retrieved in a single API query to the breach service. This would reduce the response size for each query by more than 90%.

                                        9 votes
                                        Vote
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • facebook
                                        • google
                                          Password icon
                                          I agree to the terms of service
                                          Signed in as (Sign out)
                                          You have left! (?) (thinking…)
                                          1 comment  ·  Admin →
                                        • Enable search and notifications for email addresses using the "+" syntax

                                          A lot of people use a syntax such as troyhunt+foo@hotmail.com where foo is a unique identifier for the site. They do this so that if they begin getting spammed, they can identify the source their email came from.

                                          At the moment, HIBP treats this is a totally unique email address so if I've search for the parent email address without the "+" syntax, it won't be found. This idea is to ensure that searches and notifications recognise the syntax and return addresses that are logically still the same account.

                                          One thing HIBP would also need to do is specify which…

                                          185 votes
                                          Vote
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                          • facebook
                                          • google
                                            Password icon
                                            I agree to the terms of service
                                            Signed in as (Sign out)
                                            You have left! (?) (thinking…)
                                          ← Previous 1
                                          • Don't see your idea?

                                          General

                                          Feedback and Knowledge Base