General
118 results found
-
Breach and the accounts on your domains through API
When there is a breach we get an email with the number of accounts for ur domains, then I can use the API to get the breacheddomain. But then I get alle the breaches for that domain, and I want to get only a specifiek breach. So you can search on domein and breach and then get the accounts regarding this.
6 votes -
Add payment methods to allow payment by invoice / purchase order
Some businesses do not allow purchase by card
2 votes -
Add a "Get all pastes for a domain" API endpoint
Currently, HIBP offers a "Get all breached email addresses for a domain" API endpoint and a "Get all pastes for an account" endpoint, but no endpoint exists to search for all pastes for a domain.
The domain search API endpoint is incredibly efficient (especially for enterprise customers), but it does not return known pastes for each account. This can be very painful for multiple reasons (not limited to):
1.) Just because an account has NOT been seen in a third-party breach tracked by HIBP does NOT mean it hasn't been seen in a paste. This means we are seeing an…
8 votes -
Add Telegram Bot
Add a official Telegram Bot to receive updates directly from Telegram about phone numbers (actually not present) and emails that are leaked.
4 votes -
I don't know how to 'search sensitive breaches'. I am subscribed. I'm talking about the option listed underneath search results
So, 1- I got a notification from MyIDCare recently about a breach found Dec 16, 2023. Usually I get a 'pwned' notice as well, but this time I didn't. Just fyi.
2- When I searched my email pwned gave me the results, and underneath there was an option to 'subscribe to search sensitive breaches'. I am subscribed. I looked around for a search breaches option, but I don't see anything. I assume this is a different function that the main 'search my email' function on the home page. Because you don't need to be subscribed to do that. I assumed…
1 vote -
Domain Search Spam Filtering or Sorting
After running a domain search there is some instances that you have a small number of "Addresses Excluding Spam" and a very high number of "All Breached Addresses".
It would be super useful to be able to sort by Spam or Excluding Spam Addresses.
Maybe a dropdown or a tickbox to be able to filter out the spam breached addresses.6 votes -
Add an API to get the most recent breach date by account/email
On my website, I'd like to detect if the user's password has been recently breached so I can ask them to reset their password. It would be easy if there is an endpoint that given an account/email returns a single timestamp or breached date of the most recent breach if there is one.
With the current API, the only way to achieve this is to use the v3 breachedaccount API with the option truncateResponse set to false. The untruncated response body of the endpoint is quite large. On top of that, I'd have to deserialize the response to JSON then…
11 votes -
Developer mailinglist to notify of API changes
As a developer & maintainer of a HIBP package / library, keeping it up to date currently requires constantly checking the API documentation in its entirety to discover any changes. This isn't always obvious and inefficient.
I would like to see either a mailing list that developers can subscribe to, or some other kind of notification (at minimal, at least a public changelog that can be read, but preferably something that would alert to the fact that changes have been made) that can be easily parsed to determine:
- If there have been any changes to the API
- What those changes…
4 votes -
Support for more verification options on unicode domains
I own an emoji unicode domain, https://⚪🐯.ws. While I can start the verification process, I'm not able to complete verification via email as every email is considered disallowed. DNS TXT verification results in "Catastrophic failure!" (500), as does meta tag validation. File upload results in "No response from domain".
Interestingly, converting it to Punycode (https://xn--f8h8099n.ws) also doesn't work.
Edit: Apologies, the TXT record method works when the domain is converted to unicode. I don't believe anything else does though!
1 vote -
Add simple breakdown to search results (passwords and hashes or not, etc)
For the initial "Have I Been Pwned" lookup, a summary of the types of results would help users better understand the associated risk.
So this:
"Oh no, pwned in 20 breaches"
... could be expanded to something like:
"Oh no, pwned in 20 breaches:
7/20 leaks included password or password hashes
13/20 do NOT have passwords - just contact and similar metadata"
... etc
This could be styled nicely however it makes sense - in a table, pie chart, etc. And it could be expanded later to include whatever level of detail makes sense - maybe strong/slow hashes vs weak/fast…
16 votes -
excel sheet with all sites breaches with headers
Breach, Compromised Data, Date of Compromise etc., this was already contained in the site https://haveibeenpwned.com/PwnedWebsites
I'm just requesting you to provide the same in excel format.11 votes -
Opt-in again after opting-out
I know that these suggestions have appeared many, many, many times.
While it is currently possible to change your mind to another of the three points after you opt-out, it would be more useful and right to add the option to opt-in back. At least for new breaches.
One of the reasons is that 1Password Watchtower simply stops working for email searches.
12 votes -
Change the DNS validation for domain search a bit
Right now, I've added a verification TXT record to my zone apex (root). This clutters a bit, as every other site also has their records there. I want to know if I can remove the record, but I couldn't find this in any docs.
If possible, move the record to a subdomain to avoid cluttering the zone apex. This could be a random subdomain to avoid any cases where a malicious user might control the delegation of a subdomain. Maybe the subdomain is the validation (like
d234fghde34.mydomain.comwith a TXT record saying "yes")Alternatively, allow me to remove the record…
3 votes -
Alert when a new version of the file is uploaded
I would like to receive an alert when a new version of the file is uploaded
2 votes -
Add metadata to describe how password is stored
People should have awareness about proper security of websites
Original title: List websites that do not hash passwords, but rather encrypt or store plain text such as einforma.com edpnet.be
1 vote -
correct PW info ?
I checked my new long & unique 13 character PW.. got the response of Not Pwned... but also: 'Oh NO this PW has been seen before in a breach'... so which is it?
I made up 2 more long & unique PWs to test this and still got the same results. How can a previously non-existent just-made-up PW show in a breach !
I truly appreciate the work your site does, but how can a PW be both safe and compromised at the same time !1 vote -
Stop address reuse. Set up a btcpayserver for bitcoin donations instead
I love your site. But for someone giving advice to not reuse passwords, its ironical that you have a static bitcoin address for donations. (FYI: I already donated, and I'll gladly do it again. This is just a tip)
"Address reuse" in bitcoin is problematic as it ties together funds in a way that reduces privacy and security for all involved parties.
Rather, each transaction should always be made to its own address. All modern wallets support this concept. Check out https://btcpayserver.org/ for a free, self-hosted, open source payment processor that is aligned with Bitcoin's (and your own) values of…
1 vote -
Sort breaches by date
This is mostly useful for those of us who like to check for new leaks involving our email addresses every few months. Currently one has to read through the whole list of results since they're in a seemingly arbitrary order, including those one has already changed the relevant passwords for.
38 votes -
Make a section on what to do if you have been pawned.
So, Iv'e been pawned? What's next? What do I need to do? How can I fix this issue or protect myself from this happening again? You talk about being pawned but I don't see anything in simple English on the next steps besides using your password generator which I have been using for years but still got pawned.
23 votes -
Add an Ethereum / Bitcoin SV / credit card / other for donations
Add an Ethereum address for donations and convert all existing Bitcoin donations to renBTC (there's more Bitcoin in the Ethereum network than on the lightning network) via bridge.renproject.io and exchange renBTC for Ethereum via 1inch.eth.link (1inch exchange).
13 votes
- Don't see your idea?