General

  1. Allow User Submissions

    Please allow users to submit pwnd passwords.

    I just had Google notify me that someone tried to log in with my password from Java Indonesia, yet this password is not in the pwnd password list.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  2. More Info Needed

    A community board for questions.
    I'd like to know how my email was caught up in a breach on a website I never went to.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  3. I dont understand what to do

    Everyone is very excited about this site. But honestly I am confused. I've received a message about my primary email address many times. But there's absolutely no action I can take based on that. Yes, good password hygene, yes, dont reuse passwords. But that's generic advice that I get without needing to be notified. What is the increment of information I get by receiving your email? I think that there is none. Can you help me understand your value?

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  4. Add searching by username

    If leaks contain usernames and passwords, wouldn't it be important to be able to find out if one of your usernames has been compromised? Or do emails always accompany the passwords?

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Assuming you mean usernames that are user-chosen strings as opposed to email addresses, this functionality existed in HIBP for a while but was later deprecated. Usernames in this form are not uniquely identifiable, often don’t exist at all (email addresses are used instead) and most importantly, can’t easily be parsed out of a large dump with a regex like email addresses can be. So in summary, low value and high effort.

  5. don't log data that has been input via the website

    a few days after I tested several of my passwords, I started receiving emails from different websites, that someone was trying to log into my accounts. and these are accounts that I haven't used for several years...

    your pawny website is a a phishing scam and people should never ever use it!!!

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  6. Update your pwned list. My email has been pwned, but you do not know.

    I get email threats saying the email and password is compromised. They even list the password. But this email is not showing up in your list.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  7. I want to use my own Password-Creation 2

    I want to use my own Password-Creation (II) without your service 'Free for 30 days'.

    Thank you
    Gerd Taddicken

    Deutsch: Ich möchte mein eigenes Passwort kreieren, generieren ohne ihr System ,30 Tage frei für das Passwort-System'.

    TSA25Jan19, 18.38 h - Local time Germany)

    +++

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  8. I want to use my own Password-Creation

    Hello!

    I lerned only two years English 1965 til 1967
    (Ich lernte nur zwei Jahre englisch von 1965 bis 1967).

    Please translate 'pwned' in German - I cannot find in Google a german Word foŕ it (Bitte übersetzen Sie 'pwned' in deutsch - Bei Google finde ich keine Übersetzung für 'pwned').

    Normally I use 'Startpage' instead of 'Google' (Normalerweise benutze ich 'Startpage' statt Google).

    Thank You - Yours faithfully
    Gerd Taddicken - Germany

    TSA15Jan19, 18.34 h (UTC minus 1 hour?)

    +++

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  9. send part of password hash per mail

    since we have the recommendation of 'never entering a password on a website, unless it's the password field of the according website', i'd suggest to build an send by mail request form.

    if you enter your email, you can choose to get those first 5 chars of all pwned password hashes to the entered email.
    with this, you ensure, that only the pwned email addresses get their pwnge data... (which ofc won't help if the mail account itself has already been hijacked)

    this would help greatly, to check wich password may be leaked and need a change.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  10. You have been blocked from accessing this resource on Have I Been Pwned

    Today is the first time we have ever visited hibp. Clicking on the test http link we immediately received the blocked message shown in the title.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  11. Question: any way to opt-out a closed e-mail account address?

    I asked to opt-out an e-mail address, but since I closed the e-mail account (it's already a year since) I find difficulty in confirming the verification e-mail. Any alternative thing I can do to try to block the e-mail address from showing in this site? Thanks!

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    declined  ·  5 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  12. located source of a paste

    I was informed that my email was on a paste AE4dYZG1.txt 6 Jan 2019 involving 3091 accounts.
    The source of this breach is www.netpricedirect.co.uk.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  13. Provide database dump for hashes of email address for offline download

    This can be very useful for companies to verify if their users (non-staff) are affected by any breaches and inform them to not share password for different systems. I'm residing in EU, GDPR doesn't allow us to send email to your API to check if a particular email address appear in any breach.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    This would enable anyone to download everyone’s data. Hashes may be cracked which would allow for mass enumeration of emails in a breach. There is no provision in GDPR which prohibits an EU data subject from searching for their email address via the online service.

  14. 1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  15. Domain Verification - Not received after several tries.

    Verification token sent An email containing a verification token has been sent off to the address you chose, just copy................

    Kindly help for fix.

    For your note:

    1. Domain not blocked in mail server
    2. haveibeenpwned domain - whitelisted
    3. message header not found in mail server inbound logs

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  16. ... make it easy to see what data are associated with a breach for a given account.

    The mere fact of a breach means very little if the associated website or other details are not findable. (I have to admit I have no idea whether the API addresses this, but I have no idea how to use it anyway.)
    HPI gives heaps of info: Affected Service Date Verified Password First and last name Date of birth Address Telephone number Credit card Bank account details Social security number IP Address
    Am I missing something?
    This should be emailable to the account holder in the same way, I would have thought.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    12 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    There’s two important comments on this:

    Firstly, HIBP describes the data classes that were exposed. If it says “email addresses and phone numbers”, for example, then your email address and phone number were almost certainly in the breach. The vast majority of the time, this is the data you gave the website.

    More importantly though – and the reason for closing this as “declined” – is that it’s just too great a risk to store this information. Often the data is extremely personal and it was also often improperly secured in the first place. For example, plain text passwords, something I would never consider storing in my system.

    So in short, the risks are too great and the benefits are minor given it’s data you’ve normally already provided yourself anyway.

  17. Add Retry-After to Access-Control-Expose-Headers

    When hitting a 429 response, a cross-origin request does not have access to the Retry-After header.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  18. API for recommending to allow/forbid a specific credential set.

    Perhaps as a premium service, allow a caller to post an email / password combination. HIBP responds with a recommendation on whether to allow the user to use that password on caller's system. Known pwn'd combinations would always recommend "forbid", as well as perhaps forbidding any password in the top % of pwn'd passwords by frequency.

    The end goal is giving system owners a way to steer users away from not only weak but also repeat & known-compromised credentials. I understand that data extraction would be a concern, thus the "premium" service suggestion.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  19. when I enter capital letter in domain name it is not working. Please make it case sensitive

    when I enter capital letter in domain name it is not working. Please make it case sensitive

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  20. Mark ArmorGames as confirmed pwned

    I use unique email address per subscriber, and I suddenly started receiving spam on the email I used to signup for armorgames.

    They are not trustworthy. -- this is not an idea, but saw that you have listed them as unconfirmed, I can confirmed my data was leaked from their site --

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base