Skip to content

General

202 results found

  1. Add a IFrame (or other kind of embeded form) where we can easily add a search from our site that would send them to HIBP.

    I don't need to understand API's. Your site works great and does an amazing service.

    I would love a media kit/banner that we could add to our site, that we could use to direct users of our site to go to HIBP and check themselves.
    I don't want to download or use your logos without permission.
    You could add a section saying: "promote us:" and pre-prepare icons and buttons for use, if someone chooses, to link to your site.

    In addition, if you could create a form that would allow them to enter the email they want to search, just…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  2. Provide a subscription level for individual domains

    I am one of the people (I know there are others) who uses a custom domain and a catchall email address, in order to give a separate email address to every site I sign up to. So example.com is example.com@mydomain.com, example.net is example.net@mydomain.com, etc.

    Unfortunately this means that getting a report on my breached email addresses would cost $169/year, which is quite a lot for an individual user. I understand that this use case looks very similar to an organizational or institutional one, so it may be difficult to distinguish them in order to help individuals while still…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  3. Screen out fake email addresses

    Right now the service you offer shows more than 170 email addresses from my domain. All of them are fake and never existed as there are less than 10 real accounts on my domain. These fake accounts push me into the paid subscription level where if it only looked at the real accounts it’d be free. Can this be remedied? Maybe allow marking of real accounts and all others considered fake?

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    The challenge we have is that there is no viable mechanism to establish whether an account is “real” or not. So long as an address adheres to a valid set of characters and structure, there’s nothing beyond that we can do. To mitigate the risk, breaches flagged as spam lists are excluded from the count used to calculate the required subscriptio. More here: https://support.haveibeenpwned.com/hc/en-au/articles/7680371776399-Can-email-addresses-be-removed-from-a-domain-thus-reducing-the-subscription-level-required

  4. upload known breached default or standard passwords

    Many applications use your API to detect known vulnerable passwords. In this regard it would be great to have some way of uploading known default passwords, e.g. company "standard" passwords or vendor specific device passwords. This would help to prevent users from choosing old and compromised "standard" passwords.

    2 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    The intention for Pwned Passwords is to be just that **pwned** so things that have been seen in previous breaches. That almost certainly includes many default passwords, but it's not something we'd seek out and add if they haven't previously been breached.

  5. Option to email a report of all exposed passwords linked to my email address back to my email address

    Option to get a full report for exposed passwords used along with my email address that can only be mailed to the email address in question (to avoid malicious use)

    This will help me determine where my data was leaked as I tend to use unique passwords for every site and I do not reuse my email password anywhere else

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  6. Load breach data before verification/email

    Not sure if this is done already.

    I suggest the breach data is loaded on the DB as quickly as possible, independent of verification. The idea being some of your services such as checking if a password is part of a breach only need to know if a password is part of a breach. The email notification and other parts of the service would wait for verification.

    If your data structure requires a record for the breach source; if so could it have a record with a status of unverified?

    For those users protected by a password manager/site that checked…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Passwords are typically only updated when a large corpus of plain text versions appear. Most breaches have the passwords already hashed which means there's nothing we can do with them in HIBP, including loading them before verification. Where we do have passwords in plain text, they're already processed independently of the email address loading process.


    tl;dr - it already works this way 🙂

  7. Add basic email validation on the main search box on the website

    If I search for @example.com on the home page https://haveibeenpwned.com/, then it shows "Good news — no pwnage found!".

    That could give the false impression that there is no pwnage on that domain. If a user is not aware of the process for domains, then they might not realise that they need to enter a specific email like pwned@example.com in order to see the "Oh no — pwned!" on the homepage.

    I'm aware that validating emails is difficult, so I'm not suggesting something complicated that covers all possibilities, but I think it would be an improvement to show a…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    The form also accepts usernames and phone numbers, hence not validating email addresses. Because this data was only loaded for a couple of breaches, the field isn't presently displaying the prompt to search for non-email address identifiers, but it may do so again in the future.

  8. Allow a simplistic wildcard domain search on the site and the API

    The only extra function I wish the API had was a very basic wildcard search of a domain (that I don't control/administer) whereby the API would simply return how many times the domain appears in your 700+ breached platforms, and on what platforms it appeared. I have no interest in knowing which email addresses appear under a domain search, just the total number of appearances of the domain and which breached platforms. DeHashed and Leak-Lookup offer this in their free search, but their API's are janky compared to yours.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  9. 3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  10. Classify domain tiers differently

    I have a personal domain and use a unique email address whenever signing up to a website, so I can easily block it if it gets leaked and starts receiving spam (it also makes it easy to know which site the leak came from). I'm only a single user but would be treated as a moderate sized company according to the new classifications.

    I understand the desire to classify domains and charge different pricing for them. I also appreciate that my arrangement is somewhat unusual and that your approach no doubt works for the majority of cases, it just feels…

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  11. 3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  12. Domain search dashboard - Back to dashboard link

    I love the new domain search dashboard! It really makes life much easier.

    I would like to suggest a small addition. When monitoring several domains performing a search for one domain leads to the results for that particular domain but there is no link back to the dashboard. Would that be technically feasible?

    I know that I can copy the 'Verify my email' link back into the address bar to come back to the dashboard.

    Cheers,

    Thomas

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  13. TFN checks

    Problem: Australian Tax File Number (TFN) can be used to link a fake MyGov account and claim taxes on someone's behalf.

    Suggestion: Hash all leaked accessible TFN on the darknet to inform people that they should request a new one from the ATO

    Context:
    Today, I went to the accountant and I have become Sue0. My TFN and email has leaked from somewhere, the bad guys used the deets to create a fake MyGov account. Somehow attached their fake account to my taxes (ATO) and claimed random things to be under the 10k threshold. Apparently, I am now…

    4 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    There are many problems with this:


    1. There are no data breached in HIBP with Australian tax fie numbers
    2. If there were, they're extraordinarily time consuming to parse out as they adhere to a simple numeric pattern that can't simply be regex'd out like an email address
    3. Hashing would provide effectively zero protection as the entire range of tax file numbers could be pre-computed very quickly due to their small number of possible values
    4. No anonymity means storing sensitive personal data which is definitely off the cards


    And FWIW, the vast majority of data on HIBP doesn't come from "the dark web", it's being exchanged en mass via clear web forums. I appreciate this doesn't help you solve your specific problem, but unfortunately the answer doesn't lie here.

  14. Please get rid of the download tool

    Bit torrent was fine, Now I do not even know which version is the current one before downloading all the stuff. No delta download: So this will increase used bandwith on both sides (me and you)

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    The torrent wasn't fine, it was a stagnated point in time that never evolved. If you want that then just pull down the current version and never update it again. If you want to stay current and not regularly update, then use the k-anonymity API.


    And FWIW, 99.9999% of requests to the API, either directly from apps or via the downloader, are served by Cloudflare cache and have zero impact on us in terms of bandwidth.

  15. Inform users of the status of incorporating new data breaches into your dataset

    I'm thinking, at the moment, about the recent Twitter and Slack breaches, which I assume (but am uncertain) are not currently contained within your dataset for us to look at our data breach status. It'd be nice if you guys had some widget on the home screen that contained news, updates about data breaches currently in the process of being incorporated into your dataset.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    There's usually a very short timeframe between obtaining a data breach and having it live on HIBP. Further, when that timeframe is long enough to justify some sort of public communication, it's usually because I'm either verifying or disclosing and until both those things are done, I can't talk about it publicly. I understand the sentiment, but I can't see a viable gap in the breach load lifecycle where this makes sense.

  16. complete alpha list of pwned breached sites?

    alpha list of pwned breached sites & contact info.

    CONSUMERS need to know if the sites they use are in a list of breached sites and how to contact the developer, webmaster to stay on them to fix it. My password keepers show some sites as breached but not on your page of listed sites (which I presume have been fixed?) How do you handle the breached sites which haven't been hardened?

    2 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  17. Instagram 2023 massive hack

    Ok so on January 2023 there was a massive hack on Instagram where the hacked user wants to put the unknown email on the victim's profile to "recover their spam page" , and after that, the victim gets hacked.

    And also, some hacked users wanted your Bank account to recover some gift cards and instead of returning your money, the hacked one steals your money.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Please see the description on the front of the UserVoice page:


    Hi, welcome to the UserVoice for HIBP! Please keep this service focused on feature suggestions. At this time, I'm not able to service support queries. If there's a data breach you'd like added and you have access to the data, please get in touch with me privately. Posting here and asking for a breach to be added doesn't provide anything actionable and the idea will be declined and closed.

  18. Better way to cancel subscription

    For whatever reason, I am not receiving emails for the API Key subscription service. I have verified that noreply@haveibeenpwned.com is on the trusted senders list, is not on the blocked senders list, and have made sure the emails aren't going to junk. Unless Microsoft is blocking emails intentionally, I am not able to cancel my subscription to the API key which I no longer need (switching companies very shortly).

    Please provide a better/easier way to cancel API keys.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  19. GDPR

    Dear Troy,

    From the GDPR standpoint, you are in total breach and anyone that is using your service on a large scale is in breach.

    The reason is that GET instead of POST. You should NOT ask your users to submit emails by using GET but ONLY by using POST.

    Because you are using GET, ALL email addresses remain the the Cloudflare loggers and who knows what other server loggers.
    Please switch it to POST!

    Thank you for this kool service!
    Too bad that rate limiting to 1.5 seconds does not help us to deliver a service for companies based…

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    From a data protection perspective (regardless of which local regulation you choose), the issue is not GET versus POST (or any other verb), the issue is where the data passes through and if it's retained. Cloudflare logs are highly transient, as are the Azure Storage logs when the underlying data structure is queried. GET is the semantically correct verb for retrieving an entity and there are a whole bunch of reasons why it makes more sense, including being able to share a link like this: https://haveibeenpwned.com/account/test@example.com


    As for the rate limit, vote on this idea, it's coming 🙂 https://haveibeenpwned.uservoice.com/forums/275398-general/suggestions/39837802-create-different-pricing-for-different-rate-limits

  20. Please reconsider posting data of the Optus hack, their competency to notify us of what info has been shared we do not trust.

    Please reconsider posting data of the Optus hack. The competency of Optus has been lacking and we do not trust them to notify us of what info has been shared. People who have questioned the information have received different results between contacting them and the emails sent out. Additionally, Virgin mobile whos customers were Optus, their data was included in on this hack can doubly expose users.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
← Previous 1 3 4 5 10 11
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base