General

  1. Prevent the pwned passwords page from mirroring hashes to Azure App Insights

    Currently when I submit a password to HIBP it sends two requests. One to https://api.pwnedpasswords.com/range/<hash> and another to https://dc.services.visualstudio.com/v2/track with a copy of the hash:
    [
    {
    "data": {
    "baseData": {
    "data": "GET https://api.pwnedpasswords.com/range/<hash>",
    "duration": "00:00:00.100",
    "id": "|<id>.<id>",
    "name": "GET /range/<hash>",
    "resultCode": "200",
    "success": true,
    "target": "api.pwnedpasswords.com",
    "type": "Ajax",
    "ver": 2
    },
    "baseType": "RemoteDependencyData"
    },
    "iKey": "<id>",
    "name": "Microsoft.ApplicationInsights.<id>.RemoteDependency",
    "tags": {
    "ai.device.id": "browser",
    "ai.device.type": "Browser",
    "ai.internal.sdkVersion": "javascript:1.0.21",
    "ai.operation.id": "HdzCf",
    "ai.operation.name": "/Passwords",
    "ai.session.id": "<id>",
    "ai.user.id": "<id>"
    },
    "time": "2021-06-10T04:27:35.000Z"
    }
    ]

    Is it really necessary to send hashes to this many parties?

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  2. Show me an example of the response that is received when a phone number is sent to the breachedaccounts api endpoint

    I am working on an application - I am unable to find a number that was in a breach. Can you please provide me an example response when a phone number is queried to the breachedaccounts api. I just need to look at the structure and the keys

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  3. "Leak date" column in spreadsheet

    It would be better if the spreadsheet with the leak records had a "leak date" column.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  4. List registered email addresses for domain notification

    Can we please have an notification sent to advise which email addresses have been subscribed to domain notifications over time and an option to remove email addresses from domain notifications.

    5 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  5. 7 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  6. Notify Me does not accept phone number

    Notify me has validation for email and does not accept phone number.

    Ability to order notify by phone number also.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  7. show an example of the phone number layout for Facebook data search

    Like does it include dashes? spaces?
    example: +1 954-123-4567 or +19541234567?

    5 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  8. Split up breach listing page

    This page:
    https://haveibeenpwned.com/PwnedWebsites#Facebook
    Is surprisingly difficult to browse on mobile, because it's so very long.
    The anchor link doesn't seem to always take you to the right section, because of the page length, at least on mobile. On desktop, it works fine though.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  9. Add the ability for a domain owner to view and unsubscribe any currently setup domain subscription

    A domain subscription checker (done with similar verification to the domain verification links) would enable the domain owner to check only current employees have have access to the information, and to revoke any incorrectly or outdated subscriptions on the domain without having to have access to each destination mailbox

    From personal mistake:
    I've subscribed for domain alerts, copied the verification token and authorised before it took me back to a screen that showed I'd mis-spelt the notification email address hostname! That means someone else now is approved to see full domain level summary.

    As the notification email address is different…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  10. Full email service for companies to help CISOs

    Hello,

    I'm using Have I been Pwned to find out unsealed email accounts and passwords for our company domain and I'm very pleased about this service.

    But to make life easier I suggest the following service:
    1) I sign in at Have I Been Pwned.
    2) I type in and confirm all domains of my company
    3) I define a text to inform my users about a possible problem, that their passwords are maybe lost.
    4) I accept the actual status of unsealed account information as the base line
    5) If new breaches of user accounts will occur Have I…

    6 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  11. 1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  12. Make a section on what to do if you have been pawned.

    So, Iv'e been pawned? What's next? What do I need to do? How can I fix this issue or protect myself from this happening again? You talk about being pawned but I don't see anything in simple English on the next steps besides using your password generator which I have been using for years but still got pawned.

    12 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  13. Add an Ethereum / Bitcoin SV / credit card / other for donations

    Add an Ethereum address for donations and convert all existing Bitcoin donations to renBTC (there's more Bitcoin in the Ethereum network than on the lightning network) via bridge.renproject.io and exchange renBTC for Ethereum via 1inch.eth.link (1inch exchange).

    6 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  14. Unsubscribing partial domain email breach notification with multiple domains

    If you register an email notification for multiple domains, you are notified for all domains.
    However, if at some point you no longer wish to be notified about one of the domains, it does not seem possible to unsubscribe from one of the domains only. (If you unsubscribe from both, and then re-subscribe to just 1 of the domains, it seems like your previous multi-domain account with the same email is reactivated, and multiple domain notifications are again emailed.)

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  15. Sort breaches by date

    This is mostly useful for those of us who like to check for new leaks involving our email addresses every few months. Currently one has to read through the whole list of results since they're in a seemingly arbitrary order, including those one has already changed the relevant passwords for.

    16 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  16. Identifying Password Reuse Between Seperate Breaches

    When an account is included in multiple breaches, identify if the leaked password is reused, or similar password used in individual breaches.

    This would be interesting for individual accounts, but more useful when monitoring domains.

    If an account is included within multiple breaches, but there is low/no password reuse/similarity then we can gain a level of comfort that the leaked credentials cannot be used further.

    If however the account that is included in multiple breaches has used the same or similar password across those breaches we can prioritise taking action and changing passwords for non-breached systems.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  17. Internationalized domain name

    Domain search verifying by email : domains with umlauts get not an email without any error message. Of course, if you convert domain name from IDN into ACE string before you enter it works.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  18. Indicate which data classes were compromised for each record in a breach

    So yeah, when testing an email-address, if should be made clear in the returned results whether the full data (name, physical address, email) or only the email-adress was leaked.
    This is important because the ledger hack is more serious than many other to the security of those leaked.

    4 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  19. Google Analytics?

    I'm a European Data Privacy Officer and in my applications I don't allow any tracking cookies. Can you prove a - maybe paid - service without Google Analytics?
    Thanks
    Bernd

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  20. For each of the download files, can you make available a sample file with 100 rows?

    Instead of downloading the large file to see the file format, I would like to download a 100-row example. This would save bandwidth and allow someone to experiment with integrating the database into an app without having to download the very large example.

    2 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base