General
Domain Search Spam Filtering or Sorting
After running a domain search, there are some instances where you have a small number of "Addresses Excluding Spam" and a very high number of "All Breached Addresses".
It would be super useful to be able to sort by Spam or Excluding Spam Addresses.
Maybe a dropdown or a tickbox to be able to filter out the spam breached addresses.
6 votes -
Add an API to get the most recent breach date by account/email
On my website, I'd like to detect if the user's password has been recently breached so I can ask them to reset their password. It would be easy if there is an endpoint that given an account/email returns a single timestamp or breached date of the most recent breach if there is one.
With the current API, the only way to achieve this is to use the v3 breachedaccount API with the option truncateResponse set to false. The untruncated response body of the endpoint is quite large. On top of that, I'd have to deserialize the response to JSON then…
11 votes -
Support for more verification options on unicode domains
I own an emoji unicode domain, https://⚪🐯.ws. While I can start the verification process, I'm not able to complete verification via email as every email is considered disallowed. DNS TXT verification results in "Catastrophic failure!" (500), as does meta tag validation. File upload results in "No response from domain".
Interestingly, converting it to Punycode (https://xn--f8h8099n.ws) also doesn't work.
Edit: Apologies, the TXT record method works when the domain is converted to unicode. I don't believe anything else does though!
1 vote -
excel sheet with all sites breaches with headers
Breach, Compromised Data, Date of Compromise etc., this was already contained in the site https://haveibeenpwned.com/PwnedWebsites
I'm just requesting you to provide the same in excel format.
11 votes -
Add simple breakdown to search results (passwords and hashes or not, etc)
For the initial "Have I Been Pwned" lookup, a summary of the types of results would help users better understand the associated risk.
So this:
"Oh no, pwned in 20 breaches"
... could be expanded to something like:
"Oh no, pwned in 20 breaches:
7/20 leaks included password or password hashes
13/20 do NOT have passwords - just contact and similar metadata"
... etc
This could be styled nicely however it makes sense - in a table, pie chart, etc. And it could be expanded later to include whatever level of detail makes sense - maybe strong/slow hashes vs weak/fast…
16 votes -
Change the DNS validation for domain search a bit
Right now, I've added a verification TXT record to my zone apex (root). This clutters a bit, as every other site also has their records there. I want to know if I can remove the record, but I couldn't find this in any docs.
If possible, move the record to a subdomain to avoid cluttering the zone apex. This could be a random subdomain to avoid any cases where a malicious user might control the delegation of a subdomain. Maybe the subdomain is the validation (like d234fghde34.mydomain.com with a TXT record saying "yes")
Alternatively, allow me to remove the record…
3 votes -
Opt-in again after opting-out
I know that these suggestions have appeared many, many, many times.
While it is currently possible to change your mind to another of the three points after you opt-out, it would be more useful and right to add the option to opt-in back. At least for new breaches.
One of the reasons is that 1Password Watchtower simply stops working for email searches.
12 votes -
correct PW info ?
I checked my new long & unique 13 character PW.. got the response of Not Pwned... but also: 'Oh NO this PW has been seen before in a breach'... so which is it?
I made up 2 more long & unique PWs to test this and still got the same results. How can a previously non-existent just-made-up PW show in a breach !
I truly appreciate the work your site does, but how can a PW be both safe and compromised at the same time !
1 vote -
Add metadata to describe how password is stored
People should have awareness about proper security of websites
Original title: List websites that do not hash passwords, but rather encrypt or store plain text such as einforma.com edpnet.be
1 vote -
Alert when a new version of the file is uploaded
I would like to receive an alert when a new version of the file is uploaded
2 votes -
Stop address reuse. Set up a btcpayserver for bitcoin donations instead
I love your site. But for someone giving advice to not reuse passwords, it's ironical that you have a static bitcoin address for donations. (FYI: I already donated, and I'll gladly do it again. This is just a tip)
"Address reuse" in bitcoin is problematic as it ties together funds in a way that reduces privacy and security for all involved parties.
Rather, each transaction should always be made to its own address. All modern wallets support this concept. Check out https://btcpayserver.org/ for a free, self-hosted, open source payment processor that is aligned with Bitcoin's (and your own) values of…
1 vote -
Prevent the pwned passwords page from mirroring hashes to Azure App Insights
Currently when I submit a password to HIBP it sends two requests. One to https://api.pwnedpasswords.com/range/<hash> and another to https://dc.services.visualstudio.com/v2/track with a copy of the hash:
[
  {
    "data": {
      "baseData": {
        "data": "GET https://api.pwnedpasswords.com/range/<hash>",
        "duration": "00:00:00.100",
        "id": "|<id>.<id>",
        "name": "GET /range/<hash>",
        "resultCode": "200",
        "success": true,
        "target": "api.pwnedpasswords.com",
        "type": "Ajax",
        "ver": 2
      },
      "baseType": "RemoteDependencyData"
    },
    "iKey": "<id>",
    "name": "Microsoft.ApplicationInsights.<id>.RemoteDependency",
    "tags": {
      "ai.device.id": "browser",
      "ai.device.type": "Browser",
      "ai.internal.sdkVersion": "javascript:1.0.21",
      "ai.operation.id": "HdzCf",
      "ai.operation.name": "/Passwords",
      "ai.session.id": "<id>",
      "ai.user.id": "<id>"
    },
    "time": "2021-06-10T04:27:35.000Z"
  }
]
Is it really necessary to send hashes to this many parties?
5 votes -
Show me an example of the response that is received when a phone number is sent to the breachedaccounts api endpoint
I am working on an application - I am unable to find a number that was in a breach. Can you please provide me an example response when a phone number is queried to the breachedaccounts api. I just need to look at the structure and the keys
3 votes -
List registered email addresses for domain notification
Can we please have a notification sent to advise which email addresses have been subscribed to domain notifications over time and an option to remove email addresses from domain notifications.
11 votes -
12 votes
-
Notify Me does not accept phone number
Notify me has validation for email and does not accept phone number.
Ability to order notify by phone number also.
4 votes -
show an example of the phone number layout for Facebook data search
Like does it include dashes? spaces?
example: +1 954-123-4567 or +19541234567?
5 votes -
Split up breach listing page
This page:
https://haveibeenpwned.com/PwnedWebsites#Facebook
Is surprisingly difficult to browse on mobile, because it's so very long.
The anchor link doesn't seem to always take you to the right section, because of the page length, at least on mobile. On desktop, it works fine though.
3 votes -
Add the ability for a domain owner to view and unsubscribe any currently setup domain subscription
A domain subscription checker (done with similar verification to the domain verification links) would enable the domain owner to check only current employees have access to the information, and to revoke any incorrectly or outdated subscriptions on the domain without having to have access to each destination mailbox
From personal mistake:
I've subscribed for domain alerts, copied the verification token and authorised before it took me back to a screen that showed I'd mis-spelt the notification email address hostname! That means someone else now is approved to see full domain level summary.
As the notification email address is different…
8 votes -
Full email service for companies to help CISOs
Hello,
I'm using Have I been Pwned to find out unsealed email accounts and passwords for our company domain and I'm very pleased about this service.
But to make life easier I suggest the following service:
1) I sign in at Have I Been Pwned.
2) I type in and confirm all domains of my company
3) I define a text to inform my users about a possible problem, that their passwords are maybe lost.
4) I accept the actual status of unsealed account information as the base line
5) If new breaches of user accounts will occur Have I…
7 votes