General
110 results found
-
Include an Industry field for every breach
The API for searching a breach should include what industry the breach is from, like Web, Government, Insurance, Financial, etc,.
1 vote -
Alert for physical address
Now Slickwraps has your address, notify the person.
(but how, how do you verify if a person owns the address? email and address in a past leak? (also could be abused))
3 votes -
Microsoft flow integration for a domain
An integration with Microsoft flows for a domain would be excellent. Something that would query the tenant for live or past emails in a domain and automatically notify the users about the breach.
1 vote -
Add SSH leaked keys
We believe the future of credentials checking goes beyond just password, and integrating SSH key checking would add lots of value to www.haveibeenwned.com.
SSH keys are also sensitive credentials that are increasingly exploited by attackers in our research findings. We are willing to share our up-to-date SSH leaked key database with www.haveibeenwned.com.97 votes -
Update Zygna.com data breach information
I've just been informed that the Zygna.com data breach included my phone number. Which, makes sense, since it is usually installed on mobile devices. You don't list phone numbers are part of the data breach.
6 votes -
Request a company to be investigated for a breach
Although this was downvoted, I suspect some companies are not reporting their breaches or they do not know about them.
My most recent was EpicGames, which Have I been Pwnd (Password page) says my password has not been pwned. But it was pwned, and was used to access my Gmail, EpicGames and other sites.
I'm not sure what can be done - I think people like me can help collaborate in a way that can lead to discovering unreported breaches and whistle blow those companies to notify their users of breaches.
Why do I have to become a hacker to…
3 votes -
Mark Wii U ISO as a sensitive breach
Wii U ISO is a site that hosts illegal downloads of pirated video games. This include Roms & ISOs for Nintendo Switch, Wii U, and 3DS. The ability to upload or download games is only available for registered users.
Because having an account could link users to illegal software piracy, I would like to propose adding it to the list of sensitive breaches.
(Arguably, emuparadise should be marked as sensitive, as they previously distributed illegal ROMs)
8 votes -
add icons for passwords and credit card numbers in report
Since breaches of passwords and credit card numbers are so much worse than any other breaches, it would be great if you added icons to the Pwned sites column in the report. That is it would say:
Adobe, Forbes🔑, Vodaphone💳, Zomato🔑
This allows people to focus on the most important issues first. Dates would help in this regard:
Adobe 2013, Forbes🔑2014, Vodafone💳2013, Zomato🔑2017
This isn't adding any information you don't already have, just making it more convenient.
(The emoji are 🔑 U+1F511 or🗝️ U+1F5DD and 💳 U+1F4B3.)
Thanks for providing this great service!
20 votes -
7 votes
-
Add % of p0wn count already in DB as new field in API
EG; https://twitter.com/haveibeenpwned/status/1180912324644888576 '87% of addresses were already in @haveibeenpwned'. In this case 87% of the 988k records were already in the DB. I can see the PwnCount, but not the % that was already in the DB, that's the attribute I'd like to be doing some querying on.
3 votes -
Increase contrast in the footer
In the footer, there is the text "A troyhunt.com project" and 3 icons underneath it. These are very hard to see, especially the text. Please increase their contrast with the background
1 vote -
Anonymous statistics about the collected data
Just to satisfy our hunger for data and curiosity about lists of all kinds of things, it would be interesting if the massive amount of data HIBP was processed to produce new data. It doesn't need to be searchable like Shodan's or GreyNoise's (while this would be amazing we don't need to think too much to understand the implied risks) and should not disclose sensitive information, but even with this limitation in the way it would be presented to the public (and keeping in mind the growing adoption of GDPR and similar regulations around the world), there are several processing…
4 votes -
Provide localised language versions
IMO, HIBP is so useful that every single person in the world should have it bookmarked and all companies should monitor their domains accounts using it. Some users in our company use their business email address to create accounts in several websites, and thanks to HIBP our IT team is warned when one of them is pwned.
We thought it would be a great idea to tell everyone about HIBP so they could verify and monitor their own personal accounts, so we did it by sending an email telling about HIBP to everyone in the company. Everyone was able to…17 votes -
Unable to generate new api key 21/08/19
Is there an issue with generating API keys right now? I'm unable to get a key receiving an error:
An error occurred while processing your request
The error has been logged and a notification sent.1 vote -
21 votes
-
Send enrollment email upon valid domain verification
I successfully enrolled in domain search, but never got a confirmation message. Now when I forget whether or not I've enrolled my domain in a year (as will surely happen), I have no way of knowing if I'm just repeating efforts.
16 votes -
Add Domain Connect to the "Verify by domain TXT record" method
This way TXT record can be added automatically at GoDaddy, 123reg, 1&1 IONOS and few others. See https://www.domainconnect.org/dns-providers/
6 votes -
allow the pwnd password query to show the sites/breaches the password was included in?
I have a relatively unusual password that I used to use widely. However, I stopped doing that years ago. It currently shows up in 6 breaches. I would love to know which sites still have it so that I can check/resurrect those accounts.
70 votes -
Have HIBP lookup security.txt mail addresses for Domain Search verification.
Security teams within larger and less mature enterprises struggle to achieve regular access to new breach info based on the current verification process.
Security.txt was implemented as a standard for disclosures, so it would make sense this would also be leveraged for validating domain searches by security teams. Also, would make accessing new affect users easier for larger international organizations where the DNS registration is non-standard or inaccessible.
11 votes -
Remove captcha from the domain page
Captcha is grotesequely unfair on people that have learning disabilities and is preventing me from properly using your service.
Find an anti-robot mechanism that doesn't penalise real people with real problems.7 votes
- Don't see your idea?