119 results found

1. Anonymous statistics about the collected data

   Just to satisfy our hunger for data and curiosity about lists of all kinds of things, it would be interesting if the massive amount of data HIBP was processed to produce new data. It doesn't need to be searchable like Shodan's or GreyNoise's (while this would be amazing we don't need to think too much to understand the implied risks) and should not disclose sensitive information, but even with this limitation in the way it would be presented to the public (and keeping in mind the growing adoption of GDPR and similar regulations around the world), there are several processing that could be applied to extract new insights of this data, like the number of times a unique account is pwned as it ages through the years since HIBP is collecting data, for example, when an email account appears for the first time it is year one, and then several statistics could be generated using this, such as X % of the emails are pwned 1, 2, 3, 4, n times since HIBP started collecting data, X % of the emails addresses were pwned again in an average Y months or years after it's first pwn, also cross-links between where and how the accounts and related information where revealed could bring more insights about how our data is well or badly handled or protected by others (companies mostly) and so how easily it could be obtained.
   Most of us already know the problems that can come with a leaked account and password (or personal data alone when it's sensitive and allows the user identification), how worst it is if the same one is used in other places/sites, and we also know how to minimize the risk to nearly zero by simply using unique passwords and subscribing to HIBP, and given the number of online accounts we accumulate along the time and to be less paranoid with where and how we store our passwords, a growing number of us are adopting one or more password managers. But I think that this kind of data could be useful to raise awareness about the 'password' problem (and all inherent security problems that IT brings along with its wonders) and why using unique and strong passwords is so important. And why using password managers matters.
   I think the way I explained and the examples above are not as clear as I intended, so feel free to use the comments to ask questions or to tell me how to make it more clear.

   Just to satisfy our hunger for data and curiosity about lists of all kinds of things, it would be interesting if the massive amount of data HIBP was processed to produce new data. It doesn't need to be searchable like Shodan's or GreyNoise's (while this would be amazing we don't need to think too much to understand the implied risks) and should not disclose sensitive information, but even with this limitation in the way it would be presented to the public (and keeping in mind the growing adoption of GDPR and similar regulations around the world), there are several processing… more

   4 votes

   Vote Vote Vote

   Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   1 vote 2 votes 3 votes Remove votes

   You have left! (?) (thinking…)
   1 comment  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Submit Rating

2. Provide localised language versions

   IMO, HIBP is so useful that every single person in the world should have it bookmarked and all companies should monitor their domains accounts using it. Some users in our company use their business email address to create accounts in several websites, and thanks to HIBP our IT team is warned when one of them is pwned.
   We thought it would be a great idea to tell everyone about HIBP so they could verify and monitor their own personal accounts, so we did it by sending an email telling about HIBP to everyone in the company. Everyone was able to check their personal email address, but a lot of users came to us asking how they should proceed to register to be warned by HIBP when their addresses appears in a breach.
   "Notify me" is effective, even for people that don't speak English, but we noticed certain difficulty for a considerable number of people (we speak Portuguese in our country).
   I'd like to suggest the translation of the site and the alerts it sends to the users.
   HIBP offers an invaluable service to the internet, for free. I'm sure that people will help translate it to their languages for free too (l10n). I'm one of those. Count me on when (and if) you decide to make it available in other languages.

   IMO, HIBP is so useful that every single person in the world should have it bookmarked and all companies should monitor their domains accounts using it. Some users in our company use their business email address to create accounts in several websites, and thanks to HIBP our IT team is warned when one of them is pwned.
   We thought it would be a great idea to tell everyone about HIBP so they could verify and monitor their own personal accounts, so we did it by sending an email telling about HIBP to everyone in the company. Everyone was able to… more

   20 votes

   Vote Vote Vote

   Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   1 vote 2 votes 3 votes Remove votes

   You have left! (?) (thinking…)
   5 comments  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Submit Rating

3. Unable to generate new api key 21/08/19

   Is there an issue with generating API keys right now? I'm unable to get a key receiving an error:
   An error occurred while processing your request
   The error has been logged and a notification sent.

   1 vote

   Vote Vote Vote

   Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   1 vote 2 votes 3 votes Remove votes

   You have left! (?) (thinking…)
   1 comment  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Submit Rating

4. ReCAPTCHA is bad for privacy!

   https://kevv.net/you-probably-dont-need-recaptcha/
   https://www.fastcompany.com/90369697/googles-new-recaptcha-has-a-dark-side

   21 votes

   Vote Vote Vote

   Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   1 vote 2 votes 3 votes Remove votes

   You have left! (?) (thinking…)
   2 comments  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Submit Rating

5. Send enrollment email upon valid domain verification

   I successfully enrolled in domain search, but never got a confirmation message. Now when I forget whether or not I've enrolled my domain in a year (as will surely happen), I have no way of knowing if I'm just repeating efforts.

   16 votes

   Vote Vote Vote

   Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   1 vote 2 votes 3 votes Remove votes

   You have left! (?) (thinking…)
   1 comment  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Submit Rating

6. Add Domain Connect to the "Verify by domain TXT record" method

   This way TXT record can be added automatically at GoDaddy, 123reg, 1&1 IONOS and few others. See https://www.domainconnect.org/dns-providers/

   6 votes

   Vote Vote Vote

   Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   1 vote 2 votes 3 votes Remove votes

   You have left! (?) (thinking…)
   0 comments  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Submit Rating

7. allow the pwnd password query to show the sites/breaches the password was included in?

   I have a relatively unusual password that I used to use widely. However, I stopped doing that years ago. It currently shows up in 6 breaches. I would love to know which sites still have it so that I can check/resurrect those accounts.

   70 votes

   Vote Vote Vote

   Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   1 vote 2 votes 3 votes Remove votes

   You have left! (?) (thinking…)
   2 comments  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Submit Rating

8. Have HIBP lookup security.txt mail addresses for Domain Search verification.

   Security teams within larger and less mature enterprises struggle to achieve regular access to new breach info based on the current verification process.

   Security.txt was implemented as a standard for disclosures, so it would make sense this would also be leveraged for validating domain searches by security teams. Also, would make accessing new affect users easier for larger international organizations where the DNS registration is non-standard or inaccessible.

   11 votes

   Vote Vote Vote

   Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   1 vote 2 votes 3 votes Remove votes

   You have left! (?) (thinking…)
   0 comments  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Submit Rating

9. Remove captcha from the domain page

   Captcha is grotesequely unfair on people that have learning disabilities and is preventing me from properly using your service.
   Find an anti-robot mechanism that doesn't penalise real people with real problems.

   7 votes

   Vote Vote Vote

   Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   1 vote 2 votes 3 votes Remove votes

   You have left! (?) (thinking…)
   0 comments  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Submit Rating

10. Report as an email containing additional details

    if the email address matches the username, provide associated data elements that have been breached. These could be as follows..
    1. plain-text passwords, password hashes associated with the email add.
    2. other PII .. address, phone#, IP, etc.

    13 votes

    Vote Vote Vote

    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    1 vote 2 votes 3 votes Remove votes

    You have left! (?) (thinking…)
    1 comment  ·  Delete…  ·  Admin →
    How important is this to you?

    Not at all You must login first! Important You must login first! Critical You must login first!

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    Submit Rating

11. Filter breaches by "AddedDate"

    Add a date filter to the api/breachedaccount/{account} endpoint.

    In this way, we can only query breaches that were added after X date. This is helpful for notifications and reduces the amount of data we retrieve.

    10 votes

    Vote Vote Vote

    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    1 vote 2 votes 3 votes Remove votes

    You have left! (?) (thinking…)
    2 comments  ·  Delete…  ·  Admin →
    How important is this to you?

    Not at all You must login first! Important You must login first! Critical You must login first!

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    Submit Rating

12. Provide visibility of email addresses subscribed for domains

    Provide visibility and manageability of email addresses subscribed for domains to ensure only appropriate people are receiving notifications.

    27 votes

    Vote Vote Vote

    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    1 vote 2 votes 3 votes Remove votes

    You have left! (?) (thinking…)
    2 comments  ·  Delete…  ·  Admin →
    How important is this to you?

    Not at all You must login first! Important You must login first! Critical You must login first!

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    Submit Rating

13. Return usernames/email addresses with Pwned Passwords api by using a k-Anonymity model

    The chances for old email addresses to be listed in a breach is very high. After some decades of use the email address occurs in a breach with a hopefully old password and is used with new passwords currently.
    Thus, it would be great if I could test if a specific username – password combination has been listed in a breach. As far as I understand the API this isn’t possible at the moment.
    The relating email addresses could be returned after the number of breaches in the api.pwnedpasswords.com return value. This approach has the problem that foreign email addresses are send back to other people.
    Therefore, a reverse k-Anonymity model approach could be applied and only the first 5 digits of the email addresses hash should be returned. The hash part could then be compared to hashes of known email address by the client. This would allow the client to identify username – password combinations with the api.pwnedpasswords.com without ever sending passwords and usernames.
    Yours, Marcus

    The chances for old email addresses to be listed in a breach is very high. After some decades of use the email address occurs in a breach with a hopefully old password and is used with new passwords currently.
    Thus, it would be great if I could test if a specific username – password combination has been listed in a breach. As far as I understand the API this isn’t possible at the moment.
    The relating email addresses could be returned after the number of breaches in the api.pwnedpasswords.com return value. This approach has the problem that foreign email addresses… more

    5 votes

    Vote Vote Vote

    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    1 vote 2 votes 3 votes Remove votes

    You have left! (?) (thinking…)
    0 comments  ·  Delete…  ·  Admin →
    How important is this to you?

    Not at all You must login first! Important You must login first! Critical You must login first!

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    Submit Rating

14. Sort pwned sites by date

    HI Can you sort pwned sites by date rather than alphanumeric - most recent discoveries first?

    66 votes

    Vote Vote Vote

    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    1 vote 2 votes 3 votes Remove votes

    You have left! (?) (thinking…)
    1 comment  ·  Delete…  ·  Admin →
    How important is this to you?

    Not at all You must login first! Important You must login first! Critical You must login first!

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    Submit Rating

15. Make domain notification more salient

    TL;DR: Make domain-level notification (1) more obvious to find and (2) more salient in the registration form.

    Feature not advertised in top bar labels

    • "Home" promises e-mail one-time search,
    • "Notify me" promises e-mail notification, not registration
    • "Domain search" promises, well, one-time domain search.

    I suggest you add either a separate label on top bar with a separate form. Or change existing "Domain search" into "Domain search+notification" (yes, it's longer, so see other suggestion below).

    Feature not recognizable when found

    On https://haveibeenpwned.com/DomainSearch there is only one salient title "Domain search / Search for pwned accounts across an entire domain". No title about "notification".

    I suggest you, on https://haveibeenpwned.com/DomainSearch form:

    • to add between the "Domain name" entry box and the "Would you like..." another sub-title (h1, h2, whatever) reading "Notify me domain-wide" or similar.
    • to change the checkbox label to at least include the word "notification" or "notify", like "Subscribe me for domain-wide notification".

    This would make the feature easier to find, which will improve your interesting service.

    Thank you.

    TL;DR: Make domain-level notification (1) more obvious to find and (2) more salient in the registration form.

    Feature not advertised in top bar labels

    • "Home" promises e-mail one-time search,
    • "Notify me" promises e-mail notification, not registration
    • "Domain search" promises, well, one-time domain search.

    I suggest you add either a separate label on top bar with a separate form. Or change existing "Domain search" into "Domain search+notification" (yes, it's longer, so see other suggestion below).

    Feature not recognizable when found

    On https://haveibeenpwned.com/DomainSearch there is only one salient title "Domain search / Search for pwned accounts across an entire domain". No title… more

    7 votes

    Vote Vote Vote

    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    1 vote 2 votes 3 votes Remove votes

    You have left! (?) (thinking…)
    1 comment  ·  Delete…  ·  Admin →
    How important is this to you?

    Not at all You must login first! Important You must login first! Critical You must login first!

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    Submit Rating

16. The ability to report data breaches

    In many cases of small businesses, customers know about problems through internal emails much faster than large media. So there should be the possibility to report data breaches with sources. Perhaps with a form and in addition you can forward internal e-mails directly.

    22 votes

    Vote Vote Vote

    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    1 vote 2 votes 3 votes Remove votes

    You have left! (?) (thinking…)
    0 comments  ·  Delete…  ·  Admin →
    How important is this to you?

    Not at all You must login first! Important You must login first! Critical You must login first!

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    Submit Rating

17. Add additional contacting email addresses for domain search

    Add itsecuity@domain.com as one of the contacting addresses for a domain search as this is a common address these days.

    11 votes

    Vote Vote Vote

    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    1 vote 2 votes 3 votes Remove votes

    You have left! (?) (thinking…)
    4 comments  ·  Delete…  ·  Admin →
    How important is this to you?

    Not at all You must login first! Important You must login first! Critical You must login first!

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    Submit Rating

18. Add an API endpoint that returns a rate limited response

    This would allow easy testing of code to properly handle a rate limit, without having developers intentionally exceed the rate limit in order to test.

    https://api.pwnedpasswords.com/rate-limited/backoff
    would return a 429 response with a Retry-After header with a a value = backoff. The backoff parameter is optional and if omitted you would return the default backoff seconds (2).

    It is unclear whether the v2 api is rate limited. You state when describing the V2 API that it is not, but the section regarding rate limiting in the API docs does explicitly state that it doesn't apply to the V2 API. This suggestion is less useful if the rate limit does not affect the v2 API

    This would allow easy testing of code to properly handle a rate limit, without having developers intentionally exceed the rate limit in order to test.

    https://api.pwnedpasswords.com/rate-limited/backoff
    would return a 429 response with a Retry-After header with a a value = backoff. The backoff parameter is optional and if omitted you would return the default backoff seconds (2).

    It is unclear whether the v2 api is rate limited. You state when describing the V2 API that it is not, but the section regarding rate limiting in the API docs does explicitly state that it doesn't apply to the V2 API. This… more

    7 votes

    Vote Vote Vote

    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    1 vote 2 votes 3 votes Remove votes

    You have left! (?) (thinking…)
    1 comment  ·  Delete…  ·  Admin →
    How important is this to you?

    Not at all You must login first! Important You must login first! Critical You must login first!

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    Submit Rating

19. Include the affected email address in the API json structure as well.

    Ingesting in Splunk becomes easier when the unique account is included in the API json data structure. Otherwise you cannot tell these individual disclosures apart.

    1 vote

    Vote Vote Vote

    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    1 vote 2 votes 3 votes Remove votes

    You have left! (?) (thinking…)
    2 comments  ·  Delete…  ·  Admin →
    How important is this to you?

    Not at all You must login first! Important You must login first! Critical You must login first!

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    Submit Rating

20. Indicate if the same credentials have appeared in another breach

    Nice, now I know that my mail-address was included in the Exploit.In and Adobe breach. But the Exploit.In breach does not hint any clue whether we talk about the same service (=Adobe) or not. I can understand that you cannot mail me a password. After all you don't know me. I might as well be an imposter. But it would be cool if you could internally setup your database such that it outputs whether the password in an amalgamated-list-breach that did not specify a service like Exploit.In was identical to the one in another breach like the Adobe breach. That would allow me and other users to assess the damage much better and take action. So the output I would wish for should look as follows:

    Credentials associated with your email appeared N times in this list. 1 entry matched information leaked through >link< XYZ breach. 1 entry matched information leaked through >link< XYZ breach. .... and so on.

    Nice, now I know that my mail-address was included in the Exploit.In and Adobe breach. But the Exploit.In breach does not hint any clue whether we talk about the same service (=Adobe) or not. I can understand that you cannot mail me a password. After all you don't know me. I might as well be an imposter. But it would be cool if you could internally setup your database such that it outputs whether the password in an amalgamated-list-breach that did not specify a service like Exploit.In was identical to the one in another breach like the Adobe breach. That… more

    64 votes

    Vote Vote Vote

    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    1 vote 2 votes 3 votes Remove votes

    You have left! (?) (thinking…)
    2 comments  ·  Delete…  ·  Admin →
    How important is this to you?

    Not at all You must login first! Important You must login first! Critical You must login first!

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    Close

    Close

    Submit Rating