General
230 results found
-
I suggest to implement an email verification that is necessary to get to know whether the email adress one typed in has been pawned or not.
By getting the information on whether an email address has been pawned without verification whether it's mine or not it is easy for everyone to check really quickly whether the email addresses one has from people around is worth trying to hack. One doesn't have to check the list. This site is doing that for one.
4 votesThere are many reasons why this wouldn’t make sense: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
-
Investigate this: Dear Alumni & Friends, Report of a Data Security Incident I am writing to notify you of a data security incident that ha
Dear Alumni & Friends,
Report of a Data Security Incident
I am writing to notify you of a data security incident that has affected one of the University’s third party service providers, Blackbaud, which provides cloud computing software used for processing some of your personal data.
We recognise that this is unsettling news and we sincerely apologise that this has happened, but rest assured that Blackbaud have taken steps to mitigate this incident and any risks to your information. The University is following up with internal investigations and remedial actions of its own. However, we advise that you be vigilant…
1 voteThis is not a feature suggestion, it’s a breach disclosure notice related to the Blackbaud incident.
-
Have I Been Pwned API to get breached password list
The official page of “Have I Been pwned” (https://haveibeenpwned.com/Passwords) is showing anomaly behavior for checking breached password. For the same password being used, it returns different results. Sometimes it shows that the password has been breached and when I try it again with the same password, it shows the password has not been breached. I tried this with the password “Password1.”.
Also, its API (Searching by range, which I have used with my java project) does not signify that the password "P@ssw0rd123" was breached, but its website https://haveibeenpwned.com/Passwords shows that this password was breached.
Could you please make…
1 voteThis is a bug report, not a feature request, and it’s a duplicate of what you’ve already emailed me and I’ve already responded to.
-
Xploder forum breach
Hey,
when googling one of my email addresses I found three similar dumps from xploder forums. This is not showing up when I search for my email here.
How can I send you a link to the dumps, post it just here?1 voteNot a feature idea.
-
ACLU was breached thru (https://www.blackbaud.com/securityincident). The url is the report site of the ransomware data breach.
07/25/2020
ACLU was breached thru (https://www.blackbaud.com/securityincident). The url is the report site of the ransomware data breach.1 votePlease keep User Voice focused on new ideas.
-
i pressed the wrong option when opting out so i wish we were allowed to opt out, i try again but it says i cant.
i opted out using the wrong option and it still says ive been pwned so im suggesting theres an option to opt out a different way even if you already opted out. everytime i try to opt out again i get the same email telling me i cant.
1 voteThis suggestion fundamentally undermines the entire premise of opting out in the first place!
-
Confirmation e-mail before displaying pwned data
Hi Troy
Could you please implement a security feature that would require the email address owner to validate their email details before supplying the complementing pwned report.
This simple feature would make it harder for a malicious actor to identify what security breach data to search when looking for additional personal details that complement a user's email address.
Please note that the above scenario assumes that a malicious actor can acquire a copy of the data that is highlighted in pwned report.
1 voteThere are many, many very good reasons why that would be infeasible: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
-
Partial matches
I am being notified for breaches that partially match my email. Today I was notified that there was a leak (for example) "joe@live.com". When in fact notmyemail_joe@live.com was leaked.
1 votePlease keep User Voice focused on feature suggestions.
-
Define the password length that can be hacked.
IT people at work have told us 15 characters is the max. Is that true? If someone used a 21 character password, what hackers capture the entire 21 character password?
1 voteThis is not a feature suggestion
-
Has Mega been pwned? I received an email from support@mega.nz on 27 June 2020 (extract below)? I had used a strong and unique password.
YOUR MEGA ACCOUNT HAS BEEN LOCKED FOR YOUR SAFETY; WE SUSPECT THAT YOU ARE USING THE SAME PASSWORD FOR YOUR MEGA ACCOUNT AS FOR OTHER SERVICES, AND THAT AT LEAST ONE OF THESE OTHER SERVICES HAS SUFFERED A DATA BREACH.
While MEGA remains secure, many big players have suffered a data breach (e.g. yahoo.com, dropbox.com, linkedin.com, adobe.com, myspace.com, tumblr.com, last.fm, snapchat.com, ashleymadison.com - check haveibeenpwned.com/PwnedWebsites for details), exposing millions of users who have used the same password on multiple services to credential stuffers (https://en.wikipedia.org/wiki/Credential_stuffing). Your password leaked and is now being used by bad actors to log into…
1 votePlease keep User Voice focused on feature suggestions
-
1 vote
All email address numbers represented on HIBP are the number of unique addresses parsed out via regex from the data set I was provided with. If HIBP represents 263k, then that’s how many addresses were in the data.
-
able to search breached apps
if i want to install an app and i want to see if that app or website is compromised i don't want to install it.so make a searchable page for breached apps and websites
1 voteThat already exists here: https://haveibeenpwned.com/PwnedWebsites
-
How do I get a list of which website your service tells me I've had breached?
You site tells me my email address has been breached thirteen times.
How do I get a list of those websites your service tells me I've had breached?1 voteIt literally tells you this after searching – scroll down.
-
Fix your verification links
Your service is unusable because you are sending out verification links by email with tokens in them that are invalid.
1 votePlease use User Voice for suggesting new ideas.
Separately, I’m seeing verifications performed just fine at present, contact me directly with details if it’s not working for you personally: https://www.troyhunt.com/contact/
-
Wildcard support
Similar to the requests for 'wildcard support for spamgourmet' and 'searches using the "+" syntax' Fastmail (and I suspect other providers) offer the facility to send email to <anything>@<myemail>.fastmail.com - where the "normal" email address is myemail@fastmail.com
I use this extensively to register unique email addresses for each site (so if spam comes in i can see where it was leaked from) but in many cases i've no record of which sites i've used addresses on.
as such it would be very useful to check for *@<myemail>.<providerdomain.com>
to prevent abuse e.g. someone trying to register *@hotmail.com then send a verification…
1 voteThe big difference with the plus aliasing syntax is that it’s a very broadly adopted pattern that whilst not a spec (and frankly, that’s a big part of why this feature doesn’t exist), is broadly supported. I don’t want to get into a cycle where one specific mail provider (and a smaller one at that) implements something specific to them and HIBP needs to implement that pattern.
-
An ability to remove the alarm
Seen the breach, I have changed all my passwords some of them several times over. This name and password list are several years out of date. So old as to be useless. The alarms are now false.
1 voteHIBP is intended to be a record of breaches, not a personal triage service that enables individuals to track whether they’ve responded to a breach.
-
Add Unacademy data breach of 11M users in database
An education app Unacademy is reported to have data breached of 11M-22M Users. Kindly add that to database.
3 votesPlease use User Voice for feature suggestions. If you have data from a breach and you’d like it loaded, get in touch with me here: https://www.troyhunt.com/contact/
-
I sorted the 100K password text file alphabetically. There appear to be duplicates.
Remove duplicates from 100K password file
1 voteHIBP does not have a “100k password list”.
-
Feature that allows you to search for all the sites your email has been used to create a log in for
I would like to know which websites I have created a username on with my email address so that I can access them and manage the passwords for them. at this time, I can only manage the ones I REMEMBER using my email to sign up with, but I know there are probably hundreds out there that I have created login credentials for because just about every site or out there requires you to create an account in order to use it.
I want to protect those accounts BEFORE I know a breach has occurred so there are no surprises.
3 votesThis is what a password manager does! Here you go: https://haveibeenpwned.com/1Password
-
question here... are non-user data not exposed?
what I want to ask is that... when those mailicious people gain access to a database, do they just go for emails and passwords? I am sure there are other data such as creation dates, private messages, ssn, interests and more, are these exposed as well? do the mailicious people strip out these info before posting online?
why your site and other similar sites not have data classes for these other info?
1 voteUserVoice is intended for feature suggestions, not general discussion.
- Don't see your idea?