If leaks contain usernames and passwords, wouldn't it be important to be able to find out if one of your usernames has been compromised? Or do emails always accompany the passwords?1 vote
Assuming you mean usernames that are user-chosen strings as opposed to email addresses, this functionality existed in HIBP for a while but was later deprecated. Usernames in this form are not uniquely identifiable, often don’t exist at all (email addresses are used instead) and most importantly, can’t easily be parsed out of a large dump with a regex like email addresses can be. So in summary, low value and high effort.
Fix your SMTP server: the SMTP server you are using to verify domains does not have a reverse lookup address, so emails are either rejected or marked as spam by any server that is well configured.4 votes
I’m closing this out following a discussion with the last commenter. This was due to the recipient mail server bouncing emails. For anyone else that stumbles across this, if you reject email from HIBP then you can’t get email from HIBP! The outbound address is email@example.com
What potential is there to provide data on SSN that have been exposed in a breach? This seems much more borderline dangerous, but curious about of you've given any thought and the problems / possibilities you see.1 vote
American social security numbers are considered sensitive personally identifiable information and I don’t intend to store them in HIBP.
a few days after I tested several of my passwords, I started receiving emails from different websites, that someone was trying to log into my accounts. and these are accounts that I haven't used for several years...
your pawny website is a a phishing scam and people should never ever use it!!!3 votes
I get email threats saying the email and password is compromised. They even list the password. But this email is not showing up in your list.3 votes
I can only add data I have access to. If you have a breach not already in HIBP, I can add that.
I want to use my own Password-Creation (II) without your service 'Free for 30 days'.
Deutsch: Ich möchte mein eigenes Passwort kreieren, generieren ohne ihr System ,30 Tage frei für das Passwort-System'.
TSA25Jan19, 18.38 h - Local time Germany)
This is not a feature suggestion.
I lerned only two years English 1965 til 1967
(Ich lernte nur zwei Jahre englisch von 1965 bis 1967).
Please translate 'pwned' in German - I cannot find in Google a german Word foŕ it (Bitte übersetzen Sie 'pwned' in deutsch - Bei Google finde ich keine Übersetzung für 'pwned').
Normally I use 'Startpage' instead of 'Google' (Normalerweise benutze ich 'Startpage' statt Google).
Thank You - Yours faithfully
Gerd Taddicken - Germany
TSA15Jan19, 18.34 h (UTC minus 1 hour?)
Multilingual support is definitely not on the cards, it’s a very high overhead for both initial implementation and ongoing support.
since we have the recommendation of 'never entering a password on a website, unless it's the password field of the according website', i'd suggest to build an send by mail request form.
if you enter your email, you can choose to get those first 5 chars of all pwned password hashes to the entered email.
with this, you ensure, that only the pwned email addresses get their pwnge data... (which ofc won't help if the mail account itself has already been hijacked)
this would help greatly, to check wich password may be leaked and need a change.1 vote
For now, I remain adamant that storing even a part of a password against an email address presents an unacceptable risk for all. More: https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/
Today is the first time we have ever visited hibp. Clicking on the test http link we immediately received the blocked message shown in the title.3 votes
UserVoice is for suggestions for the site that are shared publicly. Try using the contact page on troyhunt.com if you’re having a specific problem.
Everyone is very excited about this site. But honestly I am confused. I've received a message about my primary email address many times. But there's absolutely no action I can take based on that. Yes, good password hygene, yes, dont reuse passwords. But that's generic advice that I get without needing to be notified. What is the increment of information I get by receiving your email? I think that there is none. Can you help me understand your value?1 vote
UserVoice is used for ideas and feature requests. Assuming this is related to Collection #1, please see the discussion on this blog post and ask a question in the comments there if it isn’t already addressed in the post: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
I was informed that my email was on a paste AE4dYZG1.txt 6 Jan 2019 involving 3091 accounts.
The source of this breach is www.netpricedirect.co.uk.1 vote
Thank you. Closing here as it’s not a feature request.
in one of the recent blogs from you or cloudflare, it is talked that basically it would be best to deny all passwords with a count > 100 and warn on password > 20. would it be possible to create download files just for these (i think) like 10 mil records (all > 20)? that would make it easier to create a local repository database with a workable download size and working count. ... and ignoring the rare passwords which make up the largest bucket of your collection.1 vote
You can easily do this yourself by pulling down the entire data set then just extracting all records within the threshold you’ve chosen. I don’t want to publish multiple versions of the same data at different thresholds, this is a very subjective decision and it can easily be extracted from the existing data,
Would like to see some suggestions as to how to repair/improv being victims of the instances you unveil.1 vote
This can be very useful for companies to verify if their users (non-staff) are affected by any breaches and inform them to not share password for different systems. I'm residing in EU, GDPR doesn't allow us to send email to your API to check if a particular email address appear in any breach.1 vote
This would enable anyone to download everyone’s data. Hashes may be cracked which would allow for mass enumeration of emails in a breach. There is no provision in GDPR which prohibits an EU data subject from searching for their email address via the online service.
I asked to opt-out an e-mail address, but since I closed the e-mail account (it's already a year since) I find difficulty in confirming the verification e-mail. Any alternative thing I can do to try to block the e-mail address from showing in this site? Thanks!1 vote
Verification token sent An email containing a verification token has been sent off to the address you chose, just copy................
Kindly help for fix.
For your note:
1. Domain not blocked in mail server
2. haveibeenpwned domain - whitelisted
3. message header not found in mail server inbound logs1 vote
User voice is for submitting new ideas so I’m closing this one out. Make sure your mail server is allowing messages from firstname.lastname@example.org
Perhaps as a premium service, allow a caller to post an email / password combination. HIBP responds with a recommendation on whether to allow the user to use that password on caller's system. Known pwn'd combinations would always recommend "forbid", as well as perhaps forbidding any password in the top % of pwn'd passwords by frequency.
The end goal is giving system owners a way to steer users away from not only weak but also repeat & known-compromised credentials. I understand that data extraction would be a concern, thus the "premium" service suggestion.3 votes
I understand the ask, but I definitely don’t want to store credential sets in any way, it just poses too great a risk for users and myself alike.
when I enter capital letter in domain name it is not working. Please make it case sensitive1 vote
Domain searches definitely aren’t case sensitive, add specific details if you believe it’s not working with a particular name.
When hitting a 429 response, a cross-origin request does not have access to the Retry-After header.3 votes
If the 429 is raised by the origin web server, you’ll get a retry-after. If you’ve been absolutely hammering the service and Cloudflare steps in and rate limits, you won’t get a retry-after from them.
I use unique email address per subscriber, and I suddenly started receiving spam on the email I used to signup for armorgames.
They are not trustworthy. -- this is not an idea, but saw that you have listed them as unconfirmed, I can confirmed my data was leaked from their site --1 vote
It’s the combination or Armor Games and Coupon Mom together which means this breach is unverified; I can’t emphatically say which addresses are from which service.
- Don't see your idea?