I'm getting an "Oh no catastrophic failure" message repeatedly for one password in particular - I'd like to understand what that means.
I'd like to understand what the "Oh no catastrophic failure" message actually means.1 vote
Insufficient information to reproduce
There was no Twitter breach, they inadvertently logged passwords to an internal system and there’s no evidence they were ever obtained by an unauthorised party.
Possibility of getting count of total emails addresses leaked for specific IP is very useful due to problems of exporting the data for domain search when there real many emails. In my case happened that after export if showed only "Pastes" database and no other leaks. I have checked some email addresses from exported CSV list and through online database, results were not the same.
And if total count for domain will be available, it will be much easier to compare results and see the differences, also such information can be useful for online threat intelligence platforms.3 votes
A count alone won’t do much good, people want to know who was impacted in the breach. Plus, you already get a count at the top of the search page or can look at the rows in the CSV.
Separately to this, if the results you’re seeing aren’t accurate, just check it’s not due to public searches not showing sensitive breaches.
In the past I have recreated the Maltego Graph of all breached sites/names and domains and when I have pushed this to GitHub another breach has been loaded on the same day by a tweet from https://twitter.com/haveibeenpwned
Can you publish a counter estimating when the next series of breaches will be made available?
I understand that breaches may be loaded concurrently and/or urgently, etc. Neither am I asking for you to publish the name of the website that you are confirming has been breached, etc3 votes
There’s nowhere near enough predictability to do this, just monitor the breaches API and you’ll know as soon as a new one is there.
This is already supported here: -https://haveibeenpwned.com/OptOut
Can you describe what the intended use of the LogoType field in the Breach object is? I can't find anything in the API docs that describes the field. I know what SVG and JPG are, but to what do they refer? Do you have (or plan to have) an API that will return a logo for the name of a breach? I can see from the source of your web pages that you have that data in the content folder1 vote
This is intentionally undocumented and will be replaced by a formally documented alternative in the future.
Can you add an enhancement to https://haveibeenpwned.com/Passwords which is https://haveibeenpwned.com/Passwords/[Password/SHA-1] similar to the "account" URI such as https://firstname.lastname@example.org please?3 votes
All endpoints that allow searching by individual email address or complete hash are slated for deprecation, use the range search instead.
I used to lookup password hashes by a binary search in the sorted password list (iterating over the initial database and the 2 updates).
With the new database 2.0 this is no longer possible (unless I sort the downloaded hashes).
Please bring back the sorted hashes.
I do not care for the counts that have been added - perhaps another file with sorted hashes and without counts (to somewhat reduce the file size) could be offered for download?1 vote
I’m trying to avoid having multiple versions of the same thing, I suggest that if a different order is important you just do a one-off reordering of the file.
explain in the FAQ why a mail address (mine!) appears as hacked in your tool, but the associated password is not listed as hacked?
Does it mean that the e-mail adress was hacked, but that the associated password was not decrypted? If not, why the password is not found in your database? Thanks.1 vote
HIBP does not store passwords.
I've changed my password but my mail remain in the list. When my account will be "pwned" again, I will not know about it.1 vote
HIBP is a reflection of which emails were breached in which systems and is not designed to track what changes are made to an account post-breach.
I don't know if this is already available, but I feel it will be a better idea.1 vote
It provides next to no security (I already have billions of addresses I could use to crack it) and it would require an entire copy of the system hence doubling up on all the storage costs.
i know this might be outside the scope of this site
But i have in the past discovered that sites do not delete me when i ask for it
It could be nice to have some sort of crawler that could search the internet for your username or even name and report back on which sites they are found
this could maybe be a seperate site3 votes
Yep, definitely outside the scope of what HIBP does.
Due to the breadth of different languages out there and the simplicity of create a SHA1 hash and sending it in a web request, I don’t want to get into language specific guidance. If you’re having trouble, try creating the hash here and comparing it with the one you’re creating: http://www.sha1-online.com/
I suspect it’s your encoding, you’ll get a speedy answer on Stack Overflow if you’re still having trouble.
All ok but please reply to our problems sent to you via mail and twitter.......it is a great issue for most of us1 vote
This UserVoice is for suggesting new ideas. If you have an idea you’ve been trying to get in touch with me about and haven’t been able to reach me, please detail it as a new item here. Do read the other ideas here too as well as the HIBP tag on my blog in case it’s already covered there: https://www.troyhunt.com/tag/have-i-been-pwned-3f/
Cloudflare antibot on your api doesn't make any sense, i have a python discord bot with your api implemented and because of cloudflare i cant use the api anymore and i have quite a few users who use the function.1 vote
Tell the simple steps to get out of these problems who does not know the technology, how to get out of pwning his/her email or some other account. Dr N C Ghatak.3 votes
the listed date - "(1 Jan '01)" is, shall we say, an out-of-bounds error. Site didn't exist that long ago!1 vote
If the data is no longer there, I can’t tell you anything more about it as I don’t save pastes.
The files version 1, update 1 and update 2 contains 320,3355,236 SHA1 values but only 320,294,464 are unique the difference are 40,772 values1 vote
Please use UserVoice for feature requests.
Provide Solutions on "How To" reverse the process of compromised email address and passwords.1 vote
You cannot reverse an email address and password having been exposed, it is an immutable historic event.
- Don't see your idea?