General
229 results found
-
GDPR complience
In order to be GDPR compliant when using the service, we need assurance that the e-mail address we provide is not to be stored or passed over to a third party (and some other requirements). Can you sign a document that states that, so we have someting to show during audits?
3 votesThis is already addressed in the FAQ here: https://haveibeenpwned.com/FAQs#Logging
-
Fix the opt-out.
I was able to opt out public searches on 1 of 2 accounts. The second one I went through the steps and it now tells me I have opted out, however I am still able to look up the second email.
1 voteUserVoice is for suggesting new idea, not submitting bugs so I’m “declining” this one.
Feel free to get in touch personally and give me the email address you’re having problems with: https://www.troyhunt.com/contact/
-
How to opt-in again after opting-out? Please read :)
I have opt-out by removing my email addr from public search.
I thought by using an API key to search for my own email, I am able to retrieve my own breaches, but it was a 404.
How do I opt-in again or at least allow email address owners to search for their own breaches?
I think the language is not very clear on the opt-out page, thus leading to me buying the API key for nothing. I wasted $3.50
It says "You can still search your own address using the notification service that ensures you control the address before…
1 voteUserVoice is for suggesting new ideas so I’m marking this as “declined”.
Your address will only still be searchable by yourself if you choose the first option that simply removes it from public visibility. If you choose either the 2nd or 3rd option, the data is permanently deleted and no longer searchable by any means.
-
1 vote
Without information as to what benefit that would provide, I’m closing this off as “declined”.
-
Site pwned notefull.com
https://pastebin.com/JhbQGea2
a bunch of passwords3 votesAdded to HIBP as a paste, closing this as “declined” as User Voice is typically meant to be for new ideas
-
Add SSH leaked keys
We believe the future of credentials checking goes beyond just password, and integrating SSH key checking would add lots of value to www.haveibeenwned.com.
SSH keys are also sensitive credentials that are increasingly exploited by attackers in our research findings. We are willing to share our up-to-date SSH leaked key database with www.haveibeenwned.com.105 votesSorry for the delay in replying to this, we're clear the sole focus now is email address search and we won't be adding other data attributes such as SSH keys.
-
Help - your search showed a password was in a breach. I got an email from a scammer quoting that password. How do I find out what sites it
Give specifics to help us delete the problem
1 voteThis User Voice is only for feature suggestions.
-
search by hash to be EU GDPA laws compliant
As a security company I would like to be able to search in your database on behalf of my clients for their employees emailadresses. The current laws in EU prohibit this unless HIBP signs a DPA - contract with my company OR we do not provide you with the emaildadress but just a hash. My company would even pay money for this.
I know you already declined this a couple of times but so far nobody mentioned the aspect of law compliancy.
THX for your work3 votesThis has already been raised and declined here: https://haveibeenpwned.uservoice.com/forums/275398-general/suggestions/8234421-allow-users-to-search-for-an-email-address-by-hash
-
Domain search
I own several domains and I would like to check any email adress with that domain.
Simply verify by sending confirmation request on a random email address with that domain e.g. h1ytsh4t uhh674@larshjorth.dk3 votesThis read like a personal request for verification with a non-standard alias. HIBP already provides a mechanism for domain verification using standard administrator email addresses.
-
Humio Pawned
Received this mail:
Dear Humio user,On Monday, November 4th, we became aware that an authenticated user of cloud.humio.com could use an API call to retrieve a full list of cloud.humio.com users, including names and email addresses. No other information was exposed.
You are receiving this email because your name and email could have been exposed.
We only know of a single incident where someone unintentionally accessed this information. They immediately reported this to us (thank you!). However, we can’t definitively identify whether any other users accessed and stored this data. If you retrieved any user names or email addresses,…
3 votesPlease keep User Voice for suggested features. If you have access to a data breach you’d like to submit, get in contact with me here: https://www.troyhunt.com/contact/
-
Question: Does HIBP check user ids as well as email address?
Some websites use userids instead of email addresses. Are userids checked the same as email addresses?
1 voteNo.
-
Use certificates that specify OCSP Must-Staple
The Qualys SSL Server Test shows that haveibeenpwned.com uses certificates that do not specify OCSP Must-Staple. When you replace these certificates near their expiry date, please get certificates that specify OCSP Must-Staple. Scott Helme has a good article on why OCSP Must-Staple is important.
https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com
https://scotthelme.co.uk/ocsp-must-staple/1 voteTLS termination is done at Cloudflare and this is not a configurable attribute. It poses a minor risk hence the A+ SSL Labs rating HIBP receives.
-
Drop support for weak cipher suites
The Qualys SSL Server Test shows that haveibeenpwned.com supports weak cipher suites for TLS 1.2. Please drop support for these to make haveibeenpwned.com even more secure.
https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com1 voteTLS termination is done at Cloudflare and this is not a configurable attribute. It poses a minor risk hence the A+ SSL Labs rating HIBP receives.
-
A search for xyz@gmail.com and xyz@googlemail.com should return the same
Since user@gmail.com is the same address as user@googlemail.com the returned data should also be the same, currently you'd have to enter both addresses.
Some users might not even know about this.0 votesThis is akin to what’s already been proposed in this suggestion: https://haveibeenpwned.uservoice.com/admin/v3/suggestions/6774229/
Namely that there are multiple versions of an address that all go to the same mailbox. It’d be great if you could leave that comment over on that idea and I’ll close this one out.
-
HOSTINGER.COM HAD A DATA BREACH
I’m not lying, I got an email from them. Here is the blog post about it:
https://www.hostinger.com/blog/security-incident-what-you-need-to-know/3 votesThis UserVoice is for feature suggestions. Please contact me here if you have data to load: https://www.troyhunt.com/contact/
-
Provide the count of breached accounts on a domain
As part of the API, provide the count of breached accounts on a domain in a time window. I realise that for the domain search, users need to prove ownership of the domain before receiving the list of breached emails, which certainly makes sense. If the count of breached accounts on a domain isn't deemed too sensitive to disclose, this would be useful in third party risk monitoring applications which could then display "50 accounts with emails on your domain @domain.com have been breached in the previous 3 years" for example.
12 votesI’m declining this one simply for the reason you’ve already highlighted: it’s too sensitive. For example, you could restrict the range to the time of the Ashley Madison data breach, feed in the domain of a small company and start to draw some pretty sensitive conclusions. As it stands, domain owners can already derive this info so there’s way more risk than upside to this one.
-
Normalize all searches to lower case
I sometimes capitalize portions of my email address.
After checking the same email address twice - one time all lower case and another using some upper case - I got different results!1 voteAll email address searches are not case sensitive. If you’ve found an exception, please contact me privately with the address in question: https://www.troyhunt.com/contact/
-
api call
Hi i want to ask about API,
i try to call the API via $.ajax and send the hibp-api-key by header, i checked the hibp-api-key at RequestHeader and its correct
and i get this message in the console
readyState":0,"status":0,"statusText":"NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to loadcan you help me?
1 voteThis User Voice is for feature suggestions. If you’re trouble shooting your implementation, I suggest you try Stack Overflow.
-
Version Pwned Password API
Can you version the "Pwned Passwords" API v2 to reduce the confusion with https://haveibeenpwned.com/API/v3#APIVersion please?
Can the "Pwned Passwords" API endpoint also specify which release of https://haveibeenpwned.com/Passwords is used within its URL?
3 votesAt this stage there’s no plan to version the Pwned Passwords API an it’ll continue to run independently to the APIs for searching breaches.
See the “last-modified” response header on the API if you’re looking to identify when the data is current as of.
-
Can I have my account show up normally- like no breaches found, since I opted out accidentally
Can I have my account show up normally- like no breaches found, since I opted out accidentally ?
I am not sure where to post this but I want it like that
1 voteAt this stage there is no option to un-opt-out. Furthermore, depending on how you opted-out your data may have been permanently deleted from the online system anyway.
- Don't see your idea?