General

  1. Notify email owner privately to limit malicious intents

    I like the fact that I get to know if my email is pwned in any of the latest breaches (so opting out is not really an option), but I can see a malicious intent here as well.

    Say a hacker needs to get access to my email account, then the first thing to try is your service to know if my password exists in any of the known breaches, even though I might change it but some users won't or it may be easily guessable.

    My idea is, when the user enters their email address, send the results by…

    41 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    9 comments  ·  Flag idea as inappropriate…  ·  Admin →
  2. Include leaked password

    You very kindly just sent me an email that my email address and unsalted password were included in the 2012 LinkedIn breach.

    I can't remember which password I was using in 2012, and hence don't know which other accounts need a password change. Could you send the leaked hash (or otherwise, depending on the breach) to the effected email?

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    4 comments  ·  Flag idea as inappropriate…  ·  Admin →
  3. acknowledge option

    Hi,
    It will be nice to have an "acknowledge" option if i subscribe - so when i see list of sites/accounts i changed my password too i would be able to acknowledge and then see only new threats as red

    thanks,

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  4. Add URL for a certain paste

    Using the crowd, I have finally solved the mystery which database a certain paste represents: http://security.stackexchange.com/questions/108191/what-can-i-do-if-i-discover-that-my-password-hash-has-been-leaked-in-pastebin

    Can I/Could you add that information?

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  5. Add wpengine.com breach

    There was a breach on wpengine.com, maybe data about accounts will be available somewhere
    https://wpengine.com/support/infosec/

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  6. 3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  7. RSS feeds not working/validating

    Thunderbird refuses to open either your breaches or pastes RSS feeds, claiming failed validation. The w3c feed validator fails both: https://validator.w3.org/feed/
    Whether they are broken or not is beyond my experience :-)

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    declined  ·  1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  8. Add a captcha

    Because people often use the same user and password combination on multiple sites. If you can search here if you have an account on multiple sites, others can too. If you can slow down automatic search, abusers can be scared away

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  9. Unsubscribe button please

    This service is awesome and user will be warned if they are pwned.
    But the registration confirmation email says "...and you can unsubscribe at any time if you don't want the notifications."
    Please, make an unsubscribe button. I can't find any unsubscribe button or form on the website or in the email.
    Thanks.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  10. 1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  11. either allow use of email from domain registration, or don't claim to

    The domain registration page says "Verifying by email is the fastest way to confirm ownership of the domain. You can either verify using an email address on the domain registration record or by using one of several pre-defined addresses for the domain." However, in fact I cannot find any way to use the email address actually on my domain registration record (paleo.org), as it is not one of the four standard addresses listed.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  12. 1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  13. Question: Can a Subsequently Deleted EMail Address be accurately confirmed via HIBP, if Registered via EMail Link PRIOR TO Deletion ? Thank

    Question: Can a Subsequently Deleted EMail Address be accurately confirmed via HIBP, if the EMail Address was confirmed Registered (via EMail Link) PRIOR TO Deleting the E-Mail Address ? Thank You.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  14. Allow users to search for an email address by hash rather than sending the email to the API in cleartext.

    Under the suspicion that submitted email addresses are being harvested, a privacy conscious user could feel safer checking for the presence of their email in the database by submitting a hash of it rather than the email address itself. I, for instance, have two email addresses: one which everyone knows, and one which very few people know. I'm very curious about the latter, but there's no way I'd enter it into any web form.

    47 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Flag idea as inappropriate…  ·  Admin →

    I’m closing this out as “declined” for several reasons:

    1. Now with almost 5B records, there’s a very high chance I have the hash being searched already and if I have that, I know the plain text.
    2. It would lead to massive redundancy in the system, literally doubling the volume of data I store
    3. It would be very rarely used; the vast majority of requests come via the web app from consumers browsing to the site and yes, I could hash on the client, but then you have to trust HIBP is reliably doing that which bring me to the final point…
    4. …I would advise against sending an address to any service you don’t trust, regardless of the lengths I go to in ensuring searches aren’t recorded

    So in summary, a combination of high effort and low reward.

  15. Interpret all permutations of an email address (period seperations, +filters)

    Gmail will ignore periods in an email when it comes to rounding. So email@gmail.com and e.mail@gmail.com will both go to the same address. Someone might want to use the email because it lets them filter those messages from within Gmail.

    I tested it, and as of right now, haveibeenpwned sees them as seperate emails which may give users a false sense of security.

    Develop a way to find all permutations of an email based off of their filterless email address.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    declined  ·  2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  16. Include credit cards as another search dimension

    As well as user accounts there seem to be a lot of credit cards being leaked. It would be interesting to add credit card numbers to the other search dimensions (username and email address).

    There are some security implications around uploading your credit card to hibp but hibp would not need to store it at all. One you had it hash it and also store the found numbers as a hash. It would then slide right into the existing partition/row key schema.

    If such a system could be implemented I would even consider it a service worth paying for. Perhaps…

    71 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    8 comments  ·  Flag idea as inappropriate…  ·  Admin →
1 2 5 6 7 9 Next →
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base