General
204 results found
-
Include credit cards as another search dimension
As well as user accounts there seem to be a lot of credit cards being leaked. It would be interesting to add credit card numbers to the other search dimensions (username and email address).
There are some security implications around uploading your credit card to hibp but hibp would not need to store it at all. One you had it hash it and also store the found numbers as a hash. It would then slide right into the existing partition/row key schema.
If such a system could be implemented I would even consider it a service worth paying for. Perhaps…
71 votesPer the last comment, this creates too many risks for both myself and others.
-
Allow users to search for an email address by hash rather than sending the email to the API in cleartext.
Under the suspicion that submitted email addresses are being harvested, a privacy conscious user could feel safer checking for the presence of their email in the database by submitting a hash of it rather than the email address itself. I, for instance, have two email addresses: one which everyone knows, and one which very few people know. I'm very curious about the latter, but there's no way I'd enter it into any web form.
47 votesI’m closing this out as “declined” for several reasons:
1. Now with almost 5B records, there’s a very high chance I have the hash being searched already and if I have that, I know the plain text.
2. It would lead to massive redundancy in the system, literally doubling the volume of data I store
3. It would be very rarely used; the vast majority of requests come via the web app from consumers browsing to the site and yes, I could hash on the client, but then you have to trust HIBP is reliably doing that which bring me to the final point…
4. …I would advise against sending an address to any service you don’t trust, regardless of the lengths I go to in ensuring searches aren’t recordedSo in summary, a combination of high effort and low reward.
-
Notify email owner privately to limit malicious intents
I like the fact that I get to know if my email is pwned in any of the latest breaches (so opting out is not really an option), but I can see a malicious intent here as well.
Say a hacker needs to get access to my email account, then the first thing to try is your service to know if my password exists in any of the known breaches, even though I might change it but some users won't or it may be easily guessable.
My idea is, when the user enters their email address, send the results by…
41 votesI left this open for quite a while as I gave it thought, but ultimately concluded it’s not a viable approach. Here’s my thoughts in full: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
-
Fix multi-domain search results
Apparently, multi-domain search result for breached email account sets are broken. Maybe only for large result sets?
I did a multi-domain search after the avectis breach notification with over 10.000 of our company and customer emails affected. However, the "Breached email accounts" tab in the excel format was empty. The HTML did not load (result set to big) and the JSON also only included "{"BreachSearchResults":null, ..."
Can you check this please?17 votesMulti-domain searches were dropped a while back, searches now need to be done on a per domain basis. But we're just about to launch an API if you'd like to automate it, vote here if you'd like to be notified when it's ready: https://haveibeenpwned.uservoice.com/forums/275398-general/suggestions/19170856-add-domain-search-capability-to-the-api-functions
-
Showing results via Mail
I think it is a matter of privacy what services (that were breached) I used. This site allows me to type in any e-mail I know and to verify whether or not the person did use a special service. It might seem that this information is not too big of a deal, still I'd consider it private. So my suggestion is that the services only sends back a link to the email that shall be checked and provides the results there.
14 votesThe reasons for the current approach are detailed in this blog post: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
-
Provide the count of breached accounts on a domain
As part of the API, provide the count of breached accounts on a domain in a time window. I realise that for the domain search, users need to prove ownership of the domain before receiving the list of breached emails, which certainly makes sense. If the count of breached accounts on a domain isn't deemed too sensitive to disclose, this would be useful in third party risk monitoring applications which could then display "50 accounts with emails on your domain @domain.com have been breached in the previous 3 years" for example.
12 votesI’m declining this one simply for the reason you’ve already highlighted: it’s too sensitive. For example, you could restrict the range to the time of the Ashley Madison data breach, feed in the domain of a small company and start to draw some pretty sensitive conclusions. As it stands, domain owners can already derive this info so there’s way more risk than upside to this one.
-
Don't use Gravitar
On a website that helps people mitigate the impact of losing private data you prevent use of avatars without signing up to an arbitrary third party with whom users may have no previous relationship and certainly no reason to trust. This feels strangely at odds with the core ethos of your website.
11 votesLooks like this is an issue with UserVoice, not HIBP.
-
There was an attack on the website https://www.yemeksepeti.com
- Name-surname, date of birth
- Telephone numbers registered with Yemeksepeti
- E-mail registered with Yemeksepeti
- Address information registered with Yemeksepeti
- Masked login passwords with SHA-256 algorithm that are not clearly visible it was stolen. You must add it to this site.
6 votesThis User Voice is for suggesting features for HIBP. If you have data from a new breach, please get in touch with me directly: https://www.troyhunt.com/contact/
-
Add doxbin.org paste
I search on doxbin.org some email accounts and then i search on haveibeenpwned.org, but it isn't find the paste.
6 votesThis is not a feature suggestion.
-
Add more phone number and email breach
Please add more email and phone number breach. I search on "keepersecurity" and "nortonlifelock email and phone number dark web monitoring" say to me that there is more breach.
6 votesNo plans to do that for the reasons mentioned here: https://www.troyhunt.com/the-facebook-phone-numbers-are-now-searchable-in-have-i-been-pwned/
-
TFN checks
Problem: Australian Tax File Number (TFN) can be used to link a fake MyGov account and claim taxes on someone's behalf.
Suggestion: Hash all leaked accessible TFN on the darknet to inform people that they should request a new one from the ATO
Context:
Today, I went to the accountant and I have become Sue0. My TFN and email has leaked from somewhere, the bad guys used the deets to create a fake MyGov account. Somehow attached their fake account to my taxes (ATO) and claimed random things to be under the 10k threshold. Apparently, I am now…4 votesThere are many problems with this:
- There are no data breached in HIBP with Australian tax fie numbers
- If there were, they're extraordinarily time consuming to parse out as they adhere to a simple numeric pattern that can't simply be regex'd out like an email address
- Hashing would provide effectively zero protection as the entire range of tax file numbers could be pre-computed very quickly due to their small number of possible values
- No anonymity means storing sensitive personal data which is definitely off the cards
And FWIW, the vast majority of data on HIBP doesn't come from "the dark web", it's being exchanged en mass via clear web forums. I appreciate this doesn't help you solve your specific problem, but unfortunately the answer doesn't lie here.
-
Fix your SMTP server records in DNS (reverse lookup not working).
Fix your SMTP server: the SMTP server you are using to verify domains does not have a reverse lookup address, so emails are either rejected or marked as spam by any server that is well configured.
4 votesI’m closing this out following a discussion with the last commenter. This was due to the recipient mail server bouncing emails. For anyone else that stumbles across this, if you reject email from HIBP then you can’t get email from HIBP! The outbound address is noreply@haveibeenpwned.com
-
I suggest to implement an email verification that is necessary to get to know whether the email adress one typed in has been pawned or not.
By getting the information on whether an email address has been pawned without verification whether it's mine or not it is easy for everyone to check really quickly whether the email addresses one has from people around is worth trying to hack. One doesn't have to check the list. This site is doing that for one.
4 votesThere are many reasons why this wouldn’t make sense: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
-
Include leaked password
You very kindly just sent me an email that my email address and unsalted password were included in the 2012 LinkedIn breach.
I can't remember which password I was using in 2012, and hence don't know which other accounts need a password change. Could you send the leaked hash (or otherwise, depending on the breach) to the effected email?
3 votesThis presents too many risks, more info here: https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/
-
Notification before loading breach onto Azure
In the past I have recreated the Maltego Graph of all breached sites/names and domains and when I have pushed this to GitHub another breach has been loaded on the same day by a tweet from https://twitter.com/haveibeenpwned
Can you publish a counter estimating when the next series of breaches will be made available?
I understand that breaches may be loaded concurrently and/or urgently, etc. Neither am I asking for you to publish the name of the website that you are confirming has been breached, etc
3 votesThere’s nowhere near enough predictability to do this, just monitor the breaches API and you’ll know as soon as a new one is there.
-
API for recommending to allow/forbid a specific credential set.
Perhaps as a premium service, allow a caller to post an email / password combination. HIBP responds with a recommendation on whether to allow the user to use that password on caller's system. Known pwn'd combinations would always recommend "forbid", as well as perhaps forbidding any password in the top % of pwn'd passwords by frequency.
The end goal is giving system owners a way to steer users away from not only weak but also repeat & known-compromised credentials. I understand that data extraction would be a concern, thus the "premium" service suggestion.
3 votesI understand the ask, but I definitely don’t want to store credential sets in any way, it just poses too great a risk for users and myself alike.
-
Provide a open sourced version of the PB scraper for users to run at home and tinker with.
Title explains it.
3 votesHIBP gets the paste feed from Dumpmon which is already open-sourced here: https://github.com/jordan-wright/dumpmon
-
Add possibility to get total count of leaked emails for specific domain through API
Possibility of getting count of total emails addresses leaked for specific IP is very useful due to problems of exporting the data for domain search when there real many emails. In my case happened that after export if showed only "Pastes" database and no other leaks. I have checked some email addresses from exported CSV list and through online database, results were not the same.
And if total count for domain will be available, it will be much easier to compare results and see the differences, also such information can be useful for online threat intelligence platforms.3 votesA count alone won’t do much good, people want to know who was impacted in the breach. Plus, you already get a count at the top of the search page or can look at the rows in the CSV.
Separately to this, if the results you’re seeing aren’t accurate, just check it’s not due to public searches not showing sensitive breaches.
-
3 votes
This is already supported here: -https://haveibeenpwned.com/OptOut
-
Add Retry-After to Access-Control-Expose-Headers
When hitting a 429 response, a cross-origin request does not have access to the Retry-After header.
3 votesIf the 429 is raised by the origin web server, you’ll get a retry-after. If you’ve been absolutely hammering the service and Cloudflare steps in and rate limits, you won’t get a retry-after from them.
- Don't see your idea?