General
226 results found
-
Describe why a search of an e-mail address using the form and API return different results
If I search for my work e-mail address on the web page, I get no results. However, if I search for my work e-mail address with the API I get two results.
Why is this different?
I am suspecting that the lack of passwords in the breach constitutes not being pwned?1 voteSounds like you’re not using the IsVerified param correctly on the API.
-
I suggest adding a date stamp so we can see when info that's pulled up in a search was last updated.
1 voteBreach data remains largely unchanged after load. Create and modified dates are available via the API if you want more granular data: https://haveibeenpwned.com/API/v3#AllBreaches
-
Email reminders for varification
After the second or third reminder the last one does not contain the email address any more in the text. My improvement: Add the mail address as in the other reminders for a better UX.
1 voteThis is intentional to change the format slightly in the hope of not being flagged as spam.
-
Add incremental updates to the PWNd password data sets
While it wouldn't preserve order, generally, it would greatly reduce the burden on people downloading those data sets for their own use. It has the potential to drastically reduce the bandwidth costs for the system as users would likely download the bulk of the set just once and then get the updates thereafter.
1 voteThis isn’t feasible as each incremental update doesn’t just add new passwords, it updates the counts on existing ones too. Better just to use the k-anonymity API.
-
Fix Email verification
FIx your email verification process. Years back people reporting that emails are not received, IT people watching their email logs confirming nothing is received from your site. Today I am in same boat yesterday and today been trying check email logs at smart host/filter and O365 and neither has any sign of your verification email. There is an issue unfixed you need to resolve.
1 voteEmail delivery checks out just fine: https://www.mail-tester.com/test-difjlr0tj
Talk to your provider if you’re finding it blocked,.
-
Notify me of specific site breaches?
I'd imagine I'm not the first to ask about this but can't see it listed. If I have an account with a site, say the BBC site, can I sign up to be informed of confirmed data breaches even if my particular email address is not in a set of compromised data? Apologies if this already addressed - point me to it.
1 voteThis would effectively amount to a per-individual corpus of sites to be monitored which really isn’t something I want to maintain in HIBP. If you have an account with the service and you’re subscribed to notifications, you’ll be notified anyway if it appears in a breach.
-
Password List Version Diff
Any way to publish just an NTLM and SHA-1 differential file on the next release of the password list? This would greatly help when importing the list into SQL so as not to require a full re-import of any newly published password lists.
1 voteA huge portion of the entries change on each load due to the counts being revised. if downloading the corpus is burdensome, better to use the k-anonymity API.
-
Allow incremental hashes for those of us who are not permitted to use the API
Different organizations have different security postures. Your list of hashes may be transferred into secure systems in text format where they are processed in order to match against internal password databases.
Unfortunately, despite the k-anonymity interface, exfiltrating even a partial password hash is forbidden. Given this use case, I believe it would be advantageous to provide incremental hash lists for every addition made to the database between major releases of the complete list. Daily, or even weekly would be good.
The objective would be to notify users immediately if the hash of their current password is ever added to the…
1 voteDeltas are infeasible because it’s not just new hashes being added, it’s the counts on existing ones changing too. Best bet is to either load the complete hash set or use the public API. I understand different security postures with regards to using the API, but this is why it implements k-anonymity which there shouldn’t be a practical barrier against using, at least not from a privacy perspective.
-
Premium subscription
A premium API subscription that would allow domain search and show actual passwords would be awesome. This is already available online from multiple vendors but costs that are just too high.
1 voteThis would circumvent domain ownership verification and the presence of passwords would post enormous risks to individuals in breaches. That’s just not a situation I’m comfortable with.
-
Search for non decrypted passwords
As we can download both SHA-1 and NTLM password list, I suppose this list concerns only decrypted passwords that have been re encrypted with SHA-1 and NTLM.
So what about non decrypted passwords ?
I can see a lot of breaches where (fortunally) only the digest has been pwned and the digest algorithm is known.
Are there databases of encrypted passwords with their digest algorithm waiting to be decrypted ?
If yes it could be a nice feature to test passwords against all these databases using the corresponding algorithm...
1 voteThere are multiple problems with this:
Firstly, passwords are almost never encrypted, they’re hashed. If they are encrypted then without the private key you really can’t verify the password by any means.
Secondly, when hashed, they’re almost always salted as well so just knowing the algorithm used isn’t sufficient for a password hash provided by a user to be verified, I’d have to provide the salt used as well. That would mean storing that in a way that could be retrieved for that user which amounts to needing credential pairs which is too risky for my comfort.
Thirdly, it’s a very niche audience that could use this, namely people technical enough to hash their own password (with the salt, if needed) and then pass it back to the service.
In short, it’s high effort, high risk and low value given the niche nature of it.
-
Add FalixNodes.net
There was recently a security breach on FalixNodes, this includes all passwords to the Game Panel, which were all eventfully reset by the owner of FalixNodes.
1 voteThis is not a feature suggestion.
-
Domain user accounts
As a consultant, I see several companies that use a Microsoft Windows server and that are currently under cyber attack. looking at the userids that they use to try to get in, I think that somewhere there must be a list of existing userids (and passwords and even PC names) that they can use to login to a domain. Would be useful to get that info in hibp. By the way, on checking the domain names in hibp, I never get a verification code sent to security@....
1 voteThis is cage and not really actionable. If you’re not receiving email, you’re almost certainly blocking it.
-
Document IP addresses and stability for API
Using your API from our environment requires that we update our network egress rules to allow us to reach you.
I can easily see what IP addresses you're using now, but I can't tell how likely these are to change.
Having this documented would help us make better decisions about how - or whether - to use your API.
tia
1 voteI wouldn’t put any rules in place based on IP, just use the domain name(s).
-
Add credentials API (to check against strong hashes)
HIBP unlike other services like enzoic does not yet provide a way to find matches if the breach data contains medium to strong protected passwords.
To make that passwords searchable without cracking them the API needs to accept the username as input and returns a list of hashes together with meta information e.g. salt and hash algorithm. The client can then for all results use the provided hash algorithm for the password and compare it with the hash from the API result.
security notes:
1. you may want to add a second hash algorithm on top to avoid storing passwords…1 voteThe protection level of the password is not an area I want to get into as it leads to (often incorrect) assumptions about whether a breached password is suitable for use. There’s also no need to increase the strength of the hashing algorithm as it’s only designed to obfuscate the PII that appears in some records.
-
Add a 'AddedDate' field for pastes
With the current API, for the paste model it is mentioned that the paste date is only included if it is known, and that this value may be null.
Can you please consider adding a 'date reported' field to the paste model, which would simply be the timestamp of when a given breach is reported by HIBP. That would give a usable reference point as to the possible age / currency of the paste, in the event that the regular date value isn't known.
This would also be consistent with the breach model in the API, that differentiates between 'BreachDate'…
1 voteSo I thought this was a good idea, until I looked at the underlying schema I’d implemented. tl;dr – I don’t capture and store that information in a fashion that makes this request feasible. Sorry!
-
Clarify "<p>" within the "Title" Field of "Regler" Paste
The relevant JSON returned from https://haveibeenpwned.com/api/v3/pasteaccount/test@example.com is quoted below:
{ "Date": null, "EmailCount": 627, "Id": "https://underground-revolution.eu/hacked/networkgaming_2013_04_16.sql", "Source": "AdHocUrl", "Title": "Regler.<p>" },Can you please clarify the inclusion of the "<p>" from "Title" field or if not needed please remove "<p>" from the "Title" field?
1 voteThis is simply the title on that paste, whoever created it added a
tag to it.
-
Mark the Guntrader breach as Sensitive
The Guntrader breach should not be publicly visible as the severity of that leak comes from it revealing the names, addresses and locations of UK gun owners. Guntrader is a site that is purely used to buy and sell legal firearms in the UK so 99% of those with an account have guns. The UK National Crime Agency are involved at a high level as this breach puts gun owners at high risk of criminal attack and theft of firearms by knowing who has them and where. Unlike some countries the UK has very strictly controlled firearms access and guns…
1 voteI did consider flagging it as sensitive, but there were insufficient reasons to exclude it from visibility. Further, Guntrader themselves don’t deem it necessary to hide the visibility of an email address on their service (see attachment).
-
Note where aggregation is suspected.
So I've just been notified about the LinkedIn "scrape" and have verified that my data predates the Forbes breach. I have used multiple emails for LinkedIn over the years, and my current email is considerably older by a number of years than the HIPB alert might suggest.
I cannot be the first person to notice this, so it looks like this looks like some sort of peas porridge aggregation. It is notable that my current details are in the Forbes breach but the LinkedIn details are relatively ancient. I know you do not have a lot to go on for…
1 voteAny known information of relevance is already captured in the description. More on the specifics of the LinkedIn scrape in this thread: https://twitter.com/troyhunt/status/1444420522624749570?s=21
-
The email addresses (2) in the LinkedIn leak are email addresses that I’ve never used on LinkedIn, but on GitHub.
Are we sure this is a simple scraping leak? Or is something else going on here? Given Microsoft owns the two services, could it be more problematic than we think it is?
1 voteThis is not a feature suggestion. More on the LinkedIn scraping incident in this thread: https://twitter.com/troyhunt/status/1444420522624749570?s=21
-
have a way to mark all "breaches" as "rectified" when you changed the pasword.
We all change our pw frequently... it's hoped,
so have a way to grade the leak to "critical" before you update the pw for that breach. but then mark it as rectified after the pw is changed
1 voteThere are no plans to make HIBP a personal triage system.
- Don't see your idea?