General
-
Sort breaches by date
This is mostly useful for those of us who like to check for new leaks involving our email addresses every few months. Currently one has to read through the whole list of results since they're in a seemingly arbitrary order, including those one has already changed the relevant passwords for.
19 votes -
19 votes
-
Provide localised language versions
IMO, HIBP is so useful that every single person in the world should have it bookmarked and all companies should monitor their domain accounts using it. Some users in our company use their business email address to create accounts on several websites, and thanks to HIBP our IT team is warned when one of them is pwned.
We thought it would be a great idea to tell everyone about HIBP so they could verify and monitor their own personal accounts, so we did it by sending an email telling about HIBP to everyone in the company. Everyone was able to…
17 votes -
Fix multi-domain search results
Apparently, multi-domain search results for breached email account sets are broken. Maybe only for large result sets?
I did a multi-domain search after the avectis breach notification with over 10.000 of our company and customer emails affected. However, the "Breached email accounts" tab in the Excel format was empty. The HTML did not load (result set too big) and the JSON also only included "{"BreachSearchResults":null, ..."
Can you check this please?
15 votes -
Make a section on what to do if you have been pawned.
So, I've been pawned? What's next? What do I need to do? How can I fix this issue or protect myself from this happening again? You talk about being pawned but I don't see anything in simple English on the next steps besides using your password generator which I have been using for years but still got pawned.
15 votes -
Send enrollment email upon valid domain verification
I successfully enrolled in domain search, but never got a confirmation message. Now when I forget whether or not I've enrolled my domain in a year (as will surely happen), I have no way of knowing if I'm just repeating efforts.
14 votes -
Report as an email containing additional details
If the email address matches the username, provide associated data elements that have been breached. These could be as follows:
1. plain-text passwords, password hashes associated with the email add.
2. other PII .. address, phone#, IP, etc.
13 votes -
PayPal option to pay API key
Not everyone has a credit card. Should be nice if I can pay the API key with PayPal :)
13 votes -
Enable API to be queried such that it returns only the breach name
At present, searching the API returns all data about the breach including description and other meta data. For high volume API consumers, it would be preferable to return just the breach name. Meta data about the breach could then be retrieved in a single API query to the breach service. This would reduce the response size for each query by more than 90%.
11 votes -
Add additional contacting email addresses for domain search
Add itsecuity@domain.com as one of the contacting addresses for a domain search as this is a common address these days.
11 votes -
Have a page with mitigation directions for the technically challenged.
For those of us who are technically challenged, directions on how to mitigate any damage if found to have been breached. For example, my husband and I found that our Adobe accounts were breached, but we do not know when he signed up as he does not have a computer and only created an email when he got a smart phone about 4 years ago. He has no idea of how he got signed up for Adobe. To be honest, I do not remember signing up or into that service either, although I do have it on my computers and…
10 votes -
Have HIBP lookup security.txt mail addresses for Domain Search verification.
Security teams within larger and less mature enterprises struggle to achieve regular access to new breach info based on the current verification process.
Security.txt was implemented as a standard for disclosures, so it would make sense this would also be leveraged for validating domain searches by security teams. Also, it would make accessing new affected users easier for larger international organizations where the DNS registration is non-standard or inaccessible.
10 votes -
Domain wide search results - Refined export of data
It would be great to refine the export data for domain wide searches.
Something I would like to do is notify the users of new breaches. If I run the report periodically, I can easily compare the results and for any differences script a personalised mailout informing my users of such exploit.
Cheers,
Ivan
10 votes -
9 votes
-
Summarise the breach info at the top of domain wide searches
When you search across a domain at present, the breach name is listed next to each impacted account but it's not clear when it happened or when it was loaded into HIBP. It might not make sense to list this info next to every single breached account in the list, but a summary at the top of the page listing key attributes of each relevant breach would be handy.
8 votes -
7 votes
-
Don't show pastes just by providing the e-mail address before verifying it's the actual owner
Right now just by providing an e-mail address you can get pastes with plain password for that address. I can see how this can be abused. Could you implement some kind of verification that it's the actual owner of the e-mail? For example, sending an email which leads to a list of pastes where the password was found.
7 votes -
A few more details on the breach need to be included
Need a few other details on the breaches that happened in the past. It's good we get the information details completely. The same is included in http://www.askmein.com/tools/have-i-been-pwned
7 votes -
Add the ability for a domain owner to view and unsubscribe any currently setup domain subscription
A domain subscription checker (done with similar verification to the domain verification links) would enable the domain owner to check only current employees have access to the information, and to revoke any incorrect or outdated subscriptions on the domain without having to have access to each destination mailbox.
From personal mistake:
I've subscribed for domain alerts, copied the verification token and authorised before it took me back to a screen that showed I'd mis-spelt the notification email address hostname! That means someone else now is approved to see full domain level summary. As the notification email address is different…
7 votes -
7 votes