General
-
Display the Bitcoin Cash donation address as CashAddress
On the donation page the Bitcoin Cash donation address is displayed in the old legacy format (1DQZe241VSm5VjY1YeAyiWQR5VFH3heCtJ).
Most wallets (probably 100% of all user-facing ones) support the CashAddress format (bitcoincash:qzypv5j3ce6g57x9te25lgx0z6af8ehz2c8tudzpaf in this case), and using the legacy format for Bitcoin Cash is discouraged due to a risk of sending to an invalid address.
2 votes
Thanks for the tip, it’s done: https://haveibeenpwned.com/Donate
-
Higher Ed Discount
As we are not awash in money it would be appreciated if there was a Higher Ed discount of some sort. As students come and go they still stay on the list as pwned users even if they are no longer enrolled. Like you, we are a proponent of research and public service.
2 votes
Hi Will, EDU discounts are already in place, check out this KB: https://support.haveibeenpwned.com/hc/en-au/articles/7619887413135-Do-you-provide-discounts-based-on-the-nature-of-the-organisation-
-
API option to only return whether an account is breached or not
At the moment when querying an email address, the names of the sites breached are returned, in some circumstances this may not be desirable due to local legislation. Is it possible to have an API option to return whether an account has been involved in a breach or not rather than names of breached services?
1 vote
-
Meta/ Facebook
We are subscribing to your service and had over 3.000 users so far. But none is showing the FACEBOOK data leak. How can this be?
1 vote
The scraped Facebook data didn’t contain email addresses, only phone numbers: https://www.troyhunt.com/the-facebook-phone-numbers-are-now-searchable-in-have-i-been-pwned/
-
Fix this bug: Different results of same e-mail
When I check my e-mail using the website https://haveibeenpwned.com/ it shows "Good news — no pwnage found!".
Then I clicked on "Notify me when I get pwned". I received an e-mail with a URL to confirm and, when I click this URL, it opens the same site showing "Already verified" but right below "Oh no — pwned!" with one specific site that makes sense.
1 vote
You’re seeing a result when you click the verify link that’s been flagged as “sensitive”. It’s likely an adult website – these are not shown for public searches of an address.
-
To make a list of pwned apps or websites from old to new so that it wouldn't be hard for us to scroll down-scroll down to the pwned things.
make a button for List Of Pwned Apps/Websites, then add summary of each Pwned A/W.
1 vote
This already exists: https://haveibeenpwned.com/PwnedWebsites
-
Add an option to search breached accounts through a username
And it could work that if there are multiple accounts using the same username then you for example can choose the one that's yours
1 vote
HIBP already has this construct: https://www.troyhunt.com/searching-snapchat-data-breach-with/
But it’s very rarely used as usernames are difficult to parse out, not unique to an individual and almost always accompany email addresses which can more reliably be searched.
-
Add potential causes for the 503 response.
A 503 response is given for a single query to the breached account api, but not the pwnedpassword api.
1 vote
I’ve just added info on the 503 status here: https://haveibeenpwned.com/API/v2#RateLimiting
Per the existing documentation, there are no rate limits on the Pwned Passwords API.
-
automation / ml / nlp for surfacing "sensitive" breach
Curious about your thoughts on using some sort of automation / aggregation / ML to help classify what constitutes a "sensitive" breach, and also what the most up-to-date state of "sensitive breach" classification logic is.
Would also be great to have an easy-to-find and up-to-date list of what those sites are.
1 vote
This is already available on the website under the breach description here: https://haveibeenpwned.com/PwnedWebsites
Or via the API here: https://haveibeenpwned.com/API/v3#AllBreaches
-
top list of worst passwords.
Not sure how prevalent very popular passwords are, so I'd suggest, if possible, it would be a real nice feature to see the worst offenders in order of most reused.
For instance "password", is its millions of instances actually #1 or is something else more prevalent?
Seeing the worst of the worst in terms of commonality/instances of use would be a nice tool for average users to gauge just exactly how bad that "Password1!" workaround really is.
1 vote
Try this list from the NCSC: https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere
-
Being able to clear the history of breaches.
I would love to be able to clear the breached websites that my email address has. I think this would be a great addition to the opt-out feature.
1 vote
This is pretty much what one of the opt-out options already does: “delete all data breaches against my email address”.
-
Cannot do payments from debit card for one time.
You should add debit cards also in payment and upi.
1 vote
Payment via debit card is already supported.
-
Allow viewing of one pwned website at once
On the Pwned Websites list (https://haveibeenpwned.com/PwnedWebsites), there is no way to link to a specific site. This could be done easily in two ways:
1) Give each pwned website its own page (e.g. https://haveibeenpwned.com/PwnedWebsites/Verifications-IO) that just gives that website's description.
2) Add an anchor link to each pwned website's header so we can deep-link directly to one site.
Ideally both could be done, and should be relatively easy (I think).
The reason I want this is that I monitor our corporate network for any corporate accounts that are included in breaches, and let people know about them.…
1 vote
So this was always possible (each breach has an anchor that can be linked to), but there wasn’t an easily clickable reference. I’ve just added a permalink under each breach description which should make this easier. It’s now deploying, let that finish and allow cache to flush and it’ll be good.
-
Please, could you explain what's the meaning of "pwned" in English? Because I can't find it in any English dictionary.
1 vote
Updated the FAQs today, have a look at the first one here: https://haveibeenpwned.com/FAQs
-
Have a FAQ that explains breached passwords to users in easy to understand language
It would be nice if we had a FAQ that we could link to when checking a password against HIBP, when a password is found in the list, to explain to users what this means in simple terms. E.g. The password you've chosen was found in a list of passwords that have been hacked from a website in the past. We highly recommend not using such a password anywhere because it means that your account's security is extremely weakened. For more information, please read [some more detailed FAQ]
1 vote
Great idea, done! Try this: https://haveibeenpwned.com/FAQs#PwnedPasswordFound
-
Allow CSIRTs to be able to monitor their constituents' domains
CSIRTs use to monitor their customers' domains in order to warn them about potential breaches, vulnerabilities and incidents related to them. It should be good to allow CSIRTs covering a large constituency (like national CSIRT, industry CSIRTs, Academic CSIRTs) to be able to monitor their constituents' domains by accessing the info in a convenient way (by signing, for example, an NDA, compromise, etc.)
1 vote
This is already possible via Enterprise services, get in touch for more: https://www.troyhunt.com/contact/
-
Include RAT and Keylogger logs.
Including things like this (http://pastebin.com/4fJAYTRt) would be a good addition to those who have been infected and do not know about it.
1 vote
Already implemented in the paste service.
-
Add sprashivai.ru breach
Website with questions with high popularity in Russia 'sprashivai.ru' (clone of formspring.me and so on) has been breached recently.
https://vk.com/wall6492_5205 (in Russian)
http://tjournal.ru/p/sprashivairu-passwords-leak (in Russian) (I don't know where to get data)
1 vote
Great tip! The data is now live on the site.
-
Don't Just Tell Me That SOMEONE In My Domain Has Been Pwn3d, Tell Me Who
I got an email, this morning, from HIBP, that someone on one of my domains had their account hit in the LinkedIn hack, but the address was not listed in the email. It would be nice to know who that was, instead of having to test every single address in this domain to find out.
1 vote
Per the comment here, follow the link in the email received to run another search. Impacted addresses are never sent via email for privacy purposes.
-
haveibeenpwned.com/api
I now get this: "You have been blocked from accessing this resource on Have I Been Pwned" when using the URI for account checking. I tried it on 3 systems (IPs) and get the same result.
https://haveibeenpwned.com/api/v2/breachedaccount/test@test.com?truncateResponse=true
Is this because of the test@test.com?
1 vote
If you’re accessing the API, make sure you adhere to the requirements, particularly around the UA string: https://haveibeenpwned.com/API/v2#UserAgent