General

  1. You should take a look at gmail adresses with . in them. For my email firstnamelastname@gmail.com returns as pwned but firstname.lastname@gm

    You should take a look at gmail adresses with . in them. For my email firstnamelastname@gmail.com returns as pwned but firstname.lastname@gmail.com returns as clean. For gmail these adresses are exactly the same and I use both of them.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  2. 3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  3. 3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  4. Notification before loading breach onto Azure

    In the past I have recreated the Maltego Graph of all breached sites/names and domains and when I have pushed this to GitHub another breach has been loaded on the same day by a tweet from https://twitter.com/haveibeenpwned

    Can you publish a counter estimating when the next series of breaches will be made available?

    I understand that breaches may be loaded concurrently and/or urgently, etc. Neither am I asking for you to publish the name of the website that you are confirming has been breached, etc

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  5. Add possibility to get total count of leaked emails for specific domain through API

    Possibility of getting count of total emails addresses leaked for specific IP is very useful due to problems of exporting the data for domain search when there real many emails. In my case happened that after export if showed only "Pastes" database and no other leaks. I have checked some email addresses from exported CSV list and through online database, results were not the same.
    And if total count for domain will be available, it will be much easier to compare results and see the differences, also such information can be useful for online threat intelligence platforms.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    A count alone won’t do much good, people want to know who was impacted in the breach. Plus, you already get a count at the top of the search page or can look at the rows in the CSV.

    Separately to this, if the results you’re seeing aren’t accurate, just check it’s not due to public searches not showing sensitive breaches.

  6. Add Retry-After to Access-Control-Expose-Headers

    When hitting a 429 response, a cross-origin request does not have access to the Retry-After header.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  7. API for recommending to allow/forbid a specific credential set.

    Perhaps as a premium service, allow a caller to post an email / password combination. HIBP responds with a recommendation on whether to allow the user to use that password on caller's system. Known pwn'd combinations would always recommend "forbid", as well as perhaps forbidding any password in the top % of pwn'd passwords by frequency.

    The end goal is giving system owners a way to steer users away from not only weak but also repeat & known-compromised credentials. I understand that data extraction would be a concern, thus the "premium" service suggestion.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  8. You have been blocked from accessing this resource on Have I Been Pwned

    Today is the first time we have ever visited hibp. Clicking on the test http link we immediately received the blocked message shown in the title.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  9. Update your pwned list. My email has been pwned, but you do not know.

    I get email threats saying the email and password is compromised. They even list the password. But this email is not showing up in your list.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  10. don't log data that has been input via the website

    a few days after I tested several of my passwords, I started receiving emails from different websites, that someone was trying to log into my accounts. and these are accounts that I haven't used for several years...

    your pawny website is a a phishing scam and people should never ever use it!!!

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  11. Domain Search Email Validation Not Working

    I'm not receiving emails while attempting to validate my ownership of a domain. We're using Office 365 and the email doesn't appear to be getting caught by the spam or phishing filters.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  12. Insert Breach's "Permalink"

    Can you please insert the breach's "Permalink" returned by the API?

    For example, include "Permalink" : "https://haveibeenpwned.com/PwnedWebsites#Adobe" similar to the existing key/value pair of "LogoPath".

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  13. Provide Delta files between versions of the Password DB for offline mirror updates

    for offline mirrors it is important to be able to stay up to date - dropping the index and whole db only to reimport all 550M entries is a long time - for local offline copies the # of breaches may not be important but the new hashes are - can you provide delta files of the newly added SHA1s only for easier updates?

    Love using the service btw!

    would also keep your bandwith lower for people only needing the new stuff by downloading smaller files

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  14. Version Pwned Password API

    Can you version the "Pwned Passwords" API v2 to reduce the confusion with https://haveibeenpwned.com/API/v3#APIVersion please?

    Can the "Pwned Passwords" API endpoint also specify which release of https://haveibeenpwned.com/Passwords is used within its URL?

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    At this stage there’s no plan to version the Pwned Passwords API an it’ll continue to run independently to the APIs for searching breaches.

    See the “last-modified” response header on the API if you’re looking to identify when the data is current as of.

  15. HOSTINGER.COM HAD A DATA BREACH

    I’m not lying, I got an email from them. Here is the blog post about it:
    https://www.hostinger.com/blog/security-incident-what-you-need-to-know/

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  16. Humio Pawned

    Received this mail:
    Dear Humio user,

    On Monday, November 4th, we became aware that an authenticated user of cloud.humio.com could use an API call to retrieve a full list of cloud.humio.com users, including names and email addresses. No other information was exposed.

    You are receiving this email because your name and email could have been exposed.

    We only know of a single incident where someone unintentionally accessed this information. They immediately reported this to us (thank you!). However, we can’t definitively identify whether any other users accessed and stored this data. If you retrieved any user names or email addresses,…

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  17. Domain search

    I own several domains and I would like to check any email adress with that domain.
    Simply verify by sending confirmation request on a random email address with that domain e.g. h1ytsh4t uhh674@larshjorth.dk

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  18. search by hash to be EU GDPA laws compliant

    As a security company I would like to be able to search in your database on behalf of my clients for their employees emailadresses. The current laws in EU prohibit this unless HIBP signs a DPA - contract with my company OR we do not provide you with the emaildadress but just a hash. My company would even pay money for this.
    I know you already declined this a couple of times but so far nobody mentioned the aspect of law compliancy.
    THX for your work

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  19. 3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  20. GDPR complience

    In order to be GDPR compliant when using the service, we need assurance that the e-mail address we provide is not to be stored or passed over to a third party (and some other requirements). Can you sign a document that states that, so we have someting to show during audits?

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base