General
-
You should take a look at gmail adresses with . in them. For my email firstnamelastname@gmail.com returns as pwned but firstname.lastname@gm
You should take a look at gmail adresses with . in them. For my email firstnamelastname@gmail.com returns as pwned but firstname.lastname@gmail.com returns as clean. For gmail these adresses are exactly the same and I use both of them.
3 votes -
URI for "Pwned Password"
Can you add an enhancement to https://haveibeenpwned.com/Passwords which is https://haveibeenpwned.com/Passwords/[Password/SHA-1] similar to the "account" URI such as https://haveibeenpwned.com/account/christian.heinrich@cmlh.id.au please?
3 votesAll endpoints that allow searching by individual email address or complete hash are slated for deprecation, use the range search instead.
-
3 votes
This is already supported here: -https://haveibeenpwned.com/OptOut
-
Notification before loading breach onto Azure
In the past I have recreated the Maltego Graph of all breached sites/names and domains and when I have pushed this to GitHub another breach has been loaded on the same day by a tweet from https://twitter.com/haveibeenpwned
Can you publish a counter estimating when the next series of breaches will be made available?
I understand that breaches may be loaded concurrently and/or urgently, etc. Neither am I asking for you to publish the name of the website that you are confirming has been breached, etc
3 votesThere’s nowhere near enough predictability to do this, just monitor the breaches API and you’ll know as soon as a new one is there.
-
Add possibility to get total count of leaked emails for specific domain through API
Possibility of getting count of total emails addresses leaked for specific IP is very useful due to problems of exporting the data for domain search when there real many emails. In my case happened that after export if showed only "Pastes" database and no other leaks. I have checked some email addresses from exported CSV list and through online database, results were not the same.
And if total count for domain will be available, it will be much easier to compare results and see the differences, also such information can be useful for online threat intelligence platforms.3 votesA count alone won’t do much good, people want to know who was impacted in the breach. Plus, you already get a count at the top of the search page or can look at the rows in the CSV.
Separately to this, if the results you’re seeing aren’t accurate, just check it’s not due to public searches not showing sensitive breaches.
-
Add Retry-After to Access-Control-Expose-Headers
When hitting a 429 response, a cross-origin request does not have access to the Retry-After header.
3 votesIf the 429 is raised by the origin web server, you’ll get a retry-after. If you’ve been absolutely hammering the service and Cloudflare steps in and rate limits, you won’t get a retry-after from them.
-
API for recommending to allow/forbid a specific credential set.
Perhaps as a premium service, allow a caller to post an email / password combination. HIBP responds with a recommendation on whether to allow the user to use that password on caller's system. Known pwn'd combinations would always recommend "forbid", as well as perhaps forbidding any password in the top % of pwn'd passwords by frequency.
The end goal is giving system owners a way to steer users away from not only weak but also repeat & known-compromised credentials. I understand that data extraction would be a concern, thus the "premium" service suggestion.
3 votesI understand the ask, but I definitely don’t want to store credential sets in any way, it just poses too great a risk for users and myself alike.
-
You have been blocked from accessing this resource on Have I Been Pwned
Today is the first time we have ever visited hibp. Clicking on the test http link we immediately received the blocked message shown in the title.
3 votesUserVoice is for suggestions for the site that are shared publicly. Try using the contact page on troyhunt.com if you’re having a specific problem.
-
Update your pwned list. My email has been pwned, but you do not know.
I get email threats saying the email and password is compromised. They even list the password. But this email is not showing up in your list.
3 votesI can only add data I have access to. If you have a breach not already in HIBP, I can add that.
-
don't log data that has been input via the website
a few days after I tested several of my passwords, I started receiving emails from different websites, that someone was trying to log into my accounts. and these are accounts that I haven't used for several years...
your pawny website is a a phishing scam and people should never ever use it!!!
3 votesPer the FAQs and privacy policy, no data is logged and the behaviour you’re experiencing has not originated from HIBP.
-
Domain Search Email Validation Not Working
I'm not receiving emails while attempting to validate my ownership of a domain. We're using Office 365 and the email doesn't appear to be getting caught by the spam or phishing filters.
3 votesThis site is used for feature requests, not support. If you’re not receiving emails it’ll be because your mail server is blocking them.
-
Insert Breach's "Permalink"
Can you please insert the breach's "Permalink" returned by the API?
For example, include "Permalink" : "https://haveibeenpwned.com/PwnedWebsites#Adobe" similar to the existing key/value pair of "LogoPath".
3 votesYou can already derive this from the breach name: https://haveibeenpwned.com/PwnedWebsites#{breach name}
-
Provide Delta files between versions of the Password DB for offline mirror updates
for offline mirrors it is important to be able to stay up to date - dropping the index and whole db only to reimport all 550M entries is a long time - for local offline copies the # of breaches may not be important but the new hashes are - can you provide delta files of the newly added SHA1s only for easier updates?
Love using the service btw!
would also keep your bandwith lower for people only needing the new stuff by downloading smaller files
3 votesDeltas would still be extremely large due to the prevalence counts on so many of the passwords changing. Best bet is to either download the new version or if that becomes inconvenient, hit the k-anonymity API.
-
Version Pwned Password API
Can you version the "Pwned Passwords" API v2 to reduce the confusion with https://haveibeenpwned.com/API/v3#APIVersion please?
Can the "Pwned Passwords" API endpoint also specify which release of https://haveibeenpwned.com/Passwords is used within its URL?
3 votesAt this stage there’s no plan to version the Pwned Passwords API an it’ll continue to run independently to the APIs for searching breaches.
See the “last-modified” response header on the API if you’re looking to identify when the data is current as of.
-
HOSTINGER.COM HAD A DATA BREACH
I’m not lying, I got an email from them. Here is the blog post about it:
https://www.hostinger.com/blog/security-incident-what-you-need-to-know/3 votesThis UserVoice is for feature suggestions. Please contact me here if you have data to load: https://www.troyhunt.com/contact/
-
Humio Pawned
Received this mail:
Dear Humio user,On Monday, November 4th, we became aware that an authenticated user of cloud.humio.com could use an API call to retrieve a full list of cloud.humio.com users, including names and email addresses. No other information was exposed.
You are receiving this email because your name and email could have been exposed.
We only know of a single incident where someone unintentionally accessed this information. They immediately reported this to us (thank you!). However, we can’t definitively identify whether any other users accessed and stored this data. If you retrieved any user names or email addresses,…
3 votesPlease keep User Voice for suggested features. If you have access to a data breach you’d like to submit, get in contact with me here: https://www.troyhunt.com/contact/
-
Domain search
I own several domains and I would like to check any email adress with that domain.
Simply verify by sending confirmation request on a random email address with that domain e.g. h1ytsh4t uhh674@larshjorth.dk3 votesThis read like a personal request for verification with a non-standard alias. HIBP already provides a mechanism for domain verification using standard administrator email addresses.
-
search by hash to be EU GDPA laws compliant
As a security company I would like to be able to search in your database on behalf of my clients for their employees emailadresses. The current laws in EU prohibit this unless HIBP signs a DPA - contract with my company OR we do not provide you with the emaildadress but just a hash. My company would even pay money for this.
I know you already declined this a couple of times but so far nobody mentioned the aspect of law compliancy.
THX for your work3 votesThis has already been raised and declined here: https://haveibeenpwned.uservoice.com/forums/275398-general/suggestions/8234421-allow-users-to-search-for-an-email-address-by-hash
-
Site pwned notefull.com
https://pastebin.com/JhbQGea2
a bunch of passwords3 votesAdded to HIBP as a paste, closing this as “declined” as User Voice is typically meant to be for new ideas
-
GDPR complience
In order to be GDPR compliant when using the service, we need assurance that the e-mail address we provide is not to be stored or passed over to a third party (and some other requirements). Can you sign a document that states that, so we have someting to show during audits?
3 votesThis is already addressed in the FAQ here: https://haveibeenpwned.com/FAQs#Logging
- Don't see your idea?