General
111 results found
-
Add the ability for a domain owner to view and unsubscribe any currently setup domain subscription
A domain subscription checker (done with similar verification to the domain verification links) would enable the domain owner to check only current employees have have access to the information, and to revoke any incorrectly or outdated subscriptions on the domain without having to have access to each destination mailbox
From personal mistake:
I've subscribed for domain alerts, copied the verification token and authorised before it took me back to a screen that showed I'd mis-spelt the notification email address hostname! That means someone else now is approved to see full domain level summary.As the notification email address is different…
7 votes -
Add MostRecentDate to Domain Search results
When viewing Domain Search results, it would be helpful to have column containing the date of their most recent appearance in a breach data set. This would help prioritize password changes if the search results are larger.
7 votes -
Add an Ethereum / Bitcoin SV / credit card / other for donations
Add an Ethereum address for donations and convert all existing Bitcoin donations to renBTC (there's more Bitcoin in the Ethereum network than on the lightning network) via bridge.renproject.io and exchange renBTC for Ethereum via 1inch.eth.link (1inch exchange).
7 votes -
Add an API endpoint that returns a rate limited response
This would allow easy testing of code to properly handle a rate limit, without having developers intentionally exceed the rate limit in order to test.
https://api.pwnedpasswords.com/rate-limited/backoff
would return a 429 response with a Retry-After header with a a value = backoff. The backoff parameter is optional and if omitted you would return the default backoff seconds (2).It is unclear whether the v2 api is rate limited. You state when describing the V2 API that it is not, but the section regarding rate limiting in the API docs does explicitly state that it doesn't apply to the V2 API. This…
7 votes -
Few more detail on the breach needs to be included
Need few other details on the breaches that happened in the past. Its good we get the information details completely. The same is included in http://www.askmein.com/tools/have-i-been-pwned
7 votes -
Full email service for companies to help CISOs
Hello,
I'm using Have I been Pwned to find out unsealed email accounts and passwords for our company domain and I'm very pleased about this service.
But to make life easier I suggest the following service:
1) I sign in at Have I Been Pwned.
2) I type in and confirm all domains of my company
3) I define a text to inform my users about a possible problem, that their passwords are maybe lost.
4) I accept the actual status of unsealed account information as the base line
5) If new breaches of user accounts will occur Have I…7 votes -
Add a "Suspended" account button
I have been reported on 3 accounts that Tumblr accounts have been breached, one of them was in fact suspended for unknown reasons.
7 votes -
7 votes
-
Make domain notification more salient
TL;DR: Make domain-level notification (1) more obvious to find and (2) more salient in the registration form.
Feature not advertised in top bar labels
- "Home" promises e-mail one-time search,
- "Notify me" promises e-mail notification, not registration
- "Domain search" promises, well, one-time domain search.
I suggest you add either a separate label on top bar with a separate form. Or change existing "Domain search" into "Domain search+notification" (yes, it's longer, so see other suggestion below).
Feature not recognizable when found
On https://haveibeenpwned.com/DomainSearch there is only one salient title "Domain search / Search for pwned accounts across an entire domain". No title…
7 votes -
Remove captcha from the domain page
Captcha is grotesequely unfair on people that have learning disabilities and is preventing me from properly using your service.
Find an anti-robot mechanism that doesn't penalise real people with real problems.7 votes -
Add Domain Connect to the "Verify by domain TXT record" method
This way TXT record can be added automatically at GoDaddy, 123reg, 1&1 IONOS and few others. See https://www.domainconnect.org/dns-providers/
6 votes -
Notify email owner by phone text message
Offer the flexibility for a user to enter all email addresses owned by the user along with a mobile number through which the user gets notified if any of the listed emails are pwned.
6 votes -
Add a "Get all pastes for a domain" API endpoint
Currently, HIBP offers a "Get all breached email addresses for a domain" API endpoint and a "Get all pastes for an account" endpoint, but no endpoint exists to search for all pastes for a domain.
The domain search API endpoint is incredibly efficient (especially for enterprise customers), but it does not return known pastes for each account. This can be very painful for multiple reasons (not limited to):
1.) Just because an account has NOT been seen in a third-party breach tracked by HIBP does NOT mean it hasn't been seen in a paste. This means we are seeing an…
6 votes -
Domain Search Spam Filtering or Sorting
After running a domain search there is some instances that you have a small number of "Addresses Excluding Spam" and a very high number of "All Breached Addresses".
It would be super useful to be able to sort by Spam or Excluding Spam Addresses.
Maybe a dropdown or a tickbox to be able to filter out the spam breached addresses.6 votes -
Authorize Domain by API
Add API Functions to Authorize by TXT records to the API.
The way I'd do it would be to add an endpoint to view the TXT Record details you need to add... then a second endpoint to verify the TXT Record is valid...Abuse Mitigations are pretty easy, cap max hits/min to the second Endpoint as it has to perform DNS lookups to do it.
And the first endpoint can't really be abused anyway as no doubt you combine the user's email plus the domain to get the hash in the TXT record... so that's a nothing function.This will…
6 votes -
Update Zygna.com data breach information
I've just been informed that the Zygna.com data breach included my phone number. Which, makes sense, since it is usually installed on mobile devices. You don't list phone numbers are part of the data breach.
6 votes -
Return usernames/email addresses with Pwned Passwords api by using a k-Anonymity model
The chances for old email addresses to be listed in a breach is very high. After some decades of use the email address occurs in a breach with a hopefully old password and is used with new passwords currently.
Thus, it would be great if I could test if a specific username – password combination has been listed in a breach. As far as I understand the API this isn’t possible at the moment.
The relating email addresses could be returned after the number of breaches in the api.pwnedpasswords.com return value. This approach has the problem that foreign email addresses…5 votes -
show an example of the phone number layout for Facebook data search
Like does it include dashes? spaces?
example: +1 954-123-4567 or +19541234567?5 votes -
Prevent the pwned passwords page from mirroring hashes to Azure App Insights
Currently when I submit a password to HIBP it sends two requests. One to https://api.pwnedpasswords.com/range/<hash> and another to https://dc.services.visualstudio.com/v2/track with a copy of the hash:
[
{
"data": {
"baseData": {
"data": "GET https://api.pwnedpasswords.com/range/<hash>",
"duration": "00:00:00.100",
"id": "|<id>.<id>",
"name": "GET /range/<hash>",
"resultCode": "200",
"success": true,
"target": "api.pwnedpasswords.com",
"type": "Ajax",
"ver": 2
},
"baseType": "RemoteDependencyData"
},
"iKey": "<id>",
"name": "Microsoft.ApplicationInsights.<id>.RemoteDependency",
"tags": {
"ai.device.id": "browser",
"ai.device.type": "Browser",
"ai.internal.sdkVersion": "javascript:1.0.21",
"ai.operation.id": "HdzCf",
"ai.operation.name": "/Passwords",
"ai.session.id": "<id>",
"ai.user.id": "<id>"
},
"time": "2021-06-10T04:27:35.000Z"
}
]Is it really necessary to send hashes to this many parties?
5 votes -
Indicate which data classes were compromised for each record in a breach
So yeah, when testing an email-address, if should be made clear in the returned results whether the full data (name, physical address, email) or only the email-adress was leaked.
This is important because the ledger hack is more serious than many other to the security of those leaked.4 votes
- Don't see your idea?