Skip to content

General

115 results found

  1. Summarise the breach info at the top of domain wide searches

    When you search across a domain at present, the breach name is listed next to each impacted account but it's not clear when it happened or when it was loaded into HIBP. It might not make sense to list this info next to every single breached account in the list, but a summary at the top of the page listing key attributes of each relevant breach would be handy.

    8 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  2. Mark Wii U ISO as a sensitive breach

    Wii U ISO is a site that hosts illegal downloads of pirated video games. This include Roms & ISOs for Nintendo Switch, Wii U, and 3DS. The ability to upload or download games is only available for registered users.

    Because having an account could link users to illegal software piracy, I would like to propose adding it to the list of sensitive breaches.

    (Arguably, emuparadise should be marked as sensitive, as they previously distributed illegal ROMs)

    8 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  3. 7 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  4. Few more detail on the breach needs to be included

    Need few other details on the breaches that happened in the past. Its good we get the information details completely. The same is included in http://www.askmein.com/tools/have-i-been-pwned

    7 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  5. Add a "Suspended" account button

    I have been reported on 3 accounts that Tumblr accounts have been breached, one of them was in fact suspended for unknown reasons.

    7 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  6. Add the “Notify Me” element to API functionality

    Add the “Notify Me” element to API functionality so that people can be automatically added to the monitoring (as well as the one off checks)

    7 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  7. Prevent the pwned passwords page from mirroring hashes to Azure App Insights

    Currently when I submit a password to HIBP it sends two requests. One to https://api.pwnedpasswords.com/range/<hash> and another to https://dc.services.visualstudio.com/v2/track with a copy of the hash:
    [
    {
    "data": {
    "baseData": {
    "data": "GET https://api.pwnedpasswords.com/range/<hash>",
    "duration": "00:00:00.100",
    "id": "|<id>.<id>",
    "name": "GET /range/<hash>",
    "resultCode": "200",
    "success": true,
    "target": "api.pwnedpasswords.com",
    "type": "Ajax",
    "ver": 2
    },
    "baseType": "RemoteDependencyData"
    },
    "iKey": "<id>",
    "name": "Microsoft.ApplicationInsights.<id>.RemoteDependency",
    "tags": {
    "ai.device.id": "browser",
    "ai.device.type": "Browser",
    "ai.internal.sdkVersion": "javascript:1.0.21",
    "ai.operation.id": "HdzCf",
    "ai.operation.name": "/Passwords",
    "ai.session.id": "<id>",
    "ai.user.id": "<id>"
    },
    "time": "2021-06-10T04:27:35.000Z"
    }
    ]

    Is it really necessary to send hashes to this many parties?

    7 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  8. Add an API endpoint that returns a rate limited response

    This would allow easy testing of code to properly handle a rate limit, without having developers intentionally exceed the rate limit in order to test.

    https://api.pwnedpasswords.com/rate-limited/backoff
    would return a 429 response with a Retry-After header with a a value = backoff. The backoff parameter is optional and if omitted you would return the default backoff seconds (2).

    It is unclear whether the v2 api is rate limited. You state when describing the V2 API that it is not, but the section regarding rate limiting in the API docs does explicitly state that it doesn't apply to the V2 API. This…

    7 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  9. Make domain notification more salient

    TL;DR: Make domain-level notification (1) more obvious to find and (2) more salient in the registration form.

    Feature not advertised in top bar labels

    • "Home" promises e-mail one-time search,
    • "Notify me" promises e-mail notification, not registration
    • "Domain search" promises, well, one-time domain search.

    I suggest you add either a separate label on top bar with a separate form. Or change existing "Domain search" into "Domain search+notification" (yes, it's longer, so see other suggestion below).

    Feature not recognizable when found

    On https://haveibeenpwned.com/DomainSearch there is only one salient title "Domain search / Search for pwned accounts across an entire domain". No title…

    7 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  10. Remove captcha from the domain page

    Captcha is grotesequely unfair on people that have learning disabilities and is preventing me from properly using your service.
    Find an anti-robot mechanism that doesn't penalise real people with real problems.

    7 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  11. Add MostRecentDate to Domain Search results

    When viewing Domain Search results, it would be helpful to have column containing the date of their most recent appearance in a breach data set. This would help prioritize password changes if the search results are larger.

    7 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  12. Add a "Get all pastes for a domain" API endpoint

    Currently, HIBP offers a "Get all breached email addresses for a domain" API endpoint and a "Get all pastes for an account" endpoint, but no endpoint exists to search for all pastes for a domain.

    The domain search API endpoint is incredibly efficient (especially for enterprise customers), but it does not return known pastes for each account. This can be very painful for multiple reasons (not limited to):

    1.) Just because an account has NOT been seen in a third-party breach tracked by HIBP does NOT mean it hasn't been seen in a paste. This means we are seeing an…

    7 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  13. Add Domain Connect to the "Verify by domain TXT record" method

    This way TXT record can be added automatically at GoDaddy, 123reg, 1&1 IONOS and few others. See https://www.domainconnect.org/dns-providers/

    6 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  14. Breach and the accounts on your domains through API

    When there is a breach we get an email with the number of accounts for ur domains, then I can use the API to get the breacheddomain. But then I get alle the breaches for that domain, and I want to get only a specifiek breach. So you can search on domein and breach and then get the accounts regarding this.

    6 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  15. Domain Search Spam Filtering or Sorting

    After running a domain search there is some instances that you have a small number of "Addresses Excluding Spam" and a very high number of "All Breached Addresses".

    It would be super useful to be able to sort by Spam or Excluding Spam Addresses.
    Maybe a dropdown or a tickbox to be able to filter out the spam breached addresses.

    6 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  16. Update Zygna.com data breach information

    I've just been informed that the Zygna.com data breach included my phone number. Which, makes sense, since it is usually installed on mobile devices. You don't list phone numbers are part of the data breach.

    6 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  17. Notify email owner by phone text message

    Offer the flexibility for a user to enter all email addresses owned by the user along with a mobile number through which the user gets notified if any of the listed emails are pwned.

    6 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  18. show an example of the phone number layout for Facebook data search

    Like does it include dashes? spaces?
    example: +1 954-123-4567 or +19541234567?

    5 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  19. Indicate which data classes were compromised for each record in a breach

    So yeah, when testing an email-address, if should be made clear in the returned results whether the full data (name, physical address, email) or only the email-adress was leaked.
    This is important because the ledger hack is more serious than many other to the security of those leaked.

    4 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  20. Fix captcha puzzle for IE11 users

    Currently the buttons at the bottom of the "check all images that have XXX" popup don't work on IE11. Can't Verify, refresh, get help, etc. Makes notifications impossible if the puzzle appears.

    4 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base