General
119 results found
-
Mark Wii U ISO as a sensitive breach
Wii U ISO is a site that hosts illegal downloads of pirated video games. This include Roms & ISOs for Nintendo Switch, Wii U, and 3DS. The ability to upload or download games is only available for registered users.
Because having an account could link users to illegal software piracy, I would like to propose adding it to the list of sensitive breaches.
(Arguably, emuparadise should be marked as sensitive, as they previously distributed illegal ROMs)
8 votes -
8 votes
-
Few more detail on the breach needs to be included
Need few other details on the breaches that happened in the past. Its good we get the information details completely. The same is included in http://www.askmein.com/tools/have-i-been-pwned
7 votes -
Prevent the pwned passwords page from mirroring hashes to Azure App Insights
Currently when I submit a password to HIBP it sends two requests. One to https://api.pwnedpasswords.com/range/<hash> and another to https://dc.services.visualstudio.com/v2/track with a copy of the hash:
[
{
"data": {
"baseData": {
"data": "GET https://api.pwnedpasswords.com/range/<hash>",
"duration": "00:00:00.100",
"id": "|<id>.<id>",
"name": "GET /range/<hash>",
"resultCode": "200",
"success": true,
"target": "api.pwnedpasswords.com",
"type": "Ajax",
"ver": 2
},
"baseType": "RemoteDependencyData"
},
"iKey": "<id>",
"name": "Microsoft.ApplicationInsights.<id>.RemoteDependency",
"tags": {
"ai.device.id": "browser",
"ai.device.type": "Browser",
"ai.internal.sdkVersion": "javascript:1.0.21",
"ai.operation.id": "HdzCf",
"ai.operation.name": "/Passwords",
"ai.session.id": "<id>",
"ai.user.id": "<id>"
},
"time": "2021-06-10T04:27:35.000Z"
}
]Is it really necessary to send hashes to this many parties?
7 votes -
Add a "Suspended" account button
I have been reported on 3 accounts that Tumblr accounts have been breached, one of them was in fact suspended for unknown reasons.
7 votes -
Add an API endpoint that returns a rate limited response
This would allow easy testing of code to properly handle a rate limit, without having developers intentionally exceed the rate limit in order to test.
https://api.pwnedpasswords.com/rate-limited/backoff
would return a 429 response with a Retry-After header with a a value = backoff. The backoff parameter is optional and if omitted you would return the default backoff seconds (2).It is unclear whether the v2 api is rate limited. You state when describing the V2 API that it is not, but the section regarding rate limiting in the API docs does explicitly state that it doesn't apply to the V2 API. This…
7 votes -
Improve Domain Verification UX — Allow Pending State and Re-Verification Instead of Immediate Failure
Description
When adding a new domain for monitoring via DNS TXT record, the verification fails immediately if the record hasn’t propagated yet. The modal shows:
“The TXT record was not found, you may need to allow some more time for DNS to propagate between adding it then verifying.”
After that, the domain doesn’t appear anywhere in the dashboard — there’s no “pending verification” state, no option to retry verification later, and each new attempt generates a new TXT record.
This means you can’t verify a domain that takes longer to propagate unless you keep the modal open for hours and…7 votes -
Add MostRecentDate to Domain Search results
When viewing Domain Search results, it would be helpful to have column containing the date of their most recent appearance in a breach data set. This would help prioritize password changes if the search results are larger.
7 votes -
Add the “Notify Me” element to API functionality
Add the “Notify Me” element to API functionality so that people can be automatically added to the monitoring (as well as the one off checks)
7 votes -
Remove captcha from the domain page
Captcha is grotesequely unfair on people that have learning disabilities and is preventing me from properly using your service.
Find an anti-robot mechanism that doesn't penalise real people with real problems.7 votes -
Make domain notification more salient
TL;DR: Make domain-level notification (1) more obvious to find and (2) more salient in the registration form.
Feature not advertised in top bar labels
- "Home" promises e-mail one-time search,
- "Notify me" promises e-mail notification, not registration
- "Domain search" promises, well, one-time domain search.
I suggest you add either a separate label on top bar with a separate form. Or change existing "Domain search" into "Domain search+notification" (yes, it's longer, so see other suggestion below).
Feature not recognizable when found
On https://haveibeenpwned.com/DomainSearch there is only one salient title "Domain search / Search for pwned accounts across an entire domain". No title…
7 votes -
Notify email owner by phone text message
Offer the flexibility for a user to enter all email addresses owned by the user along with a mobile number through which the user gets notified if any of the listed emails are pwned.
6 votes -
Update Zygna.com data breach information
I've just been informed that the Zygna.com data breach included my phone number. Which, makes sense, since it is usually installed on mobile devices. You don't list phone numbers are part of the data breach.
6 votes -
Breach and the accounts on your domains through API
When there is a breach we get an email with the number of accounts for ur domains, then I can use the API to get the breacheddomain. But then I get alle the breaches for that domain, and I want to get only a specifiek breach. So you can search on domein and breach and then get the accounts regarding this.
6 votes -
Add Domain Connect to the "Verify by domain TXT record" method
This way TXT record can be added automatically at GoDaddy, 123reg, 1&1 IONOS and few others. See https://www.domainconnect.org/dns-providers/
6 votes -
The possibillity to be able to exclude certain email addresses from future findings
As we have a lot of students I get quite a few notifications about breaches. Sadly I get notifications about accounts that do not exist within the organisation for already over 10 years. Yet the account details keep showing up at new breaches that seems to be selling extreme old details.
I can totally understand that you do not want to remove the count of the amount of breaches found. But it would be nice to be able to mute new findings for accounts that no longer exist. That saves us going thru long lists of accounts every breach. While…
6 votes -
Domain Search Spam Filtering or Sorting
After running a domain search there is some instances that you have a small number of "Addresses Excluding Spam" and a very high number of "All Breached Addresses".
It would be super useful to be able to sort by Spam or Excluding Spam Addresses.
Maybe a dropdown or a tickbox to be able to filter out the spam breached addresses.6 votes -
Permit multiple addresses to be searched at one time
Allow multiple email addresses from different (or same) domains to be searched at one rime. I have multiple email addresses myself and manage email addresses for various other activities e.g. supporting my elderly mother and charitable work.
5 votes -
Ignore pastes over two years old
Ignore pastes that are I suggest more than two years old if the email address hasn't been pwned in that time as it's highly unlikely to become pwned after that time. Leaving it in for a pwned account gives a clue to the source of becoming pwned
5 votes -
show an example of the phone number layout for Facebook data search
Like does it include dashes? spaces?
example: +1 954-123-4567 or +19541234567?5 votes
- Don't see your idea?