General
-
Add the ability for a domain owner to view and unsubscribe any currently setup domain subscription
A domain subscription checker (done with similar verification to the domain verification links) would enable the domain owner to check only current employees have access to the information, and to revoke any incorrectly or outdated subscriptions on the domain without having to have access to each destination mailbox.
From personal mistake:
I've subscribed for domain alerts, copied the verification token and authorised before it took me back to a screen that showed I'd mis-spelt the notification email address hostname! That means someone else now is approved to see full domain level summary. As the notification email address is different…
8 votes -
Summarise the breach info at the top of domain wide searches
When you search across a domain at present, the breach name is listed next to each impacted account but it's not clear when it happened or when it was loaded into HIBP. It might not make sense to list this info next to every single breached account in the list, but a summary at the top of the page listing key attributes of each relevant breach would be handy.
8 votes -
Add MostRecentDate to Domain Search results
When viewing Domain Search results, it would be helpful to have a column containing the date of their most recent appearance in a breach data set. This would help prioritize password changes if the search results are larger.
7 votes -
Add the “Notify Me” element to API functionality
Add the “Notify Me” element to API functionality so that people can be automatically added to the monitoring (as well as the one off checks)
7 votes -
Make domain notification more salient
TL;DR: Make domain-level notification (1) more obvious to find and (2) more salient in the registration form.
Feature not advertised in top bar labels
- "Home" promises e-mail one-time search,
- "Notify me" promises e-mail notification, not registration
- "Domain search" promises, well, one-time domain search.
I suggest you add either a separate label on top bar with a separate form. Or change existing "Domain search" into "Domain search+notification" (yes, it's longer, so see other suggestion below).
Feature not recognizable when found
On https://haveibeenpwned.com/DomainSearch there is only one salient title "Domain search / Search for pwned accounts across an entire domain". No title…
7 votes -
A few more details on the breach need to be included
Need a few other details on the breaches that happened in the past. It's good we get the information details completely. The same is included in http://www.askmein.com/tools/have-i-been-pwned
7 votes -
Full email service for companies to help CISOs
Hello,
I'm using Have I been Pwned to find out unsealed email accounts and passwords for our company domain and I'm very pleased about this service.
But to make life easier I suggest the following service:
1) I sign in at Have I Been Pwned.
2) I type in and confirm all domains of my company
3) I define a text to inform my users about a possible problem, that their passwords are maybe lost.
4) I accept the actual status of unsealed account information as the base line
5) If new breaches of user accounts will occur Have I…
7 votes -
Add a "Suspended" account button
I have been reported on 3 accounts that Tumblr accounts have been breached, one of them was in fact suspended for unknown reasons.
7 votes -
Add an API endpoint that returns a rate limited response
This would allow easy testing of code to properly handle a rate limit, without having developers intentionally exceed the rate limit in order to test.
https://api.pwnedpasswords.com/rate-limited/backoff
would return a 429 response with a Retry-After header with a value = backoff. The backoff parameter is optional and if omitted you would return the default backoff seconds (2).
It is unclear whether the v2 api is rate limited. You state when describing the V2 API that it is not, but the section regarding rate limiting in the API docs does explicitly state that it doesn't apply to the V2 API. This…
7 votes -
Remove captcha from the domain page
Captcha is grotesquely unfair on people that have learning disabilities and is preventing me from properly using your service.
Find an anti-robot mechanism that doesn't penalise real people with real problems.
7 votes -
Add Domain Connect to the "Verify by domain TXT record" method
This way the TXT record can be added automatically at GoDaddy, 123reg, 1&1 IONOS and a few others. See https://www.domainconnect.org/dns-providers/
6 votes -
Notify email owner by phone text message
Offer the flexibility for a user to enter all email addresses owned by the user along with a mobile number through which the user gets notified if any of the listed emails are pwned.
6 votes -
Add a "Get all pastes for a domain" API endpoint
Currently, HIBP offers a "Get all breached email addresses for a domain" API endpoint and a "Get all pastes for an account" endpoint, but no endpoint exists to search for all pastes for a domain.
The domain search API endpoint is incredibly efficient (especially for enterprise customers), but it does not return known pastes for each account. This can be very painful for multiple reasons (not limited to):
1.) Just because an account has NOT been seen in a third-party breach tracked by HIBP does NOT mean it hasn't been seen in a paste. This means we are seeing an…
6 votes -
Domain Search Spam Filtering or Sorting
After running a domain search there are some instances where you have a small number of "Addresses Excluding Spam" and a very high number of "All Breached Addresses".
It would be super useful to be able to sort by Spam or Excluding Spam Addresses.
Maybe a dropdown or a tickbox to be able to filter out the spam breached addresses.
6 votes -
Breach and the accounts on your domains through API
When there is a breach we get an email with the number of accounts for our domains, then I can use the API to get the breacheddomain. But then I get all the breaches for that domain, and I want to get only a specific breach. So you can search on domain and breach and then get the accounts regarding this.
6 votes -
Update Zygna.com data breach information
I've just been informed that the Zygna.com data breach included my phone number. Which makes sense, since it is usually installed on mobile devices. You don't list phone numbers as part of the data breach.
6 votes -
Return usernames/email addresses with Pwned Passwords api by using a k-Anonymity model
The chances for old email addresses to be listed in a breach is very high. After some decades of use the email address occurs in a breach with a hopefully old password and is used with new passwords currently.
Thus, it would be great if I could test if a specific username – password combination has been listed in a breach. As far as I understand the API this isn’t possible at the moment.
The relating email addresses could be returned after the number of breaches in the api.pwnedpasswords.com return value. This approach has the problem that foreign email addresses…
5 votes -
show an example of the phone number layout for Facebook data search
Like does it include dashes? spaces?
example: +1 954-123-4567 or +19541234567?
5 votes -
Prevent the pwned passwords page from mirroring hashes to Azure App Insights
Currently when I submit a password to HIBP it sends two requests. One to https://api.pwnedpasswords.com/range/<hash> and another to https://dc.services.visualstudio.com/v2/track with a copy of the hash:
[
  {
    "data": {
      "baseData": {
        "data": "GET https://api.pwnedpasswords.com/range/<hash>",
        "duration": "00:00:00.100",
        "id": "|<id>.<id>",
        "name": "GET /range/<hash>",
        "resultCode": "200",
        "success": true,
        "target": "api.pwnedpasswords.com",
        "type": "Ajax",
        "ver": 2
      },
      "baseType": "RemoteDependencyData"
    },
    "iKey": "<id>",
    "name": "Microsoft.ApplicationInsights.<id>.RemoteDependency",
    "tags": {
      "ai.device.id": "browser",
      "ai.device.type": "Browser",
      "ai.internal.sdkVersion": "javascript:1.0.21",
      "ai.operation.id": "HdzCf",
      "ai.operation.name": "/Passwords",
      "ai.session.id": "<id>",
      "ai.user.id": "<id>"
    },
    "time": "2021-06-10T04:27:35.000Z"
  }
]
Is it really necessary to send hashes to this many parties?
5 votes