General
56 results found
-
Don't Just Tell Me That SOMEONE In My Domain Has Been Pwn3d, Tell Me Who
I got an email, this morning, from HIBP, that someone on one of my domains had their account hit in the linkedIn hack, but the address was not listed in the email. It would be nice to know who that was, instead of having to test every single address in this domain to find out.
1 votePer the comment here, follow the link in the email received to run another search. Impacted addresses are never sent via email for privacy purposes.
-
API option to only return whether an account is breached or not
At the moment when querying an email address, the names of the sites breached are returned, in some circumstances this may not be desirable due to local legislation. Is it possible to have an API option to return whether an account has been involved in a breach or not rather than names of breached services?
1 vote -
Add a FAQ explaining what it means when a USERNAME that IS an e-mail address, appears on a Web site that you have never used.
There is a FAQ explaining that a non-email userid can appear as a breach from a site that you have never used, because of collisions (others reusing the same e-mail address). I have an e-mail address that I have used for 20 years, which shows up in the MYSPACE and also the BITTORRENT FORUM breaches. I have never used either of these sites. A FAQ saying how this is possible would be welcomed.
1 voteGreat suggestion! Done: https://haveibeenpwned.com/FAQs#UnknownService
-
Fix this bug: Different results of same e-mail
When I check my e-mail using the website https://haveibeenpwned.com/ it shows "Good news — no pwnage found!".
Then I clicked on "Notify me when I get pwned". I received an e-mail with an URL to confirm and, when I click this url, it opens the same site showing "Already verified" but right below "Oh no — pwned!" with one specific site that makes sense.
1 voteYou’re seeing a result when you click the verify link that’s been flagged as “sensitive”. It’s likely an adult website – these are not shown for public searches of an address.
-
Add potential causes for the 503 response.
A 503 response is given for a single query to the breached account api, but not the pwnedpassword api.
1 voteI’ve just added into on the 503 status here: https://haveibeenpwned.com/API/v2#RateLimiting
Per the existing documentation, there are no rate limits on the Pwned Passwords API.
-
Have a FAQ that explains breached passwords to users in easy to understand language
It would be nice if we had a FAQ that we could link to when checking a password against hipb, when a password is found in the list to explain to users what this means in simple terms. E.g. The password you've chosen was found in a list of passwords that have been hacked from a website in the past. We highly recommend not using such a password anywhere because it means that your account's security is extremely weakend. For more information, please read [some more detailed FAQ]
1 voteGreat idea, done! Try this: https://haveibeenpwned.com/FAQs#PwnedPasswordFound
-
haveibeenpwned.com/api
I now get this"You have been blocked from accessing this resource on Have I Been Pwned" when using the URI for account checking. I tried it on 3 systems (IPs) and get the same result
https://haveibeenpwned.com/api/v2/breachedaccount/test@test.com?truncateResponse=true
Is this because of the test@test.com?
1 voteIf you’re accessing the API, make sure you adhere to the requirements, particularly around the UA string: https://haveibeenpwned.com/API/v2#UserAgent
-
Search by email address domain?
I have my own domain with a catch-all service. Every website I register get's a different mail address which makes it easier to block addresses that receive spam (after a leak) and to check if the sender is really the sender. Checking each mail address individually is time consuming, can I somehow check all mailaddresses ending with my specific domain?
1 voteTry the domain search link on the website.
-
V5 files contain seeded hashes?
The latest V5 password files sorted by hash come up negative with all tested passwords. It looks like the hashes are seeded or non-standard. This applies to both SHA1 and NTLM files of version V5.
1 vote -
Allow CSIRTs to be able to monitor their constituents domains
CSIRTs use to monitor their customers domains in order to warn them about potential breaches, vulnerabilities and incidents related to them. It should be good to allow CSIRTs covering a large constituency (like national CSIRT, industry CSIRTs, Academic CSIRTs) to be able to monitor their constituents domains by accessing the info in a convenient way (by signing, for example, an NDA, compromise, etc)
1 voteThis is already possible via Enterprise services, get in touch for more: https://www.troyhunt.com/contact/
-
Please. could you explain whats the meaning of "pwned" in English?, because y cant't find it in any english dictionary.
Please. could you explain whats the meaning of "pwned" in English?, because y cant't find it in any english dictionary.
1 voteUpdated the FAQs today, have a look at the first one here: https://haveibeenpwned.com/FAQs
-
Provide further evidence to validate how secure this site is
Given the fact a lot of users who come to this site may already be "super" worried about putting their email address "anywhere" online due to the fact they will have come to this site pretty much following a data breach story and / or because their own account has been compromised, without giving too much away to those that like to hack, would very much appreciate a way in which you could prove an email address is not stored for a user to feel relieved / happy they can use your site confidently and enter an email address.
I…
1 voteI honestly can’t see what more I can do beyond what’s already here: https://haveibeenpwned.com/About
Beyond that, all I can add is “don’t share anything with a service you don’t trust” 🤷♂️
-
Cannot do payments from debit card for one time.
You should add debit cards also in payment and upi.
1 votePayment via debit card is already supported.
-
Being able to clear the history of breaches.
I would love to be able to clear the breached websites that my email adress has. I think this would be a great addition to the opt-out feature.
1 voteThis is pretty much what one of the opt-out options already does: “delete all data breaches against my email address”.
-
top list of worst passwords.
Not sure how prevalent very popular passwords are, so Id suggest if possible, it would be a real nice feature to see the worst offenders in order of most reused.
For instance "password", is its millions of instances actually #1 or is something else more prevalent?
Seeing the worst of the worst in terms of commonality/instances of use would be a nice tool for average users to gauge just exactly how bad that "Password1!" workaround really is.
1 voteTry this list from the NCSC: https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere
-
automatation / ml / nlp for surfacing "sensitive" breach
Curious about your thoughts on using some sort of automation / aggregation / ML to help classify what constitutes a "sensitive" breach, and also what the most up-to-date state of "sensitive breach" classification logic is.
Would also be great to have an easy-to-find and up-to-date list of what those sites are.
1 voteThis is already available on the website under the breach description here: https://haveibeenpwned.com/PwnedWebsites
Or via the API here: https://haveibeenpwned.com/API/v3#AllBreaches
- Don't see your idea?