General
-
Opt out till next breach
I saw a breach on my email, I've strengthened the security, logged out of services and stuff.
I would like to opt out now, and come back at a later date to see if I have new breaches. Because this way I can rest assured that my new security changes are working, instead of seeing the breach result regardless of whether I strengthen the security or not.
3 votes
You can do this already: https://haveibeenpwned.com/OptOut
-
3 votes
I am in no way supportive of private class actions in the vast majority of cases and do not want to do anything to encourage them. Full blog post coming this week.
-
Domain search
I own several domains and I would like to check any email address with that domain.
Simply verify by sending a confirmation request to a random email address with that domain e.g. h1ytsh4t uhh674@larshjorth.dk
3 votes
This reads like a personal request for verification with a non-standard alias. HIBP already provides a mechanism for domain verification using standard administrator email addresses.
-
Insert Breach's "Permalink"
Can you please insert the breach's "Permalink" returned by the API?
For example, include "Permalink" : "https://haveibeenpwned.com/PwnedWebsites#Adobe" similar to the existing key/value pair of "LogoPath".
3 votes
You can already derive this from the breach name: https://haveibeenpwned.com/PwnedWebsites#{breach name}
-
Add a captcha
Because people often use the same user and password combination on multiple sites. If you can search here if you have an account on multiple sites, others can too. If you can slow down automatic search, abusers can be scared away
3 votes
A CAPTCHA implementation poses an unacceptable usability barrier whilst providing little practical benefit and would entirely break the API implementation.
-
Provide a open sourced version of the PB scraper for users to run at home and tinker with.
Title explains it.
3 votes
HIBP gets the paste feed from Dumpmon which is already open-sourced here: https://github.com/jordan-wright/dumpmon
-
Add as a FAQ how Pwned Passwords aligns with Google's new Safety Check
Google now detects some email / password combo breaches. Google doesn't have any more detail on when / what / where. What might explain any difference w Pwned Passwords?
3 votes
Totally different services, I’m unsure whether Google uses any data from HIBP or just sources it all themselves.
-
Domain Search Email Validation Not Working
I'm not receiving emails while attempting to validate my ownership of a domain. We're using Office 365 and the email doesn't appear to be getting caught by the spam or phishing filters.
3 votes
This site is used for feature requests, not support. If you’re not receiving emails it’ll be because your mail server is blocking them.
-
Include leaked password
You very kindly just sent me an email that my email address and unsalted password were included in the 2012 LinkedIn breach.
I can't remember which password I was using in 2012, and hence don't know which other accounts need a password change. Could you send the leaked hash (or otherwise, depending on the breach) to the affected email?
3 votes
This presents too many risks, more info here: https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/
-
search by hash to be EU GDPR laws compliant
As a security company I would like to be able to search in your database on behalf of my clients for their employees' email addresses. The current laws in the EU prohibit this unless HIBP signs a DPA contract with my company OR we do not provide you with the email address but just a hash. My company would even pay money for this.
I know you already declined this a couple of times but so far nobody mentioned the aspect of law compliance.
THX for your work
3 votes
This has already been raised and declined here: https://haveibeenpwned.uservoice.com/forums/275398-general/suggestions/8234421-allow-users-to-search-for-an-email-address-by-hash
-
HOSTINGER.COM HAD A DATA BREACH
I’m not lying, I got an email from them. Here is the blog post about it:
https://www.hostinger.com/blog/security-incident-what-you-need-to-know/
3 votes
This UserVoice is for feature suggestions. Please contact me here if you have data to load: https://www.troyhunt.com/contact/
-
Feature that allows you to search for all the sites your email has been used to create a log in for
I would like to know which websites I have created a username on with my email address so that I can access them and manage the passwords for them. At this time, I can only manage the ones I REMEMBER using my email to sign up with, but I know there are probably hundreds out there that I have created login credentials for because just about every site out there requires you to create an account in order to use it.
I want to protect those accounts BEFORE I know a breach has occurred so there are no surprises.
3 votes
This is what a password manager does! Here you go: https://haveibeenpwned.com/1Password
-
Site pwned notefull.com
https://pastebin.com/JhbQGea2
a bunch of passwords
3 votes
Added to HIBP as a paste, closing this as “declined” as User Voice is typically meant to be for new ideas
-
Add Retry-After to Access-Control-Expose-Headers
When hitting a 429 response, a cross-origin request does not have access to the Retry-After header.
3 votes
If the 429 is raised by the origin web server, you’ll get a retry-after. If you’ve been absolutely hammering the service and Cloudflare steps in and rate limits, you won’t get a retry-after from them.
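The two situations in the reply above (a 429 with a Retry-After from the origin, and a 429 with no Retry-After at all) are what an API client has to handle, and the CORS point in the request is why a browser caller may not see the header even when the origin sends it. The following is an added example, not code from HIBP; it models a browser's header filtering with the CORS-safelisted response-header list from the Fetch standard, parses both Retry-After forms (delta-seconds and HTTP-date), and falls back to capped exponential backoff when the header is absent or unparseable. The header values and timestamps are constructed for the example.

```python
"""Client-side handling of HTTP 429 with or without Retry-After.

Added example, not HIBP's code. Shows (1) the headers a server needs on a
429 so cross-origin script can read Retry-After, (2) an approximation of
which headers a browser exposes cross-origin, and (3) client retry delay
that honours Retry-After when present and backs off on its own otherwise
(the upstream-rate-limiter case, where no Retry-After arrives).
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# CORS-safelisted response-header names (Fetch standard). Anything else is
# hidden from cross-origin script unless named in Access-Control-Expose-Headers.
CORS_SAFELISTED = {
    "cache-control", "content-language", "content-length",
    "content-type", "expires", "last-modified", "pragma",
}


def rate_limit_headers(retry_after_seconds: int) -> dict:
    """Headers to send with a 429 so a cross-origin caller can read Retry-After."""
    return {
        "Retry-After": str(retry_after_seconds),
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Expose-Headers": "Retry-After",
    }


def cors_visible(headers: dict) -> dict:
    """Approximate the subset of response headers a browser exposes cross-origin."""
    raw = headers.get("Access-Control-Expose-Headers", "")
    exposed = {h.strip().lower() for h in raw.split(",") if h.strip()}
    return {k: v for k, v in headers.items()
            if k.lower() in CORS_SAFELISTED or k.lower() in exposed}


def parse_retry_after(value, now: datetime):
    """Seconds to wait from a Retry-After value; None if absent or unparseable."""
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():                      # delta-seconds form
        return float(value)
    try:                                     # HTTP-date form
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return max(0.0, (when - now).total_seconds())


def next_delay(headers: dict, attempt: int, now: datetime,
               base: float = 1.0, cap: float = 60.0) -> float:
    """Delay before retrying a 429: honour Retry-After, else exponential backoff."""
    wait = parse_retry_after(headers.get("Retry-After"), now)
    if wait is not None:
        return min(wait, cap)
    return min(base * (2 ** attempt), cap)   # no header: back off on our own


def demo() -> dict:
    """Run the scenarios on constructed headers with a fixed clock."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)       # constructed "now"
    hdrs = rate_limit_headers(30)
    without_expose = {k: v for k, v in hdrs.items()
                      if k != "Access-Control-Expose-Headers"}
    return {
        "exposed": "Retry-After" in cors_visible(hdrs),
        "not_exposed": "Retry-After" in cors_visible(without_expose),
        "delta": parse_retry_after("2", now),
        "http_date": parse_retry_after("Mon, 01 Jan 2024 00:00:05 GMT", now),
        "no_header": next_delay({}, attempt=3, now=now),
        "capped": next_delay({"Retry-After": "120"}, attempt=0, now=now),
        "invalid": next_delay({"Retry-After": "soon"}, attempt=1, now=now),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `cors_visible` model is deliberately narrow: it does not handle credentialed requests or the `*` wildcard in `Access-Control-Expose-Headers`, only the case the request above describes. The cap in `next_delay` also bounds a server-supplied Retry-After, so a client never sleeps indefinitely on a bad header value.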
-
consider social security numbers?
What potential is there to provide data on SSNs that have been exposed in a breach? This seems much more borderline dangerous, but I'm curious whether you've given any thought to it and the problems / possibilities you see.
3 votes
American social security numbers are considered sensitive personally identifiable information and I don’t intend to store them in HIBP.
-
Remove password which is pwned on small and don't see in long time.
The first time I checked my password, it was not pwned.
The second time, some days after the first, it was pwned with "seen 1 time before".
This was no problem until now, but GitHub started using your API to check passwords and forced me to give up my good password!
So please remove passwords which are "seen 1 time before", or at least make a feature that auto-removes a password from your database if it is not pwned or less pwned over a long time.
3 votes
That’s not a reason to remove the password, that’s a discussion you should have with GitHub about what threshold to block a password at.
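The reply above puts the decision on the integrator: the data says how many times a password was seen, and the consuming site chooses the threshold at which it rejects one. The following is an added example, not HIBP's or GitHub's code, of a k-anonymity lookup with that threshold applied. The range API format is the real one (the caller sends the first five hex characters of the SHA-1 and receives `SUFFIX:COUNT` lines), but the range response embedded here is constructed for the example and its counts are not real HIBP data; `fetch_range` is included only to show the live call and is not used offline.

```python
"""Pwned Passwords range check with a consumer-chosen block threshold.

Added example, not HIBP's or GitHub's code. Uses the k-anonymity model of
the Pwned Passwords API: only the first 5 hex chars of the SHA-1 leave the
client; the response lists 35-char suffixes with their breach counts.
The range data below is constructed; counts are not real.
"""
import hashlib
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed range for prefix 5BAA6 (the prefix of SHA-1("password")).
# The count of 1 models the "seen 1 time before" case from the request.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1\n"
        "00000000000000000000000000000000000:3\n"   # made-up suffix
    ),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str):
    """(5-char prefix sent to the API, 35-char suffix kept locally)."""
    return full_hash[:5], full_hash[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skip blank/malformed lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup against the real API (network); not used by demo()."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "pwned-range-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, range_lookup, threshold: int = 1):
    """Return (count, blocked). range_lookup maps a prefix to a range body.

    blocked is True only when the password was seen at least `threshold`
    times; a count of 0 (absent, or a padded dummy entry) never blocks.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    count = parse_range(range_lookup(prefix)).get(suffix, 0)
    return count, count > 0 and count >= threshold


def demo() -> dict:
    """Same password, two policies; plus a password absent from the data."""
    lookup = lambda prefix: CONSTRUCTED_RANGES.get(prefix, "")
    return {
        "strict": check_password("password", lookup, threshold=1),
        "lenient": check_password("password", lookup, threshold=2),
        "unseen": check_password("not in the constructed range", lookup),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: count={result[0]} blocked={result[1]}")
```

With `threshold=1` the "seen 1 time" password is rejected, with `threshold=2` it is allowed; the data is identical in both runs, which is the point of the reply. To use it live, swap the `lookup` lambda for `fetch_range`; the full hash still never leaves the client.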
-
Cit0day - is it possible to include the site(s) whose lists an email appeared in?
In the alert email for the Cit0day breach, the only information provided is that one's email appeared somewhere in the breach of the 23k websites. If it's possible, it could be helpful for users to be informed of which specific site(s) their credentials were listed under.
I fully grant the larger point about encouraging the use of a password manager to mitigate the risk regardless. Thanks! :)
3 votes
HIBP only matches an email address to a single “breach” (which is what the Cit0day collection is treated as) and doesn’t have a provision to add any additional data such as which file the email address appeared in.
-
Catch all
Implement support for catch-all email addresses. I use a different mail address per website I register to. It's all on the same domain that is configured to support catch-all e-mail. In theory I could use a UUID email address per website.
In order to prove you are the owner you could send a verification mail to a random mail address for the given domain.
3 votes
This feature already exists, it’s under the “Domain search” link in the nav.
-
improvements to domain search for bigger companies
At thousands of employees, the usability of the domain search falls off a cliff. Here are some of the problems I'm seeing and what would improve my use case significantly.
problems:
1) email and personal data leaks are a spam/phish/identity problem: password leaks are a direct attack liability
2) company has been around for a decade, thousands of employees, list of leaks and affected users by any of the leaks is long and unwieldy
3) constantly investigating users that are no longer active
potential improvements:
1) focus on password leaks as a higher level of leak than just email and/or personal data…
3 votes
This really goes beyond the purpose of HIBP and starts to get into the internal triage processes of your organisation. The intention is to provide the data as I’ve been able to obtain it then the consumer works out what to do with it; which ones are serious (it differs by org), which addresses are still relevant (definitely not something I want to track), and what actions have been taken for an individual breach. APIs exist for you to handle this in conjunction with the domain search.
-
Create or Develop an App for this website name as app name called "Have I Been pwned?/HIBP"
Make it easier to trace on your phone if someone is trying to pwn you: by opening the app, boom, you already know the updates about your account quickly.
3 votes
Just bookmark this page (change the address accordingly): https://haveibeenpwned.com/account/test@example.com