General
119 results found
-
Prevent the pwned passwords page from mirroring hashes to Azure App Insights
Currently when I submit a password to HIBP it sends two requests. One to https://api.pwnedpasswords.com/range/<hash> and another to https://dc.services.visualstudio.com/v2/track with a copy of the hash:
[
  {
    "data": {
      "baseData": {
        "data": "GET https://api.pwnedpasswords.com/range/<hash>",
        "duration": "00:00:00.100",
        "id": "|<id>.<id>",
        "name": "GET /range/<hash>",
        "resultCode": "200",
        "success": true,
        "target": "api.pwnedpasswords.com",
        "type": "Ajax",
        "ver": 2
      },
      "baseType": "RemoteDependencyData"
    },
    "iKey": "<id>",
    "name": "Microsoft.ApplicationInsights.<id>.RemoteDependency",
    "tags": {
      "ai.device.id": "browser",
      "ai.device.type": "Browser",
      "ai.internal.sdkVersion": "javascript:1.0.21",
      "ai.operation.id": "HdzCf",
      "ai.operation.name": "/Passwords",
      "ai.session.id": "<id>",
      "ai.user.id": "<id>"
    },
    "time": "2021-06-10T04:27:35.000Z"
  }
]
Is it really necessary to send hashes to this many parties?
5 votes -
Developer mailinglist to notify of API changes
As a developer & maintainer of a HIBP package / library, keeping it up to date currently requires constantly checking the API documentation in its entirety to discover any changes. This isn't always obvious and is inefficient.
I would like to see either a mailing list that developers can subscribe to, or some other kind of notification (at minimal, at least a public changelog that can be read, but preferably something that would alert to the fact that changes have been made) that can be easily parsed to determine:
- If there have been any changes to the API
- What those changes…
4 votes -
Differentiate hashed and plaintext passwords in the data classes
Split the "Passwords" data class into "Hashed Passwords" and "Plaintext Passwords", or simply add the new types. This would allow for different actions to be taken based on the breach data. I think the plaintext identifier would be more important as a flag, and it should be used to also signify easily resolved hashes. (Maybe Passwords is the current hashed/encrypted/plain, and Plaintext is when text has been recovered)
4 votes -
Notify Me does not accept phone number
Notify Me has validation for email and does not accept a phone number.
Ability to order Notify Me by phone number also.
4 votes -
Fix captcha puzzle for IE11 users
Currently the buttons at the bottom of the "check all images that have XXX" popup don't work on IE11. Can't Verify, refresh, get help, etc. Makes notifications impossible if the puzzle appears.
4 votes -
Implement test API Key for automated domain search tests
I've created a little Python tool that queries the HIBP domain search for verified domains and breaches related to aliases of this domain. It then saves them to a CSV file.
Link to the project: https://github.com/security-companion/hibp-harvester
For better quality I would like to add automated testing via GitHub Actions. So my question is if you could provide a test API key that has some domains subscribed with some breaches in the aliases, so that I could query these and by this make sure the code is still good when I change something.
For creating the tool I made a subscription and…
4 votes -
Google Analytics?
I'm a European Data Privacy Officer and in my applications I don't allow any tracking cookies. Can you provide a - maybe paid - service without Google Analytics?
Thanks
Bernd
4 votes -
Indicate which data classes were compromised for each record in a breach
So yeah, when testing an email address, it should be made clear in the returned results whether the full data (name, physical address, email) or only the email address was leaked.
This is important because the Ledger hack is more serious than many others to the security of those leaked.
4 votes -
Add Telegram Bot
Add an official Telegram Bot to receive updates directly from Telegram about phone numbers (actually not present) and emails that are leaked.
4 votes -
Anonymous statistics about the collected data
Just to satisfy our hunger for data and curiosity about lists of all kinds of things, it would be interesting if the massive amount of data HIBP has collected was processed to produce new data. It doesn't need to be searchable like Shodan's or GreyNoise's (while this would be amazing, we don't need to think too much to understand the implied risks) and should not disclose sensitive information, but even with this limitation in the way it would be presented to the public (and keeping in mind the growing adoption of GDPR and similar regulations around the world), there are several processing…
4 votes -
Add basic correlation logic to compare newly found pastes against current breaches...
Some sort of fuzzy matching & correlation with already posted breaches to see if the paste is just another re-post of the data from another known breach.
One way to do this is to look for emails that have the + syntax, which typically means that the user has created a somewhat unique email for a particular service, company, etc.
3 votes -
Different payment methods
Since credit card is not commonly used in some parts of the world, adding PayPal for example could create access for more companies.
3 votes -
Split up breach listing page
This page:
https://haveibeenpwned.com/PwnedWebsites#Facebook
Is surprisingly difficult to browse on mobile, because it's so very long.
The anchor link doesn't seem to always take you to the right section, because of the page length, at least on mobile. On desktop, it works fine though.
3 votes -
Whitelisting to filter out notification on addresses appearing in most notifications
For large companies monitoring their appearances in notifications there are public addresses (like (info|support|help|contact)@<domain>), which may mean a team receives notifications for most new breaches, often for singular results of these 'public addresses' in breaches that are not of concern.
3 votes -
Add % of p0wn count already in DB as new field in API
E.g. https://twitter.com/haveibeenpwned/status/1180912324644888576: '87% of addresses were already in @haveibeenpwned'. In this case 87% of the 988k records were already in the DB. I can see the PwnCount, but not the % that was already in the DB; that's the attribute I'd like to be doing some querying on.
3 votes -
Request a company to be investigated for a breach
Although this was downvoted, I suspect some companies are not reporting their breaches or they do not know about them.
My most recent was EpicGames, which Have I Been Pwned (Passwords page) says my password has not been pwned. But it was pwned, and was used to access my Gmail, EpicGames and other sites.
I'm not sure what can be done - I think people like me can help collaborate in a way that can lead to discovering unreported breaches and whistle blow those companies to notify their users of breaches.
Why do I have to become a hacker to…
3 votes -
Trial/Demo data to test against companies' SIEM systems
There is no possibility to test the API against a company's solution without buying the cheapest version. The problem is that in some companies it is not possible to buy a solution just to test if it works for them.
3 votes -
Alert for physical address
Now Slickwraps has your address, notify the person.
(but how, how do you verify if a person owns the address? email and address in a past leak? (also could be abused))
3 votes -
curl script for documentation
The API call documentation is not clear. Can you guys just use curl command lines for documentation, or Postman?
3 votes -
Show me an example of the response that is received when a phone number is sent to the breachedaccounts api endpoint
I am working on an application; I am unable to find a number that was in a breach. Can you please provide me an example response when a phone number is queried to the breachedaccounts API? I just need to look at the structure and the keys.
3 votes