General
-
Anonymous statistics about the collected data
Just to satisfy our hunger for data and curiosity about lists of all kinds of things, it would be interesting if the massive amount of data HIBP was processed to produce new data. It doesn't need to be searchable like Shodan's or GreyNoise's (while this would be amazing we don't need to think too much to understand the implied risks) and should not disclose sensitive information, but even with this limitation in the way it would be presented to the public (and keeping in mind the growing adoption of GDPR and similar regulations around the world), there are several processing…
4 votes -
"Leak date" column in spreadsheet
It would be better if the spreadsheet with the leak records had a "leak date" column.
3 votes -
Add basic correlation logic to compare newly found pastes against current breaches...
Some sort of fuzzy matching & correlation with already posted breaches to see if the paste is just another re-post of the data from another known breach.
One way to do this is look for emails that have the + syntax, which typically means that the user has created a somewhat unique email for a particular service, company, etc
3 votes -
Show me an example of the response that is received when a phone number is sent to the breachedaccounts api endpoint
I am working on an application - I am unable to find a number that was in a breach. Can you please provide me an example response when a phone number is queried to the breachedaccounts api. I just need to look at the structure and the keys
3 votes -
Split up breach listing page
This page:
https://haveibeenpwned.com/PwnedWebsites#Facebook
Is surprisingly difficult to browse on mobile, because it's so very long.
The anchor link doesn't seem to always take you to the right section, because of the page length, at least on mobile. On desktop, it works fine though.3 votes -
Whitelisting to filter out notification on addresses appearing in most notifications
For large companies monitoring their appearances in notifications there are public addresses (like (info|support|help|contact)@<domain> which will may mean a team receives notifications for most new breaches, but for often singular results of these 'public addresses' in breaches not of concern.
3 votes -
Provide option to delete email addresses after unsubscribing from notifications
When unsubscribing from the notification service, the email addresses are still stored in the database. When you're going to re-subscribe, the email tells you that you already verififed the email address.
To comply with data minimization, an option should be given for record should be completely deleted when unsubscribing.
3 votes -
Request a company to be investigated for a breach
Although this was downvoted, I suspect some companies are not reporting their breaches or they do not know about them.
My most recent was EpicGames, which Have I been Pwnd (Password page) says my password has not been pwned. But it was pwned, and was used to access my Gmail, EpicGames and other sites.
I'm not sure what can be done - I think people like me can help collaborate in a way that can lead to discovering unreported breaches and whistle blow those companies to notify their users of breaches.
Why do I have to become a hacker to…
3 votes -
Opt-in again after opting-out
I know that these suggestions have appeared many, many, many times.
While it is currently possible to change your mind to another of the three points after you opt-out, it would be more useful and right to add the option to opt-in back. At least for new breaches.
One of the reasons is that 1Password Watchtower simply stops working for email searches.
3 votes -
Alert for physical address
Now Slickwraps has your address, notify the person.
(but how, how do you verify if a person owns the address? email and address in a past leak? (also could be abused))
3 votes -
Add % of p0wn count already in DB as new field in API
EG; https://twitter.com/haveibeenpwned/status/1180912324644888576 '87% of addresses were already in @haveibeenpwned'. In this case 87% of the 988k records were already in the DB. I can see the PwnCount, but not the % that was already in the DB, that's the attribute I'd like to be doing some querying on.
3 votes -
Options to Recover Hacked accounts
Ive been hacked on 3 personal computers, 1 Verizon phone and 2 burner phones almost immediately after activating them. It all happened at the same time. Then the burners 2 days in a row.
WTF is the point? Even my truck is hacked? Who hacks new phones so obviously with 0 information?
They hacked a 4th computer which is a corporate laptop for I'm a Fortune 500 company. "They got a little cocky with that one." Is anything available to recover several email accounts, photo galleries, apps, ect. That use the same email address?
They grouped photos and videos of…2 votes -
Add hover text to define "paste" and "paste accounts" on home page
I had to hunt around in About to learn what these were.
Thank you,
--Ben2 votes -
CSO need terms to be able to use HIBP in their company.
We have integrated HIBP api in some of our security tools in our company in order to estimate the probability of one of our client getting hacked if his email appears in many breaches.
We beta tested it, but our legal staff pointed out that we needed terms on the website to be able to use it, as the fact you only tell that you don't collect and store email that are searched (we do trust you but legal team don't work on trust :p) is not enough.
we got in touch with the french "national comity for IT liberty"…
2 votes -
For each of the download files, can you make available a sample file with 100 rows?
Instead of downloading the large file to see the file format, I would like to download a 100-row example. This would save bandwidth and allow someone to experiment with integrating the database into an app without having to download the very large example.
2 votes -
user submission of phish mails that charge bitcoin ransom by putting old password in subject
i got yet another mail with the same template of putting one of my previously used passwords that have been potentially obtained from one or more breaches.
there has to be a secure process that hibp can build for users if they can responsibly reset all the site logins where that password is used and maybe make hibp aware that there are breaches from where these credentials are obtained and perhaps get a way to be alerted to. user may take a decision if they want to continue with the service that was breached, regardless of changing the password.2 votesI definitely don’t want to end up in a position where HIBP has the power to reset people’s passwords. If I’ve misunderstood and you’re talking about flagging potential breaches instead, vote for this idea: https://haveibeenpwned.uservoice.com/admin/v3/ideas/34782007/
-
Alert when a new version of the file is uploaded
I would like to receive an alert when a new version of the file is uploaded
2 votes -
Stop address reuse. Set up a btcpayserver for bitcoin donations instead
I love your site. But for someone giving advice to not reuse passwords, its ironical that you have a static bitcoin address for donations. (FYI: I already donated, and I'll gladly do it again. This is just a tip)
"Address reuse" in bitcoin is problematic as it ties together funds in a way that reduces privacy and security for all involved parties.
Rather, each transaction should always be made to its own address. All modern wallets support this concept. Check out https://btcpayserver.org/ for a free, self-hosted, open source payment processor that is aligned with Bitcoin's (and your own) values of…
1 vote -
Notify Me does not accept phone number
Notify me has validation for email and does not accept phone number.
Ability to order notify by phone number also.
1 vote -
1 vote
- Don't see your idea?