
General

229 results found

  1. Make it possible to opt-out ex-employee addresses from domain search.

    It would be nice to have an option to opt-out addresses of ex-employees from domain searches.

    For example: I have a domain with 1200+ Apollo results. A lot (75%) of those addresses don't exist anymore. I have no problem with paying for HIBP (love the service), but 75% of the data isn't relevant anymore.

    3 votes

    There are a number of reasons why this isn't a path I want to take, starting with philosophical: a data breach is an immutable event in time and HIBP is intended to represent that event as accurately as possible. Whether someone still works for the company or not doesn't change their exposure at that point in time in the past.


    I also don't want to get into a cycle of effectively using HIBP as a triage service. I've had lots of requests in the past to do things like provide the ability to flag an address as having been reviewed post-breach and that's something that really should happen on the org side. This request is comparable to that insofar as the org would be changing the state of data in HIBP on the basis of what's happening internally within their company.


    Hope that makes sense.

  3. HOSTINGER.COM HAD A DATA BREACH

    I’m not lying, I got an email from them. Here is the blog post about it:
    https://www.hostinger.com/blog/security-incident-what-you-need-to-know/

    3 votes
  4. Interpret all permutations of an email address (period separations, +filters)

    Gmail will ignore periods in an email when it comes to routing. So email@gmail.com and e.mail@gmail.com will both go to the same address. Someone might want to use the email because it lets them filter those messages from within Gmail.

    I tested it, and as of right now, haveibeenpwned sees them as separate emails, which may give users a false sense of security.

    Develop a way to find all permutations of an email based off of their filterless email address.

    3 votes
    declined  ·  2 comments
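The address-equivalence rule described in the request above, as an added worked example that is not part of the original post or of HIBP's own code: Gmail's rules (dots ignored, a `+tag` suffix dropped, `googlemail.com` as an alias) are applied only to Gmail domains, other domains are merely lower-cased, and a second function enumerates every dotted spelling of one address so a defender can check how a breach record might have spelt it. The sample address list is constructed for the example.

```python
import itertools
from collections import defaultdict

# Domains on which dots in the local part are insignificant and '+tag' is a
# filter. Only Gmail is handled this way here; extending the set to other
# providers is an assumption the reader must verify per provider.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_address(address: str) -> str:
    """Return the canonical mailbox behind an address variant.

    For Gmail, e.mail+news@gmail.com and email@gmail.com are one inbox.
    For every other domain only case is folded, because most providers
    treat dots as significant.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {address!r}")
    local, domain = address.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        domain = "gmail.com"            # googlemail.com is an alias
        local = local.split("+", 1)[0]  # drop the filter tag
        local = local.replace(".", "")  # dots do not change delivery
    return f"{local}@{domain}"


def gmail_dot_variants(address: str) -> list[str]:
    """Every dot placement that Gmail delivers to the same inbox.

    There are 2**(len(local)-1) of them, so this is only practical for
    checking your own address against records that may use a dotted form.
    """
    local, domain = normalize_address(address).split("@")
    if domain != "gmail.com" or len(local) < 2:
        return [f"{local}@{domain}"]
    variants = []
    for gaps in itertools.product(("", "."), repeat=len(local) - 1):
        pieces = [local[0]] + [g + c for g, c in zip(gaps, local[1:])]
        variants.append("".join(pieces) + "@" + domain)
    return variants


def group_by_mailbox(addresses: list[str]) -> dict[str, list[str]]:
    """Group raw addresses (e.g. from a breach export) by canonical mailbox."""
    groups: dict[str, list[str]] = defaultdict(list)
    for raw in addresses:
        groups[normalize_address(raw)].append(raw)
    return dict(groups)


# Constructed sample input for the example; not real breach data.
SAMPLE_ADDRESSES = [
    "email@gmail.com",
    "e.mail@gmail.com",
    "Email+promo@googlemail.com",
    "other@example.com",
]

if __name__ == "__main__":
    for mailbox, raws in group_by_mailbox(SAMPLE_ADDRESSES).items():
        print(mailbox, "<-", raws)
    print(gmail_dot_variants("abc@gmail.com"))
```

Normalising at search time, as the grouping function does, is the cheap side of the problem; enumerating variants grows exponentially with the length of the local part, which is why a lookup service would want to canonicalise stored addresses rather than expand queries.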
  5. Add the recent 500K password breach for Fortinet VPNs

    With the recent revelation of the 500K+ passwords that were scraped from Fortinet VPNs all over the world, it would be of incredible value to be able to check if several deployments were caught up in the breach (by checking a few usernames). Thanks for the great work!

    3 votes
    1 comment
  6. Remove passwords which are pwned a small number of times and not seen in a long time.

    The first time I checked my password, it was not pwned.
    The second time, some days after the first, it was pwned with "seen 1 time before".
    This was no problem until now, but GitHub started using your API to check passwords and forced me to give up my good password!
    So please remove passwords which are "seen 1 time before", or at least make a feature that auto-removes passwords from your database if they are not pwned, or pwned less, over a long time.

    3 votes
  7. Tell the simple steps to get out of these problems to those who do not know the technology.

    Tell the simple steps to get out of these problems to those who do not know the technology: how to get out of the pwning of his/her email or some other account. Dr N C Ghatak.

    3 votes
  8. How to delete reported pwnage: Good news and Bad news

    make a deletion of these reports if you have seen it already....

    3 votes
  9. Make the bitcoin-related sites sensitive

    Otherwise, users of bitcoin could be targeted in order to steal their bitcoins (as they are worth so much right now).

    3 votes

    The criterion I use for sensitive breaches is that public discoverability potentially causes harm; adult websites, for example, carry a social stigma.

    An increased likelihood of phishing is common to all breaches and at present, I don’t feel that a site merely being financial in nature is sufficient to categorise it along with the likes of Ashley Madison.

  11. Version Pwned Password API

    Can you version the "Pwned Passwords" API v2 to reduce the confusion with https://haveibeenpwned.com/API/v3#APIVersion please?

    Can the "Pwned Passwords" API endpoint also specify which release of https://haveibeenpwned.com/Passwords is used within its URL?

    3 votes

    At this stage there’s no plan to version the Pwned Passwords API and it’ll continue to run independently of the APIs for searching breaches.

    See the “last-modified” response header on the API if you’re looking to identify when the data is current as of.

  12. Affected Service Warnings for various breach types

    With the most recent Telegram Combolist breach, a feature I think a wide variety of people would use is the ability to know exactly what services their email and password combination were breached in, so they can immediately change them.
    The best way of doing this would be sending HIBP subscribers an email with the lines in the Combolist (obviously with the password or other secure information redacted).

    3 votes
  13. Filter known breaches and pastes in the API

    It would be nice if we could pass a set of breach names into the https://haveibeenpwned.com/api/v3/breachedaccount and a set of paste data into https://haveibeenpwned.com/api/v3/pasteaccount and have them only provide results for the breaches and pastes not on the list, basically something like ?exclude=thing1,thing%20two for breachedaccount and something like ?exclude=%7B%22PasteBin%22:%20[%22123%22,%22456%22],%22Pastie%22:%20[%22abc%22]%7D for pasteaccount.

    3 votes

    That sounds like something you could easily filter on the client end: request the data for an account then remove all items that don’t match what you’re looking for. There’d be no performance benefit doing it on the HIBP end as the query presently just picks up an entity (the account being searched for) and returns it in its entirety.

  14. Search by hash to be EU GDPR compliant

    As a security company I would like to be able to search in your database on behalf of my clients for their employees' email addresses. The current laws in the EU prohibit this unless HIBP signs a DPA contract with my company OR we do not provide you with the email address but just a hash. My company would even pay money for this.
    I know you already declined this a couple of times, but so far nobody mentioned the aspect of legal compliance.
    THX for your work

    3 votes
  15. Please get rid of the download tool

    BitTorrent was fine. Now I do not even know which version is the current one before downloading all the stuff. No delta download: so this will increase used bandwidth on both sides (me and you).

    3 votes

    The torrent wasn't fine, it was a stagnated point in time that never evolved. If you want that then just pull down the current version and never update it again. If you want to stay current and not regularly update, then use the k-anonymity API.


    And FWIW, 99.9999% of requests to the API, either directly from apps or via the downloader, are served by Cloudflare cache and have zero impact on us in terms of bandwidth.
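The k-anonymity API referred to in the reply above, and the "seen N times" count from request 6 and the `last-modified` header from request 11, as an added worked example that is not part of the original thread or of HIBP's own client code. The client hashes the password with SHA-1, sends only the first five hex characters of the digest to the documented `https://api.pwnedpasswords.com/range/` endpoint, and matches the remaining 35 characters locally against the returned `SUFFIX:COUNT` lines, so the full hash never leaves the machine. The range body used for the offline run is constructed for the example; its counts are made up, and only the prefix/suffix of the word "password" is a real SHA-1 value.

```python
import hashlib
import urllib.request
from typing import Callable

# Documented HIBP range endpoint; the prefix is appended to it.
RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Upper-case hex SHA-1 of the password, split into the 5-character
    prefix that is sent to the API and the 35-character suffix that stays
    on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map.

    With the 'Add-Padding: true' request header the API pads the response
    with filler entries whose count is 0; those are dropped here so they
    can never be mistaken for a real hit."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not found).
    fetch_range is injected so the logic can run offline in tests."""
    prefix, suffix = split_sha1(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Fetch a real range from HIBP. The API requires a User-Agent; the
    'last-modified' response header states how current the corpus is."""
    req = urllib.request.Request(
        RANGE_ENDPOINT + prefix,
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        print("corpus last-modified:", resp.headers.get("last-modified"))
        return resp.read().decode("utf-8")


# Constructed stand-in for the response to range 5BAA6 (the SHA-1 of
# "password" starts 5BAA61E4...). Counts are invented; the last line
# mimics a zero-count padding entry.
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1E4CABCDEF0123456789ABCDEF012345678:0
"""


def sample_fetch(prefix: str) -> str:
    """Offline fetcher: serves the constructed body for 5BAA6, else empty."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print(pwned_count("password", sample_fetch))  # offline, constructed data
```

To use it for real, pass `fetch_range_live` instead of `sample_fetch`. Whatever the count, the server only ever learned a 5-character prefix shared by hundreds of other hashes, which is the property that lets a site check passwords against the corpus without disclosing them.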

  16. Screen out fake email addresses

    Right now the service you offer shows more than 170 email addresses from my domain. All of them are fake and never existed as there are less than 10 real accounts on my domain. These fake accounts push me into the paid subscription level where if it only looked at the real accounts it’d be free. Can this be remedied? Maybe allow marking of real accounts and all others considered fake?

    3 votes

    The challenge we have is that there is no viable mechanism to establish whether an account is “real” or not. So long as an address adheres to a valid set of characters and structure, there’s nothing beyond that we can do. To mitigate the risk, breaches flagged as spam lists are excluded from the count used to calculate the required subscription. More here: https://support.haveibeenpwned.com/hc/en-au/articles/7680371776399-Can-email-addresses-be-removed-from-a-domain-thus-reducing-the-subscription-level-required

  17. Add a leaderboard of the most pwned accounts

    It would be amazing if you could see which accounts have the most pwns and how many

    3 votes
  18. Classify domain tiers differently

    I have a personal domain and use a unique email address whenever signing up to a website, so I can easily block it if it gets leaked and starts receiving spam (it also makes it easy to know which site the leak came from). I'm only a single user but would be treated as a moderate sized company according to the new classifications.

    I understand the desire to classify domains and charge different pricing for them. I also appreciate that my arrangement is somewhat unusual and that your approach no doubt works for the majority of cases, it just feels…

    3 votes
  19. Catch all

    Implement support for catch-all email addresses. I use a different mail address per website I register to. It's all on the same domain, which is configured to support catch-all e-mail. In theory I could use a UUID email address per website.

    In order to prove you are the owner, you could send a verification mail to a random mail address for the given domain.

    3 votes
  20. Add database of passwords longer than 8 characters

    With the new NIST guideline of 8 character minimum password length, it would be useful to have a database of only passwords 8 characters or longer. My assumption is that this would reduce the size of the database significantly.

    3 votes
    1 comment