General

  1. Include email addresses (or some info) for domain notifications

    If you're doing a domain notification (notifying of any info for your domain that becomes compromised), you'd like to relay concerns to your users when those alerts come up. Right now, we're just getting a number of accounts, rather than the actual specifics. Even listing email addresses would help.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    declined  ·  1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  2. Add wpengine.com breach

    There was a breach on wpengine.com, maybe data about accounts will be available somewhere
    https://wpengine.com/support/infosec/

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  3. Charge for the service

    Good service but I think you need $ to improve it.
    A user could be charged a small amount, around €1, for the release of information related to a security breach.
    The basic account could be free but the user would have to pay for advanced services.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  4. 1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  5. RSS feeds not working/validating

    Thunderbird refuses to open either your breaches or pastes RSS feeds, claiming failed validation. The w3c feed validator fails both: https://validator.w3.org/feed/
    Whether they are broken or not is beyond my experience :-)

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    declined  ·  1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  6. Please reconsider including leaked password in Notification Emails. Consider letting users opt in.

    Your users should treat this password as public information, as should you. If you are concerned about storing this information, then delete the leaked passwords once the notification emails have been sent.

    The beneficial impact of all users knowing exactly which of their passwords have been leaked is likely much greater than the dangers of your copy of the passwords being leaked since these passwords are already in the open and should be treated as public information.

    If you still feel against this, then please at least make it an opt in option. Let people opt in to agreeing to…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    It’s just too risky to handle this sort of data in a publicly facing service and not be able to store it as a secure cryptographic hash. Opting in would made a large amount of additional work to service a very small portion of the overall accounts in a breach.

  7. Somehow add suspected breaches

    Since I use a seperate email address for every domain I register for (forum/webshops) I have a fairly good picture of breached sites (currently many forum sites). Is there a way to add/investigate/report these?

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  8. when I enter capital letter in domain name it is not working. Please make it case sensitive

    when I enter capital letter in domain name it is not working. Please make it case sensitive

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  9. 1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  10. 1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Flag idea as inappropriate…  ·  Admin →
  11. 1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  12. Why did I receive an email indicating pwned on the JustDate fabricated breach, but when I search from the Home page, not listed?

    Why did I receive an email indicating pwned on the JustDate fabricated breach, but when I search from the Home page, only the Linkedin breach is noted? Is it possible that the email was spoofed? It looks almost exactly like the one i received when you posted the Linkedin breach. I suspect many others are in this same situation. Esp. if the Justdate breach was indeed 24 million people as the email indicated. Thanks.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Flag idea as inappropriate…  ·  Admin →
  13. use a protocol on your website that is properly supported.

    In all versions of Google Chrome I am now advised;

    This site can’t provide a secure connection

    haveibeenpwned.com uses an unsupported protocol.
    ERRSSLVERSIONORCIPHER_MISMATCH

    The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.

    So, why can't you use a proper protocol?

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    I’m as close to certain as possible that this is a problem at your end, there’s been a heap of traffic through the site today and yours is the only mention of this. TLS termination is done at Cloudflare and nothing has changed configuration wise.

  14. What is LogoType?

    Can you describe what the intended use of the LogoType field in the Breach object is? I can't find anything in the API docs that describes the field. I know what SVG and JPG are, but to what do they refer? Do you have (or plan to have) an API that will return a logo for the name of a breach? I can see from the source of your web pages that you have that data in the content folder

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  15. Bring back sorted hashes

    I used to lookup password hashes by a binary search in the sorted password list (iterating over the initial database and the 2 updates).

    With the new database 2.0 this is no longer possible (unless I sort the downloaded hashes).

    Please bring back the sorted hashes.

    I do not care for the counts that have been added - perhaps another file with sorted hashes and without counts (to somewhat reduce the file size) could be offered for download?

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  16. explain in the FAQ why a mail address (mine!) appears as hacked in your tool, but the associated password is not listed as hacked?

    Does it mean that the e-mail adress was hacked, but that the associated password was not decrypted? If not, why the password is not found in your database? Thanks.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  17. Not very smart features

    I've changed my password but my mail remain in the list. When my account will be "pwned" again, I will not know about it.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  18. To use hashed email address as part of the query instead of HTML encoded

    I don't know if this is already available, but I feel it will be a better idea.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  19. 1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  20. Confused by Gravatar notification

    You tell me that one of my accounts have been Pwned through the Gravatar scrape - but i've never used it or any of the associated companies mentioned. So how would my email even be on there? And, if it is, I can't see how it could have any personal data of mine attached. Thx

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base