General
-
Make it possible to opt-out ex-employee addresses from domain search.
It would be nice to have an option to opt-out addresses of ex-employees from domain searches.
For example: I have a domain with 1200+ Apollo results. A lot (75%) of those addresses don't exist anymore. I have no problem with paying for HIBP (love the service), but 75% of the data isn't relevant anymore.
3 votes
There are a number of reasons why this isn't a path I want to take, starting with philosophical: a data breach is an immutable event in time and HIBP is intended to represent that event as accurately as possible. Whether someone still works for the company or not doesn't change their exposure at that point in time in the past.
I also don't want to get into a cycle of effectively using HIBP as a triage service. I've had lots of requests in the past to do things like provide the ability to flag an address as having been reviewed post-breach and that's something that really should happen on the org side. This request is comparable to that insofar as the org would be changing the state of data in HIBP on the basis of what's happening internally within their company.
Hope that makes sense.
-
3 votes
No.
-
HOSTINGER.COM HAD A DATA BREACH
I’m not lying, I got an email from them. Here is the blog post about it:
https://www.hostinger.com/blog/security-incident-what-you-need-to-know/
3 votes
This UserVoice is for feature suggestions. Please contact me here if you have data to load: https://www.troyhunt.com/contact/
-
Interpret all permutations of an email address (period separations, +filters)
Gmail will ignore periods in an email when it comes to routing. So email@gmail.com and e.mail@gmail.com will both go to the same address. Someone might want to use the email because it lets them filter those messages from within Gmail.
I tested it, and as of right now, haveibeenpwned sees them as separate emails, which may give users a false sense of security.
Develop a way to find all permutations of an email based off of their filterless email address.
3 votes
-
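The suggestion above is about aliasing rules on the consumer's side, so the practical fix is to canonicalise an address before comparing it against breach data rather than to search every spelling. The following is an added example (not code from HIBP or from the poster) that folds the Gmail rules the post describes, dots ignored in the local part, a +tag stripped, and googlemail.com treated as gmail.com, and that can also enumerate the dot-insertion aliases so you can see how quickly that set grows. The domain list and the cap on enumeration are assumptions for illustration, and non-Gmail domains are deliberately left untouched because most providers do not ignore dots.

```python
import itertools
from typing import List

# Assumption: domains whose local parts Google treats as dot- and +tag-insensitive.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return one canonical spelling for every address Gmail delivers to the same inbox.

    Non-Gmail domains only get the domain case-folded: RFC 5321 makes the local
    part case-sensitive in principle, and dots there are significant elsewhere.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if not local:
        raise ValueError(f"empty local part: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
        if not local:
            raise ValueError(f"local part is only dots/tag: {address!r}")
    return f"{local}@{domain}"


def same_inbox(a: str, b: str) -> bool:
    """True when both spellings reach the same mailbox under the rules above."""
    return canonical_email(a) == canonical_email(b)


def dot_variants(address: str, limit: int = 4096) -> List[str]:
    """Enumerate every dot-insertion alias of a Gmail address (2**(len-1) of them).

    Shows why searching all permutations is the wrong approach: a 13-character
    local part already has 4096 dot spellings before any +tag is considered.
    The limit is an assumed safety cap, not a Gmail rule.
    """
    canon = canonical_email(address)
    local, domain = canon.split("@")
    if domain != "gmail.com":
        return [canon]
    gaps = len(local) - 1
    if 2 ** gaps > limit:
        raise ValueError(f"{2 ** gaps} variants exceed limit {limit}")
    variants = []
    for mask in itertools.product((False, True), repeat=gaps):
        parts = [local[0]]
        for ch, insert_dot in zip(local[1:], mask):
            if insert_dot:
                parts.append(".")
            parts.append(ch)
        variants.append("".join(parts) + "@" + domain)
    return variants


if __name__ == "__main__":
    print(canonical_email("E.Mail+newsletters@googlemail.com"))  # email@gmail.com
    print(len(dot_variants("email@gmail.com")), "dot spellings of email@gmail.com")
```

Canonicalising both the address you hold and the address found in a breach, then comparing the results, catches the case the post describes; enumerating variants is only useful when the data you are querying cannot be canonicalised on your side.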
Add the recent 500K password breach for Fortinet VPNs
With the recent revelation of the 500K+ passwords that were scraped from Fortinet VPNs all over the world, it would be of incredible value to be able to check if several deployments were caught up in the breach (by checking a few usernames). Thanks for the great work!
3 votesI’ve looked at the data, there’s a very small number of username (not email) and password pairs with many of the latter already in HIBP. At present, loading these would be low-value and high-overhead.
-
Remove passwords which are pwned a small number of times and haven't been seen in a long time.
The first time I checked my password, it was not pwned.
The second time, just some days after the first, it was pwned with "seen 1 time before".
This was no problem until now, but then GitHub started using your API to check passwords and forced me to give up my good password!
So please remove passwords which were "seen 1 time before", or at least make a feature that auto-removes passwords from your database if they are not pwned or are less pwned over a long time.
3 votes
That's not a reason to remove the password, that's a discussion you should have with GitHub about what threshold to block a password at.
-
Tell the simple steps to get out of these problems for those who do not know the technology.
Tell the simple steps to get out of these problems for those who do not know the technology, i.e. how to get out of the pwning of his/her email or some other account. Dr N C Ghatak.
3 votes
-
How to delete reported pwnage: good news and bad news
Make it possible to delete these reports if you have seen them already....
3 votes
HIBP isn't intended to track the state of how individual people see and deal with breaches, there are all sorts of problems associated with that.
-
Make the bitcoin-related sites sensitive
Otherwise, users of bitcoin could be targeted in order to steal their bitcoins (as they are worth so much right now).
3 votes
The criteria I use for sensitive breaches is that the public discoverability potentially causes harm; adult websites, for example, have a social stigma.
An increased likelihood of phishing is common to all breaches and at present, I don’t feel that a site merely being financial in nature is sufficient to categorise it along with the likes of Ashley Madison.
-
Distribute large files via torrents...
subject says it all...
3 votes
This blog post explains why I didn't use torrents: https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/
Plus, with Cloudflare caching the file at their edge nodes, I can’t see any tangible upside to a torrent.
-
Version Pwned Password API
Can you version the "Pwned Passwords" API v2 to reduce the confusion with https://haveibeenpwned.com/API/v3#APIVersion please?
Can the "Pwned Passwords" API endpoint also specify which release of https://haveibeenpwned.com/Passwords is used within its URL?
3 votes
At this stage there's no plan to version the Pwned Passwords API and it'll continue to run independently of the APIs for searching breaches.
See the “last-modified” response header on the API if you’re looking to identify when the data is current as of.
-
Affected Service Warnings for various breach types
With the most recent Telegram Combolist breach, a feature I think a wide variety of people would use is the ability to know exactly which services their email and password combination were breached in, so they can immediately change them.
The best way of doing this would be sending HIBP subscribers an email with the lines in the Combolist (obviously with the password or other secure information redacted).
3 votes
The practical challenges of this are just so great (not to mention the privacy risks), that I cannot see us being able to do this at any time in the future.
-
Filter known breaches and pastes in the API
It would be nice if we could pass a set of breach names into the https://haveibeenpwned.com/api/v3/breachedaccount and a set of paste data into https://haveibeenpwned.com/api/v3/pasteaccount and have them only provide results for the breaches and pastes not on the list, basically something like ?exclude=thing1,thing%20two for breachedaccount and something like ?exclude=%7B%22PasteBin%22:%20[%22123%22,%22456%22],%22Pastie%22:%20[%22abc%22]%7D for pasteaccount.
3 votes
That sounds like something you could easily filter on the client end: request the data for an account then remove all items that don't match what you're looking for. There'd be no performance benefit doing it on the HIBP end as the query presently just picks up an entity (the account being searched for) and returns it in its entirety.
-
Search by hash to be EU GDPR compliant
As a security company I would like to be able to search in your database on behalf of my clients for their employees' email addresses. The current laws in the EU prohibit this unless HIBP signs a DPA contract with my company OR we do not provide you with the email address but just a hash. My company would even pay money for this.
I know you already declined this a couple of times, but so far nobody mentioned the aspect of legal compliance.
THX for your work
3 votes
This has already been raised and declined here: https://haveibeenpwned.uservoice.com/forums/275398-general/suggestions/8234421-allow-users-to-search-for-an-email-address-by-hash
-
Please get rid of the download tool
BitTorrent was fine. Now I do not even know which version is the current one before downloading all the stuff. No delta download: so this will increase the bandwidth used on both sides (me and you).
3 votes
The torrent wasn't fine, it was a stagnated point in time that never evolved. If you want that then just pull down the current version and never update it again. If you want to stay current and not regularly update, then use the k-anonymity API.
And FWIW, 99.9999% of requests to the API, either directly from apps or via the downloader, are served by Cloudflare cache and have zero impact on us in terms of bandwidth.
-
Screen out fake email addresses
Right now the service you offer shows more than 170 email addresses from my domain. All of them are fake and never existed as there are less than 10 real accounts on my domain. These fake accounts push me into the paid subscription level where if it only looked at the real accounts it’d be free. Can this be remedied? Maybe allow marking of real accounts and all others considered fake?
3 votes
The challenge we have is that there is no viable mechanism to establish whether an account is "real" or not. So long as an address adheres to a valid set of characters and structure, there's nothing beyond that we can do. To mitigate the risk, breaches flagged as spam lists are excluded from the count used to calculate the required subscription. More here: https://support.haveibeenpwned.com/hc/en-au/articles/7680371776399-Can-email-addresses-be-removed-from-a-domain-thus-reducing-the-subscription-level-required
-
Add a leaderboard of the most pwned accounts
It would be amazing if you could see which accounts have the most pwns and how many
3 votes
Cool idea, except for the whole privacy issue around highlighting specific email addresses! That said, the most pwned addresses are always the dummy ones - check out test@example.com 😲
-
Classify domain tiers differently
I have a personal domain and use a unique email address whenever signing up to a website, so I can easily block it if it gets leaked and starts receiving spam (it also makes it easy to know which site the leak came from). I'm only a single user but would be treated as a moderate sized company according to the new classifications.
I understand the desire to classify domains and charge different pricing for them. I also appreciate that my arrangement is somewhat unusual and that your approach no doubt works for the majority of cases, it just feels…
3 votes
Hi Justin, domain size is the only reliable metric we have to put a commensurate cost on the service. Check out this KB to minimise (or eliminate) the cost: https://support.haveibeenpwned.com/hc/en-au/articles/7707041970703-How-can-I-minimise-the-subscription-cost-of-domain-searches-
-
Catch all
Implement support for catch-all email addresses. I use a different mail address per website I register to. It's all on the same domain, which is configured to support catch-all e-mail. In theory I could use a UUID email address per website.
In order to prove you are the owner, you could send a verification mail to a random mail address for the given domain.
3 votes
This feature already exists, it's under the "Domain search" link in the nav.
-
Add database of passwords longer than 8 characters
With the new NIST guideline of 8 character minimum password length, it would be useful to have a database of only passwords 8 characters or longer. My assumption is that this would reduce the size of the database significantly.
3 votes
Multiple problems with this, namely that it then creates redundant copies of the same data and then where do you stop? A 10 char DB? A 13 one? But it also doesn't matter if you're using the k-anonymity API which I'm strongly pushing people towards, particularly because of this: https://www.troyhunt.com/pwned-passwords-open-source-in-the-dot-net-foundation-and-working-with-the-fbi/
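Several replies on this page (the "seen 1 time before" thread, the torrent thread and the one above) point people at the k-anonymity API instead of a local copy or a pre-filtered database. The following is an added example, not HIBP's or any client library's code, of what that client logic looks like: SHA-1 the candidate password, send only the first five hex characters of the hash to the range endpoint, and match the remaining 35 characters against the returned suffix:count lines locally, so the full hash never leaves the machine. The blocking threshold is applied by the caller, which is exactly the point made in the GitHub thread. The range URL and the Add-Padding header are the real API's; the sample range body and its counts are constructed for the offline test and are not real breach counts.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"
PREFIX_LEN = 5  # the API takes the first 5 hex chars of the SHA-1 (1,048,576 buckets)


def hash_password(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range responses use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex: str):
    """Prefix that is sent to the API, suffix that is matched locally and never sent."""
    return sha1_hex[:PREFIX_LEN], sha1_hex[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padded responses include suffixes with count 0,
    which are dropped so they can never be mistaken for a hit."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            raise ValueError(f"malformed range line: {line!r}")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus, 0 if never seen."""
    prefix, suffix = split_hash(hash_password(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def should_reject(password: str, fetch_range: Callable[[str], str], threshold: int = 1) -> bool:
    """Policy lives with the caller: reject when the count reaches the threshold."""
    return pwned_count(password, fetch_range) >= threshold


def http_fetch_range(prefix: str) -> str:
    """Live fetcher. Add-Padding makes every response a similar size so the
    bucket size does not leak to a network observer."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for the prefix of SHA-1("password") = 5BAA6...;
# the counts are made up for this example and are not HIBP data.
SAMPLE_RANGE_BODIES = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42",   # suffix of SHA-1("password")
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",   # padding entry, must be ignored
    ])
}


def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for http_fetch_range using the constructed bodies above."""
    return SAMPLE_RANGE_BODIES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "a long unique passphrase for this example"):
        print(pw, "->", pwned_count(pw, sample_fetch_range), "occurrences (sample data)")
```

Swap `sample_fetch_range` for `http_fetch_range` to query the real service; the response carries a `last-modified` header if you need to record which release of the corpus the answer reflects.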