General
-
Offer an option to inform where you have been compromised
offer an option to inform where you have been compromised - Chemist Direct login and password details exposed via email. These were correct.
1 vote -
Include an Industry field for every breach
The API for searching a breach should include what industry the breach is from, like Web, Government, Insurance, Financial, etc.
1 vote -
Prevent the pwned passwords page from mirroring hashes to Azure App Insights
Currently when I submit a password to HIBP it sends two requests. One to https://api.pwnedpasswords.com/range/<hash> and another to https://dc.services.visualstudio.com/v2/track with a copy of the hash:
[
  {
    "data": {
      "baseData": {
        "data": "GET https://api.pwnedpasswords.com/range/<hash>",
        "duration": "00:00:00.100",
        "id": "|<id>.<id>",
        "name": "GET /range/<hash>",
        "resultCode": "200",
        "success": true,
        "target": "api.pwnedpasswords.com",
        "type": "Ajax",
        "ver": 2
      },
      "baseType": "RemoteDependencyData"
    },
    "iKey": "<id>",
    "name": "Microsoft.ApplicationInsights.<id>.RemoteDependency",
    "tags": {
      "ai.device.id": "browser",
      "ai.device.type": "Browser",
      "ai.internal.sdkVersion": "javascript:1.0.21",
      "ai.operation.id": "HdzCf",
      "ai.operation.name": "/Passwords",
      "ai.session.id": "<id>",
      "ai.user.id": "<id>"
    },
    "time": "2021-06-10T04:27:35.000Z"
  }
]
Is it really necessary to send hashes to this many parties?
1 vote -
https://gitlab.com/ronaldoats/combos.vip-live.com
List of users and passwords 2,436,867 accounts
1 vote -
Add metadata to describe how password is stored
People should have awareness about proper security of websites
Original title: List websites that do not hash passwords, but rather encrypt or store plain text such as einforma.com edpnet.be
1 vote -
correct PW info?
I checked my new long & unique 13 character PW... got the response of Not Pwned... but also: 'Oh NO this PW has been seen before in a breach'... so which is it?
I made up 2 more long & unique PWs to test this and still got the same results. How can a previously non-existent just-made-up PW show in a breach!
I truly appreciate the work your site does, but how can a PW be both safe and compromised at the same time!
1 vote -
Microsoft flow integration for a domain
An integration with Microsoft flows for a domain would be excellent. Something that would query the tenant for live or past emails in a domain and automatically notify the users about the breach.
1 vote -
Free Developer Access to Paid API
I suggest dev access.
Either by access to fake data, or by minimum access, some results based on a rank.
1 vote -
An API call that returns both paste and breach information for a given account
This may be related to rate limiting, but it would be nice if I didn't have to make two calls to get both the paste and breach information for an account.
1 vote -
Increase contrast in the footer
In the footer, there is the text "A troyhunt.com project" and 3 icons underneath it. These are very hard to see, especially the text. Please increase their contrast with the background
1 vote -
Include the affected email address in the API json structure as well.
Ingesting in Splunk becomes easier when the unique account is included in the API json data structure. Otherwise you cannot tell these individual disclosures apart.
1 vote -
Unsubscribing partial domain email breach notification with multiple domains
If you register an email notification for multiple domains, you are notified for all domains.
However, if at some point you no longer wish to be notified about one of the domains, it does not seem possible to unsubscribe from one of the domains only. (If you unsubscribe from both, and then re-subscribe to just 1 of the domains, it seems like your previous multi-domain account with the same email is reactivated, and multiple domain notifications are again emailed.)
1 vote -
Table view for breach list
It would be nice to have an option to show the list of breaches for a particular e-mail address in table form with 1 row per breach and 1 column per piece of information involved (username, e-mail, name, dob, socio-economic, ssn, etc.) with maybe a score for how egregious the underlying issue was (plaintext/unsalted md5, etc.) and/or how sophisticated the attack was.
1 vote -
Identifying Password Reuse Between Separate Breaches
When an account is included in multiple breaches, identify if the leaked password is reused, or similar password used in individual breaches.
This would be interesting for individual accounts, but more useful when monitoring domains.
If an account is included within multiple breaches, but there is low/no password reuse/similarity then we can gain a level of comfort that the leaked credentials cannot be used further.
If however the account that is included in multiple breaches has used the same or similar password across those breaches we can prioritise taking action and changing passwords for non-breached systems.
1 vote -
Internationalized domain name
Domain search verifying by email: domains with umlauts do not get an email, and there is no error message. Of course, if you convert the domain name from IDN into an ACE string before you enter it, it works.
1 vote -
Google Analytics?
I'm a European Data Privacy Officer and in my applications I don't allow any tracking cookies. Can you provide a - maybe paid - service without Google Analytics?
Thanks
Bernd
1 vote -
Due diligence search on prospective service domains
Add the ability to search for historical breach information against a prospective service domain (Facebook, linkedin, firefly.ai) that may have been breached. This feature would be very handy as part of a due diligence operation prior to using that service
1 vote -
Add date stamps to each breach listed on the home page
So visitors can quickly grasp how up-to-date your data is.
Thank you,
--Ben
1 vote -
Unable to generate new api key 21/08/19
Is there an issue with generating API keys right now? I'm unable to get a key receiving an error:
An error occurred while processing your request
The error has been logged and a notification sent.
1 vote