
General

204 results found

  1. RSS feeds not working/validating

    Thunderbird refuses to open either your breaches or pastes RSS feeds, claiming failed validation. The w3c feed validator fails both: https://validator.w3.org/feed/
    Whether they are broken or not is beyond my experience :-)

    1 vote
    declined  ·  1 comment
  2. Add wpengine.com breach

    There was a breach on wpengine.com, maybe data about accounts will be available somewhere
    https://wpengine.com/support/infosec/

    1 vote
  3. Add URL for a certain paste

    Using the crowd, I have finally solved the mystery which database a certain paste represents: http://security.stackexchange.com/questions/108191/what-can-i-do-if-i-discover-that-my-password-hash-has-been-leaked-in-pastebin

    Can I/Could you add that information?

    1 vote
  4. acknowledge option

    Hi,
    It will be nice to have an "acknowledge" option if I subscribe - so when I see the list of sites/accounts I changed my password too I would be able to acknowledge and then see only new threats as red

    Thanks,

    1 vote
  5. Stop sending bogus emails

    I've had emails saying that both my Tumblr and MySpace accounts have been breached, however I don't have accounts on either system.

    1 vote
    declined  ·  1 comment
  6. Ok, so I've been pwned, now what?

    Is there a means of fixing the issue?

    Can I get my name off the pwned list? (without opting out)

    Would it help to contact the pwned website(s) with my data?

    Thanks

    1 vote
    declined  ·  1 comment
  7. Include email addresses (or some info) for domain notifications

    If you're doing a domain notification (notifying of any info for your domain that becomes compromised), you'd like to relay concerns to your users when those alerts come up. Right now, we're just getting a number of accounts, rather than the actual specifics. Even listing email addresses would help.

    1 vote
    declined  ·  1 comment
  8. Incomplete Data

    One of my several email IDs has been part of one of the data leaks, but searching here shows that it is not. This shows there is some discrepancy in the data you refer to. I cannot reveal much publicly here but you can reach out to me and I shall share more details.

    1 vote
    1 comment
  9. Esso Canada called me regarding their speedpass rewards program being compromised. Not sure if it's a one-off or more than that.

    Customer service said that someone accessed my account, changed the email address on file, then proceeded to order e-gift cards.

    Can you check into it if possible?

    1 vote
    1 comment
  10. Allow notifications for an entire domain or allow a way to pull the domain report without having to verify every time.

    We have access to a private feed of password dumps that we query every day automatically so we can proactively notify our users of account compromises. It would be really cool if we could also query haveibeenpwned in a similar fashion without having to manually verify domain ownership each time. This would allow us to automate the retrieval of the report.

    Another option would be to allow people to sign up for domain-wide notifications similar to how you allow people to sign up for individual account notifications.

    Either way, the goal is to automatically receive or retrieve the information so we…

    1 vote
    declined  ·  1 comment
  11. Charge for the service

    Good service but I think you need $ to improve it.
    A user could be charged a small amount, around €1, for the release of information related to a security breach.
    The basic account could be free but the user would have to pay for advanced services.

    1 vote

    I’m quite clear at this time that I don’t want to charge people for a service that does them good, nor do I want to put them at more risk by making data beyond their email address accessible over the web.

  12. 1 vote
  13. Please reconsider including leaked password in Notification Emails. Consider letting users opt in.

    Your users should treat this password as public information, as should you. If you are concerned about storing this information, then delete the leaked passwords once the notification emails have been sent.

    The beneficial impact of all users knowing exactly which of their passwords have been leaked is likely much greater than the dangers of your copy of the passwords being leaked since these passwords are already in the open and should be treated as public information.

    If you still feel against this, then please at least make it an opt in option. Let people opt in to agreeing to…

    1 vote

    It’s just too risky to handle this sort of data in a publicly facing service and not be able to store it as a secure cryptographic hash. Opting in would make a large amount of additional work to service a very small portion of the overall accounts in a breach.

  14. Somehow add suspected breaches

    Since I use a separate email address for every domain I register for (forum/webshops) I have a fairly good picture of breached sites (currently many forum sites). Is there a way to add/investigate/report these?

    1 vote
  15. 1 vote
    1 comment
  16. Why did I receive an email indicating pwned on the JustDate fabricated breach, but when I search from the Home page, not listed?

    Why did I receive an email indicating pwned on the JustDate fabricated breach, but when I search from the Home page, only the LinkedIn breach is noted? Is it possible that the email was spoofed? It looks almost exactly like the one I received when you posted the LinkedIn breach. I suspect many others are in this same situation. Esp. if the JustDate breach was indeed 24 million people as the email indicated. Thanks.

    1 vote
  17. use a protocol on your website that is properly supported.

    In all versions of Google Chrome I am now advised;

    This site can’t provide a secure connection

    haveibeenpwned.com uses an unsupported protocol.
    ERR_SSL_VERSION_OR_CIPHER_MISMATCH

    The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.

    So, why can't you use a proper protocol?

    1 vote

    I’m as close to certain as possible that this is a problem at your end, there’s been a heap of traffic through the site today and yours is the only mention of this. TLS termination is done at Cloudflare and nothing has changed configuration wise.

  18. ... make it easy to see what data are associated with a breach for a given account.

    The mere fact of a breach means very little if the associated website or other details are not findable. (I have to admit I have no idea whether the API addresses this, but I have no idea how to use it anyway.)
    HPI gives heaps of info: Affected Service, Date, Verified, Password, First and last name, Date of birth, Address, Telephone number, Credit card, Bank account details, Social security number, IP Address
    Am I missing something?
    This should be emailable to the account holder in the same way, I would have thought.

    1 vote

    There are two important comments on this:

    Firstly, HIBP describes the data classes that were exposed. If it says “email addresses and phone numbers”, for example, then your email address and phone number were almost certainly in the breach. The vast majority of the time, this is the data you gave the website.

    More importantly though – and the reason for closing this as “declined” – is that it’s just too great a risk to store this information. Often the data is extremely personal and it was also often improperly secured in the first place. For example, plain text passwords, something I would never consider storing in my system.

    So in short, the risks are too great and the benefits are minor given it’s data you’ve normally already provided yourself anyway.

  19. Why are the Yahoo and Target breaches not listed?

    Why are the Target and Yahoo breaches not listed?

    1 vote
    1 comment
  20. Provide a way for me to see the password data or other data associated with my email. Since I use unique passwords, the source is known.

    Provide a way for me to find the password data or other data associated with my email. Since I use unique passwords, the source is known. I have no idea if there is valid data in Exploit.In or Anti Public Combo unless I have some more information. You may not want to host the data, but someone is doing it. I have concern over some of those sources. Knowing the password or hash would make it possible to identify the source of the problem.

    1 vote
    declined  ·  1 comment