General
-
Include last seen / affected date in stealer results
As we are already aware (and have implemented), it is not enough to know that an email appeared in stealer logs; which website credential was affected matters.
This is surfaced through the v3 API from the email address, email domain, and website domain points of view; however, much of this data is aggregated.
This means that if an email address appears in multiple stealer logs it's not possible to know when it appeared for a given website domain.
From an operator point of view this makes it difficult to know which end users are susceptible to new attacks…
3 votes
The reason we don't do this is that we often don't have any date in the source, and the same data often gets recycled between logs. There's just no date we can reliably put on the logs with any degree of accuracy.
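The reply above is that HIBP cannot attach a trustworthy date to a stealer-log entry. An operator who still needs a "new since my last check" signal can keep that timestamp on their own side: pull the stealer-log view for the domain on a schedule, diff it against the previous pull, and record a first-seen date for every (alias, website domain) pair the moment it appears. The following is an added example, not HIBP's code and not from the post; the snapshot shape (alias mapped to a list of website domains) is an assumption for illustration, and the two snapshots are constructed.

```python
import json
from datetime import date
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]  # (email alias on the monitored domain, website domain)

# Constructed snapshots for a hypothetical monitored domain, as if pulled a month apart.
# Assumed shape: alias -> list of website domains the alias's credentials were captured for.
SNAPSHOT_JAN = {
    "alice": ["shop.example.net", "mail.example.org"],
    "bob": ["shop.example.net"],
}
SNAPSHOT_FEB = {
    "alice": ["shop.example.net", "mail.example.org", "bank.example.org"],
    "bob": ["shop.example.net"],
    "carol": ["forum.example.net"],
}


def flatten(snapshot: Dict[str, List[str]]) -> Set[Pair]:
    """Turn the alias -> sites mapping into a set of (alias, site) pairs."""
    return {(alias, site) for alias, sites in snapshot.items() for site in sites}


def record_first_seen(store: Dict[str, str], snapshot: Dict[str, List[str]],
                      observed_on: date) -> List[Pair]:
    """Add every pair not already in the store with observed_on as its first-seen date.

    The store maps "alias|site" -> ISO date so it can be persisted as plain JSON.
    Returns the newly seen pairs in sorted order; these are the ones worth alerting on,
    because HIBP itself cannot say when the entry first appeared.
    """
    new_pairs: List[Pair] = []
    for alias, site in sorted(flatten(snapshot)):
        key = f"{alias}|{site}"
        if key not in store:
            store[key] = observed_on.isoformat()
            new_pairs.append((alias, site))
    return new_pairs


def dump_store(store: Dict[str, str]) -> str:
    """Serialise the store for writing to disk between runs."""
    return json.dumps(store, sort_keys=True, indent=2)


def load_store(text: str) -> Dict[str, str]:
    return json.loads(text) if text.strip() else {}


if __name__ == "__main__":
    store: Dict[str, str] = {}
    print("January, new:", record_first_seen(store, SNAPSHOT_JAN, date(2025, 1, 15)))
    print("February, new:", record_first_seen(store, SNAPSHOT_FEB, date(2025, 2, 15)))
    print(dump_store(store))
```

The first-seen date is the date you observed the pair, not the date of the infection; an entry that reappears in a recycled log later does not reset it, which is the behaviour you want for "who is newly exposed".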
-
Include the Breach Model Name attribute in the HIBP breach notification email.
The title of the breach notification is inconsistent with the breach model Name attribute, which makes automation quite difficult to match up.
The API for single breaches only allows you to search by the Name field.
Example emails that have been sent that didn't match:
Subject: <int> email on <domain> has been pwned in the Free Data breach.
"Name": "FreeMobile",
"Title": "Free",
"Domain": "free.fr",
"BreachDate": "2024-10-17",
"AddedDate": "2025-05-27T07:03:21Z",
"ModifiedDate": "2025-05-27T07:03:21Z",
"PwnCount": 13926173,
Subject: <int> emails on <domain> have been pwned in the Operation Endgame 2.0 data breach
"Name": "OperationEndgame2",
"Title": "Operation Endgame 2.0",
"Domain": "",
"BreachDate": "2025-05-23",
"AddedDate": "2025-05-23T20:47:34Z",
"ModifiedDate":…
3 votes
This is the job of the API.
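The reply points at the API, and it does carry what is needed: the notification subject uses the breach Title, the single-breach endpoint https://haveibeenpwned.com/api/v3/breach/{Name} takes the Name, and https://haveibeenpwned.com/api/v3/breaches returns every breach with both fields (no API key needed, but a User-Agent header is required). Automation can therefore build its own Title-to-Name map rather than guessing. The following is an added example, not HIBP's code and not from the post; the subject pattern is inferred from the two subjects quoted above, and the sample records are only those two, not the full list.

```python
import json
import re
import urllib.request
from typing import Dict, List, Optional

# Sample records taken from the two breaches quoted in the post (trimmed to the fields
# needed for matching). A real run would use fetch_all_breaches() instead.
SAMPLE_BREACHES = [
    {"Name": "FreeMobile", "Title": "Free", "Domain": "free.fr", "BreachDate": "2024-10-17"},
    {"Name": "OperationEndgame2", "Title": "Operation Endgame 2.0", "Domain": "", "BreachDate": "2025-05-23"},
]

# Inferred from the quoted subjects:
#   "<n> email(s) on <domain> has/have been pwned in the <Title> data breach"
# The first example capitalises "Data breach", so the match is case-insensitive.
SUBJECT_RE = re.compile(r"pwned in the (?P<title>.+?) data breach\.?\s*$", re.IGNORECASE)


def extract_title(subject: str) -> Optional[str]:
    """Pull the breach Title out of a notification subject line, or None if it does not fit."""
    m = SUBJECT_RE.search(subject.strip())
    return m.group("title").strip() if m else None


def build_title_index(breaches: List[dict]) -> Dict[str, List[str]]:
    """Map lower-cased Title -> list of Names. Titles are not guaranteed unique."""
    index: Dict[str, List[str]] = {}
    for b in breaches:
        index.setdefault(b["Title"].strip().lower(), []).append(b["Name"])
    return index


def resolve_breach_name(subject: str, index: Dict[str, List[str]]) -> Optional[str]:
    """Return the single Name matching the subject's Title; None if unmatched or ambiguous."""
    title = extract_title(subject)
    if title is None:
        return None
    names = index.get(title.lower(), [])
    if len(names) != 1:
        return None  # refuse to guess when the Title collides or is unknown
    return names[0]


def breach_url(name: str) -> str:
    """URL of the single-breach endpoint for a resolved Name."""
    return f"https://haveibeenpwned.com/api/v3/breach/{name}"


def fetch_all_breaches() -> List[dict]:
    """Live fetch of the full breach list (unauthenticated). Not used in the offline demo."""
    req = urllib.request.Request(
        "https://haveibeenpwned.com/api/v3/breaches",
        headers={"User-Agent": "hibp-subject-resolver"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    idx = build_title_index(SAMPLE_BREACHES)
    for subj in [
        "1 email on example.com has been pwned in the Free Data breach.",
        "3 emails on example.com have been pwned in the Operation Endgame 2.0 data breach",
    ]:
        name = resolve_breach_name(subj, idx)
        print(subj, "->", name, "->", breach_url(name) if name else "no match")
```

Refresh the index from the live list before each batch of mail; a notification can refer to a breach added after your last pull, and that is exactly the case where an empty lookup must be reported rather than silently dropped.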
-
Prevent OSINT /!\
Hello, I'd like to see a verification code (sent to the e-mail address to make sure it belongs to the person doing the check) to avoid anyone finding out that someone else's e-mail is affected by certain services (with the precise names of the services, which isn't great because it helps black hats with OSINT :/).
3 votes
There are many, many reasons why that isn't feasible: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
-
Manually specify accounts to check for a domain
As of now you just count all xxx@ you see for a domain, meaning that a 2-user domain can easily overflow the maximum of 10 accounts per domain because of spam xx's and derived xx's (aliases) forwarding to the two original users. It would be fairer if I could manually enter the xx's I'm interested in. In my case that would be ~5, but the automatic count found 17!
3 votes
We base pricing on the number of actual aliases seen on a domain, not just those someone wants to search at any given point in time.
-
Send searchers a list with links to those companies in lawsuits regarding the breaches, and a link to submit a claim for themselves
I support those coming to your site searching, once their list is made on the dashboard, being notified for each company that is in an ongoing lawsuit with a link to the claim site for them to use if they choose to, or for companies that are not currently involved in settlements, the web link to their site, so that at least the consumers know what, if anything, they are offering them to correct or protect them going forward. At least then we may feel some comfort in regaining back our money or info, or be protected, and also know which…
3 votes
I do not want to encourage class actions, for all the reasons described here: https://www.troyhunt.com/data-breaches-class-actions-and-ambulance-chasing/
-
Makes no sense why you won't give information concerning pending lawsuits or how to get things started
What other outcome could there possibly be than litigation against those who do not take proper steps to ensure our data is protected? We can't, like, go to the company and say "please don't let anybody else know my sensitive data"; litigation is our only recourse and you know this, so why are you against suing these maggots? Obviously you're on their side if you're against litigation; there is no other way to force change.
3 votes
There's a long-form response here: https://www.troyhunt.com/data-breaches-class-actions-and-ambulance-chasing/
What other outcome could there be? Regulatory penalties, and they already happen. Making lawyers rich by mounting frivolous lawsuits that provide no more than a few bucks to plaintiffs, whilst causing organisations to behave defensively rather than transparently, is not a healthy situation. I'm not "on their side" or I wouldn't be running this service.
As to why use this service, it's because it gives you visibility into data breaches you may not otherwise know about. If that's not of relevance to you, then don't use the service.
-
Allow users to login and mark breaches they dealt with
My data was in the 500px breach. Every time I check for breaches against my email address on HIBP, this comes up. I use random passwords so I am not concerned about the leak, but I do make sure to change passwords once I am notified of a leak. Once the list of breaches becomes long enough, I may not remember whether I have dealt with a specific issue reported. It would be good to have a mode where I can log in and check the issues that I have dealt with, so the next time I login and check…
2 votes
HIBP is not intended to be a personal triage tool, it's a reflection of breaches at a point in time.
-
Tell us if our email is likely to be pasted.
We should be told if a hacker can still access our email or paste it. We should be told that once we receive our results.
2 votes
There is no way of knowing this.
-
complete alpha list of pwned breached sites?
alpha list of pwned breached sites & contact info.
CONSUMERS need to know if the sites they use are in a list of breached sites and how to contact the developer, webmaster to stay on them to fix it. My password keepers show some sites as breached but not on your page of listed sites (which I presume have been fixed?) How do you handle the breached sites which haven't been hardened?
2 votes
HIBP only lists breaches that have been loaded into the service, it's not an index of every known incident.
-
upload known breached default or standard passwords
Many applications use your API to detect known vulnerable passwords. In this regard it would be great to have some way of uploading known default passwords, e.g. company "standard" passwords or vendor specific device passwords. This would help to prevent users from choosing old and compromised "standard" passwords.
2 votes
The intention for Pwned Passwords is to be just that, **pwned**, so things that have been seen in previous breaches. That almost certainly includes many default passwords, but it's not something we'd seek out and add if they haven't previously been breached.
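The reply declines to host default or vendor passwords that have not actually been breached, so that list has to live with the application, in front of the Pwned Passwords check rather than inside it. The following is an added example, not HIBP's code: it rejects a hypothetical local denylist of organisation defaults first (no network round trip, no hash leaves the host), then queries the Pwned Passwords range endpoint under the k-anonymity model, sending only the first five hex characters of the SHA-1 and comparing the suffix locally. The range response used offline is constructed around the SHA-1 of "password" (which does begin 5BAA6); the counts in it are illustrative, not live data.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Set

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Hypothetical organisation "standard" passwords; this is the list the post wanted HIBP to
# hold and the reply says it will not, so it is maintained here.
LOCAL_DENYLIST: Set[str] = {"Welcome1", "ChangeMe123", "Acme2024!"}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup. Add-Padding asks the service to pad the response so its size does not
    leak which prefix was queried; padded rows carry a count of 0."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-passwords-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password has been seen, per Pwned Passwords; 0 if never."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    counts = parse_range_response(fetch(prefix))
    return counts.get(suffix, 0)


def check_password(password: str, fetch: Callable[[str], str] = fetch_range,
                   denylist: Set[str] = LOCAL_DENYLIST) -> dict:
    """Local defaults first, then the breached-password corpus."""
    lowered = {d.lower() for d in denylist}
    if password.lower() in lowered:
        return {"ok": False, "reason": "matches a local default password"}
    seen = pwned_count(password, fetch)
    if seen > 0:
        return {"ok": False, "reason": f"seen {seen} times in Pwned Passwords"}
    return {"ok": True, "reason": "not known to be compromised"}


# Constructed range response for prefix 5BAA6. The first row is the real suffix of
# SHA-1("password"); the counts are made up, and the last row imitates a padding entry.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "0120B5DA1D8ECDE1F9FEC5C1B4F7C1C1F9A:0",
])


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range: only prefix 5BAA6 has any rows in the sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ["Welcome1", "password", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate, sample_fetch))
```

Keep the local list case-insensitive and include the obvious variants your helpdesk actually hands out; the corpus check catches what the world has already leaked, the local list catches what only your organisation knows is weak.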
-
Show where passwords were leaked from
The same way we see where the emails were leaked from. Could we please have the password leak location shown to us?
2 votes
This wouldn't really scale; some passwords have been seen millions of times before and tracking the location would result in huge amounts of bloat whilst providing very little benefit. The purpose of Pwned Passwords is to try and stop the use of known breached passwords, irrespective of where they were breached from.
-
Question: Can a Subsequently Deleted EMail Address be accurately confirmed via HIBP, if Registered via EMail Link PRIOR TO Deletion ? Thank
Question: Can a Subsequently Deleted EMail Address be accurately confirmed via HIBP, if the EMail Address was confirmed Registered (via EMail Link) PRIOR TO Deleting the E-Mail Address ? Thank You.
1 vote
Relates to a specific scenario within the Ashley Madison data breach.
-
either allow use of email from domain registration, or don't claim to
The domain registration page says "Verifying by email is the fastest way to confirm ownership of the domain. You can either verify using an email address on the domain registration record or by using one of several pre-defined addresses for the domain." However, in fact I cannot find any way to use the email address actually on my domain registration record (paleo.org), as it is not one of the four standard addresses listed.
1 vote
Support query rather than an idea (and resolved now anyway).
-
I've lost the original verification notification about being pwned on AM site. How can I recover it?
Recover verification notice.
1 vote
This is not a support queue, it's for feature ideas.
This is addressed in the Q&A blog post here: http://www.troyhunt.com/2015/08/ashley-madison-data-breach-q.html
-
Unsubscribe button please
This service is awesome and user will be warned if they are pwned.
But the registration confirmation email says "...and you can unsubscribe at any time if you don't want the notifications."
Please, make an unsubscribe button. I can't find any unsubscribe button or form on the website or in the email.
Thanks.
1 vote
Feature already exists
-
RSS feeds not working/validating
Thunderbird refuses to open either your breaches or pastes RSS feeds, claiming failed validation. The w3c feed validator fails both: https://validator.w3.org/feed/
Whether they are broken or not is beyond my experience :-)
1 vote
-
Add wpengine.com breach
There was a breach on wpengine.com, maybe data about accounts will be available somewhere
https://wpengine.com/support/infosec/
1 vote
I'm not aware of this breach being in the public domain but if you happen to have it, contact me privately. Closing this out to keep the UserVoice for feature ideas.
-
Add URL for a certain paste
Using the crowd, I have finally solved the mystery which database a certain paste represents: http://security.stackexchange.com/questions/108191/what-can-i-do-if-i-discover-that-my-password-hash-has-been-leaked-in-pastebin
Can I/Could you add that information?
1 vote
Pastes are retrieved "as is". There's a large volume that flows into HIBP and I don't modify any metadata about them, I merely represent the information they contained.
-
acknowledge option
Hi,
It would be nice to have an "acknowledge" option if I subscribe, so when I see the list of sites/accounts I changed my password on, I would be able to acknowledge them and then see only new threats as red. Thanks,
1 vote
HIBP is not intended to be a personal checklist, rather a historical record of data breaches.