General
224 results found
-
Include last seen / affected date in stealer results
As we are already aware (and have implemented) - it is not enough to know that an email appeared in stealer logs; the actual website credential that was affected matters.
This is surfaced through the v3 API from the email address, email domain, and website domain point of view, however much of this data is aggregated.
This means that if an email address appears in multiple stealer logs it's not possible to know when it appeared for a given website domain.
From an operator point of view this makes it difficult to know which end users are susceptible to new attacks…
3 votes
The reason we don’t do this is that we often don’t have any date in the source and the same data often gets recycled between logs. There’s just no date we can reliably put on the logs with any degree of accuracy.
-
Allow users to log in and mark breaches they dealt with
My data was in the 500px breach. Every time I check for breaches against my email address on HIBP, this comes up. I use random passwords so I am not concerned about the leak, but I do make sure to change passwords once I am notified of a leak. Once the list of breaches becomes long enough, I may not remember whether I have dealt with a specific issue reported. It would be good to have a mode where I can log in and check the issues that I have dealt with, so the next time I log in and check…
2 votes
HIBP is not intended to be a personal triage tool, it’s a reflection of breaches at a point in time.
-
Give us if our email is likely to be pasted.
We should be told if a hacker can still access our email or paste it. We should be told that once we receive our results.
2 votes
There is no way of knowing this.
-
complete alpha list of pwned breached sites?
alpha list of pwned breached sites & contact info.
CONSUMERS need to know if the sites they use are in a list of breached sites and how to contact the developer, webmaster to stay on them to fix it. My password keepers show some sites as breached but not on your page of listed sites (which I presume have been fixed?) How do you handle the breached sites which haven't been hardened?
2 votes
HIBP only lists breaches that have been loaded into the service, it's not an index of every known incident.
-
upload known breached default or standard passwords
Many applications use your API to detect known vulnerable passwords. In this regard it would be great to have some way of uploading known default passwords, e.g. company "standard" passwords or vendor specific device passwords. This would help to prevent users from choosing old and compromised "standard" passwords.
2 votes
The intention for Pwned Passwords is to be just that **pwned** so things that have been seen in previous breaches. That almost certainly includes many default passwords, but it's not something we'd seek out and add if they haven't previously been breached.
-
Show where passwords were leaked from
The same way we see where the emails were leaked from. Could we please have the passwords leak location shown to us?
2 votes
This wouldn't really scale; some passwords have been seen millions of times before and tracking the location would result in huge amounts of bloat whilst providing very little benefit. The purpose of Pwned Passwords is to try and stop the use of known breached passwords, irrespective of where they were breached from.
-
Question: Can a Subsequently Deleted EMail Address be accurately confirmed via HIBP, if Registered via EMail Link PRIOR TO Deletion ? Thank
Question: Can a Subsequently Deleted EMail Address be accurately confirmed via HIBP, if the EMail Address was confirmed Registered (via EMail Link) PRIOR TO Deleting the E-Mail Address ? Thank You.
1 vote -
1 vote
Relates to a specific scenario within the Ashley Madison data breach.
-
either allow use of email from domain registration, or don't claim to
The domain registration page says "Verifying by email is the fastest way to confirm ownership of the domain. You can either verify using an email address on the domain registration record or by using one of several pre-defined addresses for the domain." However, in fact I cannot find any way to use the email address actually on my domain registration record (paleo.org), as it is not one of the four standard addresses listed.
1 vote
Support query rather than an idea (and resolved now anyway).
-
I've lost the original verification notification about being pwned on AM site. How can I recover it?
Recover verification notice.
1 vote
This is not a support queue, it’s for feature ideas.
This is addressed in the Q&A blog post here: http://www.troyhunt.com/2015/08/ashley-madison-data-breach-q.html
-
Unsubscribe button please
This service is awesome and users will be warned if they are pwned.
But the registration confirmation email says "...and you can unsubscribe at any time if you don't want the notifications."
Please, make an unsubscribe button. I can't find any unsubscribe button or form on the website or in the email.
Thanks.
1 vote
Feature already exists
-
RSS feeds not working/validating
Thunderbird refuses to open either your breaches or pastes RSS feeds, claiming failed validation. The w3c feed validator fails both: https://validator.w3.org/feed/
Whether they are broken or not is beyond my experience :-)
1 vote -
Add wpengine.com breach
There was a breach on wpengine.com, maybe data about accounts will be available somewhere
https://wpengine.com/support/infosec/
1 vote
I’m not aware of this breach being in the public domain but if you happen to have it, contact me privately. Closing this out to keep the UserVoice for feature ideas.
-
Add URL for a certain paste
Using the crowd, I have finally solved the mystery which database a certain paste represents: http://security.stackexchange.com/questions/108191/what-can-i-do-if-i-discover-that-my-password-hash-has-been-leaked-in-pastebin
Can I/Could you add that information?
1 vote
Pastes are retrieved “as is”. There’s a large volume that flows into HIBP and I don’t modify any metadata about them, I merely represent the information they contained.
-
acknowledge option
Hi,
It will be nice to have an "acknowledge" option if I subscribe - so when I see list of sites/accounts I changed my password too I would be able to acknowledge and then see only new threats as red
thanks,
1 vote
HIBP is not intended to be a personal checklist, rather a historical record of data breaches.
-
Stop sending bogus emails
I've had emails saying that both my tumblr and MySpace accounts have been breached, however I don't have accounts on either system.
1 vote -
Ok, so I've been pwned, now what?
Is there a means of fixing the issue?
Can I get my name off the pwned list? (without opting out)
Would it help to contact the pwned website(s) with my data?
Thanks
1 vote -
Include email addresses (or some info) for domain notifications
If you're doing a domain notification (notifying of any info for your domain that becomes compromised), you'd like to relay concerns to your users when those alerts come up. Right now, we're just getting a number of accounts, rather than the actual specifics. Even listing email addresses would help.
1 vote -
Incomplete Data
One of my several email IDs has been part of one of the data leaks but searching here shows that it is not. This shows there is some discrepancy in data you refer to. I cannot reveal much publicly here but you can reach out to me and I shall share more details.
1 vote
Support query, not a suggestion
-
Esso Canada called me regarding their speedpass rewards program being compromised. Not sure if it's a one-off or more than that.
Customer service said that someone accessed my account, changed the email address on file, then proceeded to order e-gift cards.
Can you check into it if possible?
1 vote
Not an idea