General

  1. Include credit cards as another search dimension

    As well as user accounts there seem to be a lot of credit cards being leaked. It would be interesting to add credit card numbers to the other search dimensions (username and email address).

    There are some security implications around uploading your credit card to hibp but hibp would not need to store it at all. One you had it hash it and also store the found numbers as a hash. It would then slide right into the existing partition/row key schema.

    If such a system could be implemented I would even consider it a service worth paying for. Perhaps…

    71 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    8 comments  ·  Flag idea as inappropriate…  ·  Admin →
  2. Allow users to search for an email address by hash rather than sending the email to the API in cleartext.

    Under the suspicion that submitted email addresses are being harvested, a privacy conscious user could feel safer checking for the presence of their email in the database by submitting a hash of it rather than the email address itself. I, for instance, have two email addresses: one which everyone knows, and one which very few people know. I'm very curious about the latter, but there's no way I'd enter it into any web form.

    47 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Flag idea as inappropriate…  ·  Admin →

    I’m closing this out as “declined” for several reasons:

    1. Now with almost 5B records, there’s a very high chance I have the hash being searched already and if I have that, I know the plain text.
    2. It would lead to massive redundancy in the system, literally doubling the volume of data I store
    3. It would be very rarely used; the vast majority of requests come via the web app from consumers browsing to the site and yes, I could hash on the client, but then you have to trust HIBP is reliably doing that which bring me to the final point…
    4. …I would advise against sending an address to any service you don’t trust, regardless of the lengths I go to in ensuring searches aren’t recorded

    So in summary, a combination of high effort and low reward.

  3. Notify email owner privately to limit malicious intents

    I like the fact that I get to know if my email is pwned in any of the latest breaches (so opting out is not really an option), but I can see a malicious intent here as well.

    Say a hacker needs to get access to my email account, then the first thing to try is your service to know if my password exists in any of the known breaches, even though I might change it but some users won't or it may be easily guessable.

    My idea is, when the user enters their email address, send the results by…

    41 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    9 comments  ·  Flag idea as inappropriate…  ·  Admin →
  4. Provide the count of breached accounts on a domain

    As part of the API, provide the count of breached accounts on a domain in a time window. I realise that for the domain search, users need to prove ownership of the domain before receiving the list of breached emails, which certainly makes sense. If the count of breached accounts on a domain isn't deemed too sensitive to disclose, this would be useful in third party risk monitoring applications which could then display "50 accounts with emails on your domain @domain.com have been breached in the previous 3 years" for example.

    12 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →

    I’m declining this one simply for the reason you’ve already highlighted: it’s too sensitive. For example, you could restrict the range to the time of the Ashley Madison data breach, feed in the domain of a small company and start to draw some pretty sensitive conclusions. As it stands, domain owners can already derive this info so there’s way more risk than upside to this one.

  5. Don't use Gravitar

    On a website that helps people mitigate the impact of losing private data you prevent use of avatars without signing up to an arbitrary third party with whom users may have no previous relationship and certainly no reason to trust. This feels strangely at odds with the core ethos of your website.

    11 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    4 comments  ·  Flag idea as inappropriate…  ·  Admin →
  6. Add doxbin.org paste

    I search on doxbin.org some email accounts and then i search on haveibeenpwned.org, but it isn't find the paste.

    6 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  7. Add more phone number and email breach

    Please add more email and phone number breach. I search on "keepersecurity" and "nortonlifelock email and phone number dark web monitoring" say to me that there is more breach.

    6 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  8. There was an attack on the website https://www.yemeksepeti.com

    • Name-surname, date of birth
    • Telephone numbers registered with Yemeksepeti
    • E-mail registered with Yemeksepeti
    • Address information registered with Yemeksepeti
    • Masked login passwords with SHA-256 algorithm that are not clearly visible it was stolen. You must add it to this site.
    6 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  9. I suggest to implement an email verification that is necessary to get to know whether the email adress one typed in has been pawned or not.

    By getting the information on whether an email address has been pawned without verification whether it's mine or not it is easy for everyone to check really quickly whether the email addresses one has from people around is worth trying to hack. One doesn't have to check the list. This site is doing that for one.

    4 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Flag idea as inappropriate…  ·  Admin →
  10. Fix your SMTP server records in DNS (reverse lookup not working).

    Fix your SMTP server: the SMTP server you are using to verify domains does not have a reverse lookup address, so emails are either rejected or marked as spam by any server that is well configured.

    4 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Flag idea as inappropriate…  ·  Admin →
  11. 3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  12. Link Breach Lawsuits

    Link all verified mediums that one can access to join or create a class-action lawsuit/claim related to a data breach.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  13. Include leaked password

    You very kindly just sent me an email that my email address and unsalted password were included in the 2012 LinkedIn breach.

    I can't remember which password I was using in 2012, and hence don't know which other accounts need a password change. Could you send the leaked hash (or otherwise, depending on the breach) to the effected email?

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    4 comments  ·  Flag idea as inappropriate…  ·  Admin →
  14. Provide sample code for SHA1 hashing for app developers to use

    I have found a number of PowerShell wrappers to the API, and some text hashing scripts, but the hashing does not seem to work when used to hash a known bad password and send it via as SHA1 via the API. Example javascript and/or PowerShell scripts (and maybe others) to show how the hashing should be done, would allow all calls from apps, etc. to use the SHA1 value and not send the "clear" password (even over HTTPS) to the API.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    Due to the breadth of different languages out there and the simplicity of create a SHA1 hash and sending it in a web request, I don’t want to get into language specific guidance. If you’re having trouble, try creating the hash here and comparing it with the one you’re creating: http://www.sha1-online.com/

    I suspect it’s your encoding, you’ll get a speedy answer on Stack Overflow if you’re still having trouble.

  15. Notification before loading breach onto Azure

    In the past I have recreated the Maltego Graph of all breached sites/names and domains and when I have pushed this to GitHub another breach has been loaded on the same day by a tweet from https://twitter.com/haveibeenpwned

    Can you publish a counter estimating when the next series of breaches will be made available?

    I understand that breaches may be loaded concurrently and/or urgently, etc. Neither am I asking for you to publish the name of the website that you are confirming has been breached, etc

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  16. API for recommending to allow/forbid a specific credential set.

    Perhaps as a premium service, allow a caller to post an email / password combination. HIBP responds with a recommendation on whether to allow the user to use that password on caller's system. Known pwn'd combinations would always recommend "forbid", as well as perhaps forbidding any password in the top % of pwn'd passwords by frequency.

    The end goal is giving system owners a way to steer users away from not only weak but also repeat & known-compromised credentials. I understand that data extraction would be a concern, thus the "premium" service suggestion.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  17. Add possibility to get total count of leaked emails for specific domain through API

    Possibility of getting count of total emails addresses leaked for specific IP is very useful due to problems of exporting the data for domain search when there real many emails. In my case happened that after export if showed only "Pastes" database and no other leaks. I have checked some email addresses from exported CSV list and through online database, results were not the same.
    And if total count for domain will be available, it will be much easier to compare results and see the differences, also such information can be useful for online threat intelligence platforms.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    A count alone won’t do much good, people want to know who was impacted in the breach. Plus, you already get a count at the top of the search page or can look at the rows in the CSV.

    Separately to this, if the results you’re seeing aren’t accurate, just check it’s not due to public searches not showing sensitive breaches.

  18. crawl for sites that dont delete your account when you ask for it

    i know this might be outside the scope of this site

    But i have in the past discovered that sites do not delete me when i ask for it

    It could be nice to have some sort of crawler that could search the internet for your username or even name and report back on which sites they are found

    this could maybe be a seperate site

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  19. 3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  20. Add Retry-After to Access-Control-Expose-Headers

    When hitting a 429 response, a cross-origin request does not have access to the Retry-After header.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 8 9
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base