Skip to content

General

← Customer feedback for Have I Been Pwned

I suggest you ...

You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

There are two ways to get more votes:

  • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
  • You can remove your votes from an open idea you support.
  • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

215 results found

  1. Include credit cards as another search dimension

    As well as user accounts there seem to be a lot of credit cards being leaked. It would be interesting to add credit card numbers to the other search dimensions (username and email address).

    There are some security implications around uploading your credit card to hibp but hibp would not need to store it at all. One you had it hash it and also store the found numbers as a hash. It would then slide right into the existing partition/row key schema.

    If such a system could be implemented I would even consider it a service worth paying for. Perhaps…

    71 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    8 comments  ·  Admin →

  2. Allow users to search for an email address by hash rather than sending the email to the API in cleartext.

    Under the suspicion that submitted email addresses are being harvested, a privacy conscious user could feel safer checking for the presence of their email in the database by submitting a hash of it rather than the email address itself. I, for instance, have two email addresses: one which everyone knows, and one which very few people know. I'm very curious about the latter, but there's no way I'd enter it into any web form.

    47 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    3 comments  ·  Admin →
    declined  ·  AdminTroy Hunt (CEO / Founder, Have I Been Pwned) responded

    I’m closing this out as “declined” for several reasons:

    1. Now with almost 5B records, there’s a very high chance I have the hash being searched already and if I have that, I know the plain text.
    2. It would lead to massive redundancy in the system, literally doubling the volume of data I store
    3. It would be very rarely used; the vast majority of requests come via the web app from consumers browsing to the site and yes, I could hash on the client, but then you have to trust HIBP is reliably doing that which bring me to the final point…
    4. …I would advise against sending an address to any service you don’t trust, regardless of the lengths I go to in ensuring searches aren’t recorded

    So in summary, a combination of high effort and low reward.

  3. Notify email owner privately to limit malicious intents

    I like the fact that I get to know if my email is pwned in any of the latest breaches (so opting out is not really an option), but I can see a malicious intent here as well.

    Say a hacker needs to get access to my email account, then the first thing to try is your service to know if my password exists in any of the known breaches, even though I might change it but some users won't or it may be easily guessable.

    My idea is, when the user enters their email address, send the results by…

    41 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    9 comments  ·  Admin →

  4. Fix multi-domain search results

    Apparently, multi-domain search result for breached email account sets are broken. Maybe only for large result sets?
    I did a multi-domain search after the avectis breach notification with over 10.000 of our company and customer emails affected. However, the "Breached email accounts" tab in the excel format was empty. The HTML did not load (result set to big) and the JSON also only included "{"BreachSearchResults":null, ..."
    Can you check this please?

    17 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    9 comments  ·  Admin →

  5. Showing results via Mail

    I think it is a matter of privacy what services (that were breached) I used. This site allows me to type in any e-mail I know and to verify whether or not the person did use a special service. It might seem that this information is not too big of a deal, still I'd consider it private. So my suggestion is that the services only sends back a link to the email that shall be checked and provides the results there.

    14 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    3 comments  ·  Admin →

  6. Provide the count of breached accounts on a domain

    As part of the API, provide the count of breached accounts on a domain in a time window. I realise that for the domain search, users need to prove ownership of the domain before receiving the list of breached emails, which certainly makes sense. If the count of breached accounts on a domain isn't deemed too sensitive to disclose, this would be useful in third party risk monitoring applications which could then display "50 accounts with emails on your domain @domain.com have been breached in the previous 3 years" for example.

    12 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    2 comments  ·  Admin →
    declined  ·  AdminTroy Hunt (CEO / Founder, Have I Been Pwned) responded

    I’m declining this one simply for the reason you’ve already highlighted: it’s too sensitive. For example, you could restrict the range to the time of the Ashley Madison data breach, feed in the domain of a small company and start to draw some pretty sensitive conclusions. As it stands, domain owners can already derive this info so there’s way more risk than upside to this one.

  7. Don't use Gravitar

    On a website that helps people mitigate the impact of losing private data you prevent use of avatars without signing up to an arbitrary third party with whom users may have no previous relationship and certainly no reason to trust. This feels strangely at odds with the core ethos of your website.

    11 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    4 comments  ·  Admin →

  8. There was an attack on the website https://www.yemeksepeti.com

    • Name-surname, date of birth
    • Telephone numbers registered with Yemeksepeti
    • E-mail registered with Yemeksepeti
    • Address information registered with Yemeksepeti
    • Masked login passwords with SHA-256 algorithm that are not clearly visible it was stolen. You must add it to this site.
    6 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  9. Add doxbin.org paste

    I search on doxbin.org some email accounts and then i search on haveibeenpwned.org, but it isn't find the paste.

    6 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  10. Add more phone number and email breach

    Please add more email and phone number breach. I search on "keepersecurity" and "nortonlifelock email and phone number dark web monitoring" say to me that there is more breach.

    6 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  11. TFN checks

    Problem: Australian Tax File Number (TFN) can be used to link a fake MyGov account and claim taxes on someone's behalf.

    Suggestion: Hash all leaked accessible TFN on the darknet to inform people that they should request a new one from the ATO

    Context:
    Today, I went to the accountant and I have become Sue0. My TFN and email has leaked from somewhere, the bad guys used the deets to create a fake MyGov account. Somehow attached their fake account to my taxes (ATO) and claimed random things to be under the 10k threshold. Apparently, I am now…

    4 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →
    declined  ·  AdminTroy Hunt (CEO / Founder, Have I Been Pwned) responded

    There are many problems with this:


    1. There are no data breached in HIBP with Australian tax fie numbers
    2. If there were, they're extraordinarily time consuming to parse out as they adhere to a simple numeric pattern that can't simply be regex'd out like an email address
    3. Hashing would provide effectively zero protection as the entire range of tax file numbers could be pre-computed very quickly due to their small number of possible values
    4. No anonymity means storing sensitive personal data which is definitely off the cards


    And FWIW, the vast majority of data on HIBP doesn't come from "the dark web", it's being exchanged en mass via clear web forums. I appreciate this doesn't help you solve your specific problem, but unfortunately the answer doesn't lie here.

  12. Fix your SMTP server records in DNS (reverse lookup not working).

    Fix your SMTP server: the SMTP server you are using to verify domains does not have a reverse lookup address, so emails are either rejected or marked as spam by any server that is well configured.

    4 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    3 comments  ·  Admin →

  13. I suggest to implement an email verification that is necessary to get to know whether the email adress one typed in has been pawned or not.

    By getting the information on whether an email address has been pawned without verification whether it's mine or not it is easy for everyone to check really quickly whether the email addresses one has from people around is worth trying to hack. One doesn't have to check the list. This site is doing that for one.

    4 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    3 comments  ·  Admin →

  14. Include leaked password

    You very kindly just sent me an email that my email address and unsalted password were included in the 2012 LinkedIn breach.

    I can't remember which password I was using in 2012, and hence don't know which other accounts need a password change. Could you send the leaked hash (or otherwise, depending on the breach) to the effected email?

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    5 comments  ·  Admin →

  15. Notification before loading breach onto Azure

    In the past I have recreated the Maltego Graph of all breached sites/names and domains and when I have pushed this to GitHub another breach has been loaded on the same day by a tweet from https://twitter.com/haveibeenpwned

    Can you publish a counter estimating when the next series of breaches will be made available?

    I understand that breaches may be loaded concurrently and/or urgently, etc. Neither am I asking for you to publish the name of the website that you are confirming has been breached, etc

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  16. API for recommending to allow/forbid a specific credential set.

    Perhaps as a premium service, allow a caller to post an email / password combination. HIBP responds with a recommendation on whether to allow the user to use that password on caller's system. Known pwn'd combinations would always recommend "forbid", as well as perhaps forbidding any password in the top % of pwn'd passwords by frequency.

    The end goal is giving system owners a way to steer users away from not only weak but also repeat & known-compromised credentials. I understand that data extraction would be a concern, thus the "premium" service suggestion.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  17. Provide a open sourced version of the PB scraper for users to run at home and tinker with.

    Title explains it.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  18. Add possibility to get total count of leaked emails for specific domain through API

    Possibility of getting count of total emails addresses leaked for specific IP is very useful due to problems of exporting the data for domain search when there real many emails. In my case happened that after export if showed only "Pastes" database and no other leaks. I have checked some email addresses from exported CSV list and through online database, results were not the same.
    And if total count for domain will be available, it will be much easier to compare results and see the differences, also such information can be useful for online threat intelligence platforms.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →
    declined  ·  AdminTroy Hunt (CEO / Founder, Have I Been Pwned) responded

    A count alone won’t do much good, people want to know who was impacted in the breach. Plus, you already get a count at the top of the search page or can look at the rows in the CSV.

    Separately to this, if the results you’re seeing aren’t accurate, just check it’s not due to public searches not showing sensitive breaches.

  19. Give me the opportunity to delete my email adress after I changed the password.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  20. Add Retry-After to Access-Control-Expose-Headers

    When hitting a 429 response, a cross-origin request does not have access to the Retry-After header.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    2 comments  ·  Admin →
← Previous 1 3 4 5 10 11
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base

(thinking…)