General

  1. Provide the count of breached accounts on a domain

    As part of the API, provide the count of breached accounts on a domain in a time window. I realise that for the domain search, users need to prove ownership of the domain before receiving the list of breached emails, which certainly makes sense. If the count of breached accounts on a domain isn't deemed too sensitive to disclose, this would be useful in third party risk monitoring applications which could then display "50 accounts with emails on your domain @domain.com have been breached in the previous 3 years" for example.

    12 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    I’m declining this one simply for the reason you’ve already highlighted: it’s too sensitive. For example, you could restrict the range to the time of the Ashley Madison data breach, feed in the domain of a small company and start to draw some pretty sensitive conclusions. As it stands, domain owners can already derive this info so there’s way more risk than upside to this one.

  2. Use certificates that specify OCSP Must-Staple

    The Qualys SSL Server Test shows that haveibeenpwned.com uses certificates that do not specify OCSP Must-Staple. When you replace these certificates near their expiry date, please get certificates that specify OCSP Must-Staple. Scott Helme has a good article on why OCSP Must-Staple is important.

    https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com
    https://scotthelme.co.uk/ocsp-must-staple/

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  3. Drop support for weak cipher suites

    The Qualys SSL Server Test shows that haveibeenpwned.com supports weak cipher suites for TLS 1.2. Please drop support for these to make haveibeenpwned.com even more secure.
    https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  4. Domain search

    I own several domains and I would like to check any email adress with that domain.
    Simply verify by sending confirmation request on a random email address with that domain e.g. h1ytsh4t uhh674@larshjorth.dk

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  5. Humio Pawned

    Received this mail:
    Dear Humio user,

    On Monday, November 4th, we became aware that an authenticated user of cloud.humio.com could use an API call to retrieve a full list of cloud.humio.com users, including names and email addresses. No other information was exposed.

    You are receiving this email because your name and email could have been exposed.

    We only know of a single incident where someone unintentionally accessed this information. They immediately reported this to us (thank you!). However, we can’t definitively identify whether any other users accessed and stored this data. If you retrieved any user names or email addresses,…

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  6. Don't use Gravitar

    On a website that helps people mitigate the impact of losing private data you prevent use of avatars without signing up to an arbitrary third party with whom users may have no previous relationship and certainly no reason to trust. This feels strangely at odds with the core ethos of your website.

    11 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    4 comments  ·  Flag idea as inappropriate…  ·  Admin →
  7. Provide Delta files between versions of the Password DB for offline mirror updates

    for offline mirrors it is important to be able to stay up to date - dropping the index and whole db only to reimport all 550M entries is a long time - for local offline copies the # of breaches may not be important but the new hashes are - can you provide delta files of the newly added SHA1s only for easier updates?

    Love using the service btw!

    would also keep your bandwith lower for people only needing the new stuff by downloading smaller files

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  8. Question: Does HIBP check user ids as well as email address?

    Some websites use userids instead of email addresses. Are userids checked the same as email addresses?

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  9. A search for xyz@gmail.com and xyz@googlemail.com should return the same

    Since user@gmail.com is the same address as user@googlemail.com the returned data should also be the same, currently you'd have to enter both addresses.
    Some users might not even know about this.

    0 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  10. HOSTINGER.COM HAD A DATA BREACH

    I’m not lying, I got an email from them. Here is the blog post about it:
    https://www.hostinger.com/blog/security-incident-what-you-need-to-know/

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  11. Normalize all searches to lower case

    I sometimes capitalize portions of my email address.
    After checking the same email address twice - one time all lower case and another using some upper case - I got different results!

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  12. api call

    Hi i want to ask about API,

    i try to call the API via $.ajax and send the hibp-api-key by header, i checked the hibp-api-key at RequestHeader and its correct
    and i get this message in the console
    readyState":0,"status":0,"statusText":"NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to load

    can you help me?

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  13. Version Pwned Password API

    Can you version the "Pwned Passwords" API v2 to reduce the confusion with https://haveibeenpwned.com/API/v3#APIVersion please?

    Can the "Pwned Passwords" API endpoint also specify which release of https://haveibeenpwned.com/Passwords is used within its URL?

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    At this stage there’s no plan to version the Pwned Passwords API an it’ll continue to run independently to the APIs for searching breaches.

    See the “last-modified” response header on the API if you’re looking to identify when the data is current as of.

  14. Domain Search Email Validation Not Working

    I'm not receiving emails while attempting to validate my ownership of a domain. We're using Office 365 and the email doesn't appear to be getting caught by the spam or phishing filters.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Flag idea as inappropriate…  ·  Admin →
  15. Can I have my account show up normally- like no breaches found, since I opted out accidentally

    Can I have my account show up normally- like no breaches found, since I opted out accidentally ?

    I am not sure where to post this but I want it like that

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  16. 1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  17. Fix your SMTP server records in DNS (reverse lookup not working).

    Fix your SMTP server: the SMTP server you are using to verify domains does not have a reverse lookup address, so emails are either rejected or marked as spam by any server that is well configured.

    4 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Flag idea as inappropriate…  ·  Admin →
  18. Any suggestions as to anything that can be done to fix any problems associated with these list.

    Would like to see some suggestions as to how to repair/improv being victims of the instances you unveil.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    5 comments  ·  Flag idea as inappropriate…  ·  Admin →
  19. Insert Breach's "Permalink"

    Can you please insert the breach's "Permalink" returned by the API?

    For example, include "Permalink" : "https://haveibeenpwned.com/PwnedWebsites#Adobe" similar to the existing key/value pair of "LogoPath".

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  20. consider social security numbers?

    What potential is there to provide data on SSN that have been exposed in a breach? This seems much more borderline dangerous, but curious about of you've given any thought and the problems / possibilities you see.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base