Notify email owner privately to limit malicious intents
I like the fact that I get to know if my email is pwned in any of the latest breaches (so opting out is not really an option), but I can see a malicious intent here as well.
Say a hacker needs to get access to my email account. The first thing to try is your service, to find out whether my password exists in any of the known breaches. Even though I might change it, some users won't, or it may be easily guessable.
My idea is, when the user enters their email address, send the results by email and do not display it publicly on the web site.
I left this open for quite a while as I gave it thought, but ultimately concluded it's not a viable approach. Here are my thoughts in full: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
-
Stefan, this is addressed here: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
Feel free to comment on that blog post if you have further feedback, the idea here has been closed.
-
Stefan Billieri commented
The site is useful but clearly violates the laws that protect privacy :-|
I suggest you stop publishing the list of sites associated with the email or username specified in the search. Besides overloading your server unnecessarily, you get nothing from it.
Contact me so that we can discuss a better approach.
-
@Henrik that model is similar to what I already do with the sensitive breach access. I appreciate there's still the question of enforcing that for *any* search, but since this suggestion was originally made and I commented on it last year, I've not seen any changes that would cause me to modify the existing model. The value provided by easy access and the mitigation practices I've implemented to help prevent abuse (including the rate limit which was introduced after this original suggestion) still significantly outweigh the opposing arguments which would break the API and frankly, make the project almost unsustainable based on the volume of email I'd need to send. I'll keep monitoring things, of course, but I don't see this happening in the foreseeable future.
-
Henrik commented
@Troy: You know the "HPI Identity Leak Checker"? If you want to search, you have to confirm your email address first, and then you receive an overview of all the breaches you are in with this email address.
-
Henrik commented
AFAIK, if you opt out, nobody can see online the breaches your email address is in.
-
Adrian James commented
This site checks "usernames" - how could you email those?
-
Definitely can't send an email on every search; it'd be classified as spam by many and would be impossible for me to cover the cost of. Plus it would in no way discourage someone with malicious intent from searching for someone; they won't care if the target gets an email.
-
Alex commented
To avoid problems with usability, maybe just a notification would be enough: "this e-mail address was used in a search on HIBP..." or something of the sort. It'd at least discourage malicious intent among many, I believe. I know many of my friends who wouldn't hesitate to search all their friends on this site; getting a notice of this would not only spread awareness and promote better password habits, but also, as previously said, might discourage sneaky searches...
Thanks for a great service though! I'm super glad this exists either way!
-
I'm going to leave this open as it *may* be more relevant in the future. The main barrier to this is that it makes it harder for people to use the system; they now have to receive an email which many people aren't keen on. I agree it has a privacy upside, but a usability downside.
It also kills the API, so all those iOS and Android apps and dozens of other useful apps die.
As a mitigation, there's the ability to opt out of public discovery but I appreciate this is not the same as defaulting to this position.