Allow notifications for an entire domain or allow a way to pull the domain report without having to verify every time.
We have access to a private feed of password dumps that we query every day automatically so we can proactively notify our users of account compromises. It would be really cool if we could also query haveibeenpwned in a similar fashion without having to manually verify domain ownership each time. This would allow us to automate the retrieval of the report.
Another option would be to allow people to sign up for domain-wide notifications similar to how you allow people to sign up for individual account notifications.
Either way, the goal is to automatically receive or retrieve the information so we can look for newly compromised credentials and relay that information to our users.
In our case, we are a large environment with 1000s of users, so getting them all to sign up individually is not going to be reasonable.
-
Hi Justin, few things on this:
Firstly, you can sign up for domain notifications in the same way as you can for individual email notifications, just check the box on the domain search page and enter the email address you'd like notifications to be sent to: https://haveibeenpwned.com/DomainSearch
Secondly, I've elected to re-verify domain ownership on each search to ensure that those doing the search still have control over the domain. I don't want a scenario where someone moves on from a company yet still has the ability to search their domain.
Finally, I do also have a commercial avenue that avoids these constraints and notifies you directly via an API call when an account on your domain is impacted. Get in touch if you'd like to know more: https://www.troyhunt.com/contact/