General

213 results found

  1. New subsection showcase under the API section

    Under API, to add who uses them. I am interested in their UI/UX design, and how the attribution link is shown.
    Request your licensees to provide a link and screenshots if they have any. It helps them with cross promotion and you can use it to verify attribution is done correctly.

    1 vote
    1 comment  ·  Admin →
  2. RockYou2024? The 12TB MOAB?

    Huge breaches this year, can their data be added??

    1 vote
  3. Show where passwords were leaked from

    The same way we see where the emails were leaked from. Could we please have the passwords' leak location shown to us?

    2 votes

    This wouldn't really scale; some passwords have been seen millions of times before and tracking the location would result in huge amounts of bloat whilst providing very little benefit. The purpose of Pwned Passwords is to try and stop the use of known breached passwords, irrespective of where they were breached from.

  4. Activate 2FA for email check

    This tool is very useful and has a nice purpose, but I really regret that it is... another leak and a very public and easy one.
    In a single click I can know if an email is linked to a LinkedIn account. If breaches like Stripchat or AFF are visible, I can know if my boss has an account on adult sites.
    I would really love to see one day an implementation of MFA to get access to an email's results.
    Thanks

    1 vote
  5. An endpoint to check if an unverified domain has been pwned

    I can see that we can check if a domain like google.com is pwned on the landing page, including the hacks it is involved in but no email addresses. But there is no endpoint to do such searches in the API. It would be nice if we could do a search for the unverified domain but no email aliases.

    1 vote
  6. Affected Service Warnings for various breach types

    With the most recent Telegram Combolist breach, a feature I think a wide variety of people would use is the ability to know exactly what services their email and password combination were breached in so they can immediately change them.
    The best way of doing this would be sending HIBP subscribers an email with the lines in the Combolist (obviously with the password or other secure information redacted).

    3 votes
  7. Enhance the "an address has been breached" email notification to include the address

    I run a domain which is used for email filtering. It employs "catch-all" forwarding to route every message to one of two places:

    1) Trash, for addresses that are only getting SPAM (from previous data breaches)

    2) my inbox, for the unique email address I provide for each web site I register with

    This means I have hundreds of email addresses registered (probably close to 1000). They're all me.

    However, since 63 of my email addresses have been disclosed to HIBP as being involved in data breaches, I no longer have any way to find out which addresses have been…

    1 vote
  8. Add a leaderboard of the most pwned accounts

    It would be amazing if you could see which accounts have the most pwns and how many

    3 votes
  9. Allow for bulk "add domain" (API or otherwise)

    I have 93 domains in my organisation I would like to add for monitoring (paid account). Currently, it seems the API doesn’t support adding domains to one’s account; so the only way to do so is manually one-by-one.

    3 votes
  10. Apple and Google have both found passwords that this tool did not.

    I have long since left browser and OS password managers behind. I now use Vaultwarden. I like it because it will check passwords against your service for me (In fact, I pay for a subscription). Recently, I was on my iPad, and it told me that some of my passwords had been compromised. I had forgotten about having passwords on there. Most of them were old and changed. The one that surprised me was for my security camera system. It has not been changed. This password has been stored for a while and checked many times through HIBP (by way…

    1 vote
  11. Private list

    Make the responses private and verify the identity of the requester

    1 vote
  12. Add an IFrame (or other kind of embedded form) where we can easily add a search from our site that would send them to HIBP.

    I don't need to understand APIs. Your site works great and does an amazing service.

    I would love a media kit/banner that we could add to our site, that we could use to direct users of our site to go to HIBP and check themselves.
    I don't want to download or use your logos without permission.
    You could add a section saying: "promote us:" and pre-prepare icons and buttons for use, if someone chooses, to link to your site.

    In addition, if you could create a form that would allow them to enter the email they want to search, just…

    1 vote
  13. Provide a subscription level for individual domains

    I am one of the people (I know there are others) who uses a custom domain and a catchall email address, in order to give a separate email address to every site I sign up to. So example.com is example.com@mydomain.com, example.net is example.net@mydomain.com, etc.

    Unfortunately this means that getting a report on my breached email addresses would cost $169/year, which is quite a lot for an individual user. I understand that this use case looks very similar to an organizational or institutional one, so it may be difficult to distinguish them in order to help individuals while still…

    1 vote
    1 comment  ·  Admin →
  14. Screen out fake email addresses

    Right now the service you offer shows more than 170 email addresses from my domain. All of them are fake and never existed as there are less than 10 real accounts on my domain. These fake accounts push me into the paid subscription level where if it only looked at the real accounts it’d be free. Can this be remedied? Maybe allow marking of real accounts and all others considered fake?

    3 votes

    The challenge we have is that there is no viable mechanism to establish whether an account is “real” or not. So long as an address adheres to a valid set of characters and structure, there’s nothing beyond that we can do. To mitigate the risk, breaches flagged as spam lists are excluded from the count used to calculate the required subscription. More here: https://support.haveibeenpwned.com/hc/en-au/articles/7680371776399-Can-email-addresses-be-removed-from-a-domain-thus-reducing-the-subscription-level-required

  15. upload known breached default or standard passwords

    Many applications use your API to detect known vulnerable passwords. In this regard it would be great to have some way of uploading known default passwords, e.g. company "standard" passwords or vendor specific device passwords. This would help to prevent users from choosing old and compromised "standard" passwords.

    2 votes

    The intention for Pwned Passwords is to be just that **pwned** so things that have been seen in previous breaches. That almost certainly includes many default passwords, but it's not something we'd seek out and add if they haven't previously been breached.

  16. Option to email a report of all exposed passwords linked to my email address back to my email address

    Option to get a full report for exposed passwords used along with my email address that can only be mailed to the email address in question (to avoid malicious use)

    This will help me determine where my data was leaked as I tend to use unique passwords for every site and I do not reuse my email password anywhere else

    3 votes
  17. Load breach data before verification/email

    Not sure if this is done already.

    I suggest the breach data is loaded on the DB as quickly as possible, independent of verification. The idea being some of your services such as checking if a password is part of a breach only need to know if a password is part of a breach. The email notification and other parts of the service would wait for verification.

    If your data structure requires a record for the breach source; if so could it have a record with a status of unverified?

    For those users protected by a password manager/site that checked…

    1 vote

    Passwords are typically only updated when a large corpus of plain text versions appear. Most breaches have the passwords already hashed which means there's nothing we can do with them in HIBP, including loading them before verification. Where we do have passwords in plain text, they're already processed independently of the email address loading process.


    tl;dr - it already works this way 🙂

  18. Add basic email validation on the main search box on the website

    If I search for @example.com on the home page https://haveibeenpwned.com/, then it shows "Good news — no pwnage found!".

    That could give the false impression that there is no pwnage on that domain. If a user is not aware of the process for domains, then they might not realise that they need to enter a specific email like pwned@example.com in order to see the "Oh no — pwned!" on the homepage.

    I'm aware that validating emails is difficult, so I'm not suggesting something complicated that covers all possibilities, but I think it would be an improvement to show a…

    1 vote

    The form also accepts usernames and phone numbers, hence not validating email addresses. Because this data was only loaded for a couple of breaches, the field isn't presently displaying the prompt to search for non-email address identifiers, but it may do so again in the future.

  19. Allow a simplistic wildcard domain search on the site and the API

    The only extra function I wish the API had was a very basic wildcard search of a domain (that I don't control/administer) whereby the API would simply return how many times the domain appears in your 700+ breached platforms, and on what platforms it appeared. I have no interest in knowing which email addresses appear under a domain search, just the total number of appearances of the domain and which breached platforms. DeHashed and Leak-Lookup offer this in their free search, but their APIs are janky compared to yours.

    1 vote
  20. 3 votes