General
-
acknowledge option
Hi,
It would be nice to have an "acknowledge" option if I subscribe, so when I see the list of sites/accounts I changed my password for, I would be able to acknowledge them and then see only new threats in red. Thanks,
1 vote
HIBP is not intended to be a personal checklist, rather a historical record of data breaches.
-
Add URL for a certain paste
Using the crowd, I have finally solved the mystery which database a certain paste represents: http://security.stackexchange.com/questions/108191/what-can-i-do-if-i-discover-that-my-password-hash-has-been-leaked-in-pastebin
Can I/Could you add that information?
1 vote
Pastes are retrieved “as is”. There’s a large volume that flows into HIBP and I don’t modify any metadata about them, I merely represent the information they contained.
-
Add wpengine.com breach
There was a breach on wpengine.com, maybe data about accounts will be available somewhere
https://wpengine.com/support/infosec/
1 vote
I’m not aware of this breach being in the public domain but if you happen to have it, contact me privately. Closing this out to keep the UserVoice for feature ideas.
-
RSS feeds not working/validating
Thunderbird refuses to open either your breaches or pastes RSS feeds, claiming failed validation. The w3c feed validator fails both: https://validator.w3.org/feed/
Whether they are broken or not is beyond my experience :-)
1 vote
-
Provide an open-sourced version of the PB scraper for users to run at home and tinker with.
Title explains it.
3 votes
HIBP gets the paste feed from Dumpmon which is already open-sourced here: https://github.com/jordan-wright/dumpmon
-
Unsubscribe button please
This service is awesome and users will be warned if they are pwned.
But the registration confirmation email says "...and you can unsubscribe at any time if you don't want the notifications."
Please, make an unsubscribe button. I can't find any unsubscribe button or form on the website or in the email.
Thanks.
1 vote
Feature already exists
-
Add a captcha
Because people often use the same username and password combination on multiple sites. If you can search here to see whether you have an account on multiple sites, others can too. If you can slow down automated searches, abusers can be scared away.
3 votes
A CAPTCHA implementation poses an unacceptable usability barrier whilst providing little practical benefit and would entirely break the API implementation.
-
either allow use of email from domain registration, or don't claim to
The domain registration page says "Verifying by email is the fastest way to confirm ownership of the domain. You can either verify using an email address on the domain registration record or by using one of several pre-defined addresses for the domain." However, in fact I cannot find any way to use the email address actually on my domain registration record (paleo.org), as it is not one of the four standard addresses listed.
1 vote
Support query rather than an idea (and resolved now anyway).
-
I've lost the original verification notification about being pwned on AM site. How can I recover it?
Recover verification notice.
1 vote
This is not a support queue, it’s for feature ideas.
This is addressed in the Q&A blog post here: http://www.troyhunt.com/2015/08/ashley-madison-data-breach-q.html
-
1 vote
Relates to a specific scenario within the Ashley Madison data breach.
-
Question: Can a subsequently deleted email address be accurately confirmed via HIBP, if registered via email link PRIOR TO deletion? Thank
Question: Can a subsequently deleted email address be accurately confirmed via HIBP, if the email address was confirmed registered (via email link) PRIOR TO deleting the email address? Thank you.
1 vote
-
Allow users to search for an email address by hash rather than sending the email to the API in cleartext.
Under the suspicion that submitted email addresses are being harvested, a privacy conscious user could feel safer checking for the presence of their email in the database by submitting a hash of it rather than the email address itself. I, for instance, have two email addresses: one which everyone knows, and one which very few people know. I'm very curious about the latter, but there's no way I'd enter it into any web form.
47 votes
I’m closing this out as “declined” for several reasons:
1. Now with almost 5B records, there’s a very high chance I have the hash being searched already and if I have that, I know the plain text.
2. It would lead to massive redundancy in the system, literally doubling the volume of data I store
3. It would be very rarely used; the vast majority of requests come via the web app from consumers browsing to the site and yes, I could hash on the client, but then you have to trust HIBP is reliably doing that, which brings me to the final point…
4. …I would advise against sending an address to any service you don’t trust, regardless of the lengths I go to in ensuring searches aren’t recorded.
So in summary, a combination of high effort and low reward.
-
Include credit cards as another search dimension
As well as user accounts there seem to be a lot of credit cards being leaked. It would be interesting to add credit card numbers to the other search dimensions (username and email address).
There are some security implications around uploading your credit card to HIBP, but HIBP would not need to store it at all. Once you had it, hash it, and also store the found numbers as hashes. It would then slide right into the existing partition/row key schema.
If such a system could be implemented I would even consider it a service worth paying for. Perhaps…
71 votes
Per the last comment, this creates too many risks for both myself and others.
-
Interpret all permutations of an email address (period separations, +filters)
Gmail will ignore periods in an email when it comes to routing. So email@gmail.com and e.mail@gmail.com will both go to the same address. Someone might want to use that email because it lets them filter those messages from within Gmail.
I tested it, and as of right now, haveibeenpwned sees them as separate emails, which may give users a false sense of security.
Develop a way to find all permutations of an email based off of their filterless email address.
3 votes
-
You are compromising the security of the people
Regarding the recent Ledger data breach, anyone that types a compromised email address knows that he/she has a ledger wallet and crypto. You are leaking to everybody the same information leaked by the hackers and you are compromising the security of that person by revealing the email, exposing him or her to phishing attempts and even to physical risk if the person that performs the search knows the identity of the owner. This is a very serious issue. Please consider sending the results only by email at least for these most serious data breaches where there is physical risk for…
0 votes
There are many, many very good reasons why the service operates in this fashion: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/