General
198 results found
-
Confused by Gravatar notification
You tell me that one of my accounts have been Pwned through the Gravatar scrape - but i've never used it or any of the associated companies mentioned. So how would my email even be on there? And, if it is, I can't see how it could have any personal data of mine attached. Thx
1 voteUser Voice is for feature suggestions.
Try this resource: https://www.troyhunt.com/why-am-i-in-a-data-breach-for-a-site-i-never-signed-up-for/
-
have a way to mark all "breaches" as "rectified" when you changed the pasword.
We all change our pw frequently... it's hoped,
so have a way to grade the leak to "critical" before you update the pw for that breach. but then mark it as rectified after the pw is changed
1 voteThere are no plans to make HIBP a personal triage system.
-
Clarify "<p>" within the "Title" Field of "Regler" Paste
The relevant JSON returned from https://haveibeenpwned.com/api/v3/pasteaccount/test@example.com is quoted below:
{ "Date": null, "EmailCount": 627, "Id": "https://underground-revolution.eu/hacked/networkgaming_2013_04_16.sql", "Source": "AdHocUrl", "Title": "Regler.<p>" },Can you please clarify the inclusion of the "<p>" from "Title" field or if not needed please remove "<p>" from the "Title" field?
1 voteThis is simply the title on that paste, whoever created it added a
tag to it.
-
Add the recent 500K password breach for Fortinet VPNs
With the recent revelation of the 500K+ passwords that were scraped from Fortinet VPNs all over the world, it would be of incredible value to be able to check if several deployments were caught up in the breach (by checking a few usernames). Thanks for the great work!
3 votesI’ve looked at the data, there’s a very small number of username (not email) and password pairs with many of the latter already in HIBP. At present, loading these would be low-value and high-overhead.
-
Add a 'AddedDate' field for pastes
With the current API, for the paste model it is mentioned that the paste date is only included if it is known, and that this value may be null.
Can you please consider adding a 'date reported' field to the paste model, which would simply be the timestamp of when a given breach is reported by HIBP. That would give a usable reference point as to the possible age / currency of the paste, in the event that the regular date value isn't known.
This would also be consistent with the breach model in the API, that differentiates between 'BreachDate'…
1 voteSo I thought this was a good idea, until I looked at the underlying schema I’d implemented. tl;dr – I don’t capture and store that information in a fashion that makes this request feasible. Sorry!
-
Link Breach Lawsuits
Link all verified mediums that one can access to join or create a class-action lawsuit/claim related to a data breach.
3 votes -
The email addresses (2) in the LinkedIn leak are email addresses that I’ve never used on LinkedIn, but on GitHub.
Are we sure this is a simple scraping leak? Or is something else going on here? Given Microsoft owns the two services, could it be more problematic than we think it is?
1 voteThis is not a feature suggestion. More on the LinkedIn scraping incident in this thread: https://twitter.com/troyhunt/status/1444420522624749570?s=21
-
Note where aggregation is suspected.
So I've just been notified about the LinkedIn "scrape" and have verified that my data predates the Forbes breach. I have used multiple emails for LinkedIn over the years, and my current email is considerably older by a number of years than the HIPB alert might suggest.
I cannot be the first person to notice this, so it looks like this looks like some sort of peas porridge aggregation. It is notable that my current details are in the Forbes breach but the LinkedIn details are relatively ancient. I know you do not have a lot to go on for…
1 voteAny known information of relevance is already captured in the description. More on the specifics of the LinkedIn scrape in this thread: https://twitter.com/troyhunt/status/1444420522624749570?s=21
-
Mark the Guntrader breach as Sensitive
The Guntrader breach should not be publicly visible as the severity of that leak comes from it revealing the names, addresses and locations of UK gun owners. Guntrader is a site that is purely used to buy and sell legal firearms in the UK so 99% of those with an account have guns. The UK National Crime Agency are involved at a high level as this breach puts gun owners at high risk of criminal attack and theft of firearms by knowing who has them and where. Unlike some countries the UK has very strictly controlled firearms access and guns…
1 voteI did consider flagging it as sensitive, but there were insufficient reasons to exclude it from visibility. Further, Guntrader themselves don’t deem it necessary to hide the visibility of an email address on their service (see attachment).
-
fix API v3 rate limiting which claims to be per API key
The API v3 rate limiting documentation (https://haveibeenpwned.com/API/v3#RateLimiting) initially claims that the API is rate-limited on a per-API key basis. Reading the fine print, it indicates that the rate limit is actually applied to the IP address. This disconnect leads to immense challenges in working with the API at scale. For example, I bought 7 API key licenses today so that I could work through a very large data set more quickly. However, all of my API keys are working from the same source IP address. So every time your API gets busy, you start blocking me by my…
3 votesThe API is rate limited per key at the Azure API Management level. There are no rate limits per IP address. Usually when I hear a report like this, it’s because someone is inadvertently making too many requests so I’d normally suggest changing the API key (you can do that on the page you registered on), then testing the new key totally independently of your code, for example in Postman.
Closing this “idea” as it’s not an idea, contact me directly if you still have problems: https://www.troyhunt.com/contact/
-
Add credentials API (to check against strong hashes)
HIBP unlike other services like enzoic does not yet provide a way to find matches if the breach data contains medium to strong protected passwords.
To make that passwords searchable without cracking them the API needs to accept the username as input and returns a list of hashes together with meta information e.g. salt and hash algorithm. The client can then for all results use the provided hash algorithm for the password and compare it with the hash from the API result.
security notes:
1. you may want to add a second hash algorithm on top to avoid storing passwords…1 voteThe protection level of the password is not an area I want to get into as it leads to (often incorrect) assumptions about whether a breached password is suitable for use. There’s also no need to increase the strength of the hashing algorithm as it’s only designed to obfuscate the PII that appears in some records.
-
Showing results via Mail
I think it is a matter of privacy what services (that were breached) I used. This site allows me to type in any e-mail I know and to verify whether or not the person did use a special service. It might seem that this information is not too big of a deal, still I'd consider it private. So my suggestion is that the services only sends back a link to the email that shall be checked and provides the results there.
14 votesThe reasons for the current approach are detailed in this blog post: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
-
Document IP addresses and stability for API
Using your API from our environment requires that we update our network egress rules to allow us to reach you.
I can easily see what IP addresses you're using now, but I can't tell how likely these are to change.
Having this documented would help us make better decisions about how - or whether - to use your API.
tia
1 voteI wouldn’t put any rules in place based on IP, just use the domain name(s).
-
Add doxbin.org paste
I search on doxbin.org some email accounts and then i search on haveibeenpwned.org, but it isn't find the paste.
6 votesThis is not a feature suggestion.
-
Add more phone number and email breach
Please add more email and phone number breach. I search on "keepersecurity" and "nortonlifelock email and phone number dark web monitoring" say to me that there is more breach.
6 votesNo plans to do that for the reasons mentioned here: https://www.troyhunt.com/the-facebook-phone-numbers-are-now-searchable-in-have-i-been-pwned/
-
There was an attack on the website https://www.yemeksepeti.com
- Name-surname, date of birth
- Telephone numbers registered with Yemeksepeti
- E-mail registered with Yemeksepeti
- Address information registered with Yemeksepeti
- Masked login passwords with SHA-256 algorithm that are not clearly visible it was stolen. You must add it to this site.
6 votesThis User Voice is for suggesting features for HIBP. If you have data from a new breach, please get in touch with me directly: https://www.troyhunt.com/contact/
-
improvements to domain search for bigger companies
At thousands of employees, the usability of the domain search falls off a cliff. Here's some of the problems I'm seeing and what would improve my usecase significantly.
problems:
1) email and personal data leaks are a spam/phish/identity problem: password leaks are a direct attack liability
2) company has been around for a decade, thousands of employees, list of leaks and affected users by any of the leaks is long and unwieldy
3) constantly investigating users that are no longer activepotential improvements:
1) focus on password leaks as a higher level of leak than just email and/or personal data…3 votesThis really goes beyond the purpose of HIBP and starts to get into the internal triage processes of your organisation. The intention is to provide the data as I’ve been able to obtain it then the consumer works out what to do with it; which ones are serious (it differs by org), which addresses are still relevant (definitely not something I want to track), and what actions have been taken for an individual breach. APIs exist for you to handle this in conjunction with the domain search.
-
Create or Develop an App for this website name as app name called "Have I Been pwned?/HIBP"
Make it easier to trace in phone if someone is trying to pwned you by opening the App, then boom you know quickly already the updates about your account.
3 votesJust bookmark this page (change the address accordingly): https://haveibeenpwned.com/account/test@example.com
-
How to Delete reported pwnage: Good news and Bad ews
make a deletion of these reports if you have seen it already....
3 votesHIBP isn’t intended to track the state of how individual people see and deal with breaches, there are all sorts of problems associated with that.
-
Domain user accounts
As a consultant, I see several companies that use a Microsoft Windows server and that are currently under cyber attack. looking at the userids that they use to try to get in, I think that somewhere there must be a list of existing userids (and passwords and even PC names) that they can use to login to a domain. Would be useful to get that info in hibp. By the way, on checking the domain names in hibp, I never get a verification code sent to security@....
1 voteThis is cage and not really actionable. If you’re not receiving email, you’re almost certainly blocking it.
- Don't see your idea?