General
56 results found
-
Have a FAQ that explains breached passwords to users in easy to understand language
It would be nice if we had a FAQ that we could link to when checking a password against hipb, when a password is found in the list to explain to users what this means in simple terms. E.g. The password you've chosen was found in a list of passwords that have been hacked from a website in the past. We highly recommend not using such a password anywhere because it means that your account's security is extremely weakend. For more information, please read [some more detailed FAQ]
1 voteGreat idea, done! Try this: https://haveibeenpwned.com/FAQs#PwnedPasswordFound
-
Add potential causes for the 503 response.
A 503 response is given for a single query to the breached account api, but not the pwnedpassword api.
1 voteI’ve just added into on the 503 status here: https://haveibeenpwned.com/API/v2#RateLimiting
Per the existing documentation, there are no rate limits on the Pwned Passwords API.
-
Fix this bug: Different results of same e-mail
When I check my e-mail using the website https://haveibeenpwned.com/ it shows "Good news — no pwnage found!".
Then I clicked on "Notify me when I get pwned". I received an e-mail with an URL to confirm and, when I click this url, it opens the same site showing "Already verified" but right below "Oh no — pwned!" with one specific site that makes sense.
1 voteYou’re seeing a result when you click the verify link that’s been flagged as “sensitive”. It’s likely an adult website – these are not shown for public searches of an address.
-
Use javascript front-end that converts password to hash on client before sending across web
To mitigate the risk of sending passwords as straight text over the web to your site, could you not have client-side javascript that converts the password to the SHA1 hash and send the hash to be checked?
3 votesThe pwned passwords page already does this.
-
Add a link to the site explaining what to do when you are a victim of data breach.
My email address poped up as being part of a breach. What are the next steps?
* void the respective accounts?
* Just change the password?
* Other options?It would be nice just to have a link to some mitigation actions for present and also for the future.
Thanks for the effort put on this site
97 votesI’ve just implemented this by virtue of the 1Password partnership blogged about here: https://www.troyhunt.com/have-i-been-pwned-is-now-partnering-with-1password/
-
Add a FAQ explaining what it means when a USERNAME that IS an e-mail address, appears on a Web site that you have never used.
There is a FAQ explaining that a non-email userid can appear as a breach from a site that you have never used, because of collisions (others reusing the same e-mail address). I have an e-mail address that I have used for 20 years, which shows up in the MYSPACE and also the BITTORRENT FORUM breaches. I have never used either of these sites. A FAQ saying how this is possible would be welcomed.
1 voteGreat suggestion! Done: https://haveibeenpwned.com/FAQs#UnknownService
-
Add more leak source
Add more leak source :
- https://twitter.com/pwnagemon
- https://twitter.com/d2dedwad26 votesJust added these to the list HIBP consumes from: https://twitter.com/haveibeenpwned/lists/paste-sources
Lot of redundancy with existing sources, but provides some resiliency if one of them is down. Thanks!
-
Explicitly state the email address that the notification is referring to.
If you're forwarding emails from a bunch of other addresses it can be awkward to work out which address is involved in the breach. Explicitly stating the email address in the notification would make this easier.
8 votesThis has now been completed and will be included in all future breach notiifcations
-
API option to only return whether an account is breached or not
At the moment when querying an email address, the names of the sites breached are returned, in some circumstances this may not be desirable due to local legislation. Is it possible to have an API option to return whether an account has been involved in a breach or not rather than names of breached services?
1 vote -
Include email address in email correspondance when registering
I have registered several email addresses that I own and that results in a registration email and summary page for each one.
It's not possible to see in the email body, or on the summary page, which email address they belong to. This is especially tricky with my Exchange inbox which has several email aliases.
13 votesGood suggestion, done!
-
Don't Just Tell Me That SOMEONE In My Domain Has Been Pwn3d, Tell Me Who
I got an email, this morning, from HIBP, that someone on one of my domains had their account hit in the linkedIn hack, but the address was not listed in the email. It would be nice to know who that was, instead of having to test every single address in this domain to find out.
1 votePer the comment here, follow the link in the email received to run another search. Impacted addresses are never sent via email for privacy purposes.
-
Allow users to remove entries associated with their email address from the database
Or give folks the option to hide their own results from the larger public. As currently configured, the site makes information that is otherwise only available on the darkweb (e.g., saliently, that you were an AdultFriendFinder user) readily accessible to anybody with an internet connection.
This would only really make sense for pwned email addresses, since there would be no easy way to prove you are the owner of a given account otherwise.
64 votes -
Add sprashivai.ru breach
Website with questions with high popularity in Russia 'sprashivai.ru' (clone of formspring.me and so on) has been breached recently.
https://vk.com/wall6492_5205 (in russian)
http://tjournal.ru/p/sprashivairu-passwords-leak (in russian)(I don't know where to get data)
1 voteGreat tip! The data is now live on the site.
-
Include RAT and Keylogger logs.
Including things like this (http://pastebin.com/4fJAYTRt) would be a good addition to those who have been infected and do not know about it.
1 voteAlready implemented in the paste service.
-
Add breaches that may be hoaxes, but make it clear!
Often there are "breaches" which turn out to be hoaxes. On the one hand, having only verified breaches in the system is important in terms of confidence in the data but on the other hand, people still want to know if their email address is circulating in a hoax breach.
This feature would need to indicate that the breach has not been verified and may be a hoax. It's also important that it wouldn't just automatically appear in results returned by the API, rather it could be requested by passing a parameter to the API such as "IncludeUnverifiedBreaches=true" where the…
9 votes -
Enable a web hook for a callback when an account I'm monitoring is pwned
At present, notifications can be set up for when an individual address is pwned or when an address on a domain someone is monitoring is pwned. This idea is to programatically enable calling an HTTP endpoint when this event occurs.
The benefit of this idea is that developers can then implement their own logic which is automatically invoked when an event like this occurs. It's of most value to those monitoring domains where notifications are no a rare occurrence, particularly when we're talking about larger domains.
12 votesThis is now complete and is documented here: http://www.troyhunt.com/2015/07/have-i-been-pwned-goes-little-bit.html
- Don't see your idea?