General
-
Question: any way to opt-out a closed e-mail account address?
I asked to opt-out an e-mail address, but since I closed the e-mail account (it's already a year since) I find difficulty in confirming the verification e-mail. Any alternative thing I can do to try to block the e-mail address from showing in this site? Thanks!
1 vote
-
located source of a paste
I was informed that my email was on a paste AE4dYZG1.txt 6 Jan 2019 involving 3091 accounts.
The source of this breach is www.netpricedirect.co.uk.
1 vote
Thank you. Closing here as it’s not a feature request.
-
Provide database dump for hashes of email address for offline download
This can be very useful for companies to verify whether their users (non-staff) are affected by any breaches and to inform them not to share passwords between different systems. I'm residing in the EU, and GDPR doesn't allow us to send emails to your API to check whether a particular email address appears in any breach.
1 vote
This would enable anyone to download everyone’s data. Hashes may be cracked which would allow for mass enumeration of emails in a breach. There is no provision in GDPR which prohibits an EU data subject from searching for their email address via the online service.
-
I'm getting an "Oh no catastrophic failure" message repeatedly for one password in particular - I'd like to understand what that means.
I'd like to understand what the "Oh no catastrophic failure" message actually means.
1 vote
Insufficient information to reproduce
-
Domain Verification - Not received after several tries.
Verification token sent An email containing a verification token has been sent off to the address you chose, just copy................
Kindly help for fix.
For your note:
1. Domain not blocked in mail server
2. haveibeenpwned domain - whitelisted
3. message header not found in mail server inbound logs
1 vote
UserVoice is for submitting new ideas so I’m closing this one out. Make sure your mail server is allowing messages from noreply@haveibeenpwned.com
-
... make it easy to see what data are associated with a breach for a given account.
The mere fact of a breach means very little if the associated website or other details are not findable. (I have to admit I have no idea whether the API addresses this, but I have no idea how to use it anyway.)
HPI gives heaps of info: Affected Service, Date, Verified, Password, First and last name, Date of birth, Address, Telephone number, Credit card, Bank account details, Social security number, IP Address
Am I missing something?
This should be emailable to the account holder in the same way, I would have thought.
1 vote
There are two important comments on this:
Firstly, HIBP describes the data classes that were exposed. If it says “email addresses and phone numbers”, for example, then your email address and phone number were almost certainly in the breach. The vast majority of the time, this is the data you gave the website.
More importantly though – and the reason for closing this as “declined” – is that it’s just too great a risk to store this information. Often the data is extremely personal and it was also often improperly secured in the first place. For example, plain text passwords, something I would never consider storing in my system.
So in short, the risks are too great and the benefits are minor given it’s data you’ve normally already provided yourself anyway.
-
Include leaked password
You very kindly just sent me an email that my email address and unsalted password were included in the 2012 LinkedIn breach.
I can't remember which password I was using in 2012, and hence don't know which other accounts need a password change. Could you send the leaked hash (or otherwise, depending on the breach) to the affected email?
3 votes
This presents too many risks, more info here: https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/
-
Add Retry-After to Access-Control-Expose-Headers
When hitting a 429 response, a cross-origin request does not have access to the Retry-After header.
3 votes
If the 429 is raised by the origin web server, you’ll get a retry-after. If you’ve been absolutely hammering the service and Cloudflare steps in and rate limits, you won’t get a retry-after from them.
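The practical consequence of the reply above is that a client cannot rely on Retry-After being present on a 429: a cross-origin caller does not see it unless it is listed in Access-Control-Expose-Headers, and nobody sees it when the rate limit is applied upstream of the origin. The helper below is an added example (not code from HIBP or from this thread) that honours the header when it is visible, in either delta-seconds or HTTP-date form, and otherwise falls back to capped exponential backoff with jitter. The header dictionaries and the FIXED_NOW timestamp are constructed for the demo; the same logic applies unchanged to a browser fetch() client.

```python
import random
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Mapping, Optional

# Constructed "now" so the HTTP-date branch is deterministic in the demo.
FIXED_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def retry_delay_seconds(headers: Mapping[str, str], attempt: int,
                        now: Optional[datetime] = None,
                        jitter: Optional[float] = None,
                        base: float = 1.0, cap: float = 60.0) -> float:
    """Seconds to wait before retrying a request that got a 429.

    If a Retry-After header is visible, honour it (delta-seconds or HTTP-date).
    If it is not (header not exposed cross-origin, or the limit was applied
    upstream of the origin), fall back to capped exponential backoff with
    jitter so that many clients do not retry in lockstep.
    """
    now = now or datetime.now(timezone.utc)
    # Header names are case-insensitive; match whatever casing the client library kept.
    raw = next((v for k, v in headers.items() if k.lower() == "retry-after"), None)
    if raw is not None:
        raw = raw.strip()
        if raw.isdigit():                       # e.g. "Retry-After: 3"
            return float(raw)
        try:                                    # e.g. "Retry-After: Mon, 01 Jan 2024 12:00:30 GMT"
            when = parsedate_to_datetime(raw)
        except (TypeError, ValueError):         # older Pythons raise TypeError on junk
            when = None
        if when is not None:
            if when.tzinfo is None:             # "-0000" dates come back naive; treat as UTC
                when = when.replace(tzinfo=timezone.utc)
            return max(0.0, (when - now).total_seconds())
        # Unparseable value: fall through to backoff rather than retrying immediately.
    if jitter is None:
        jitter = random.uniform(0.0, base)
    return min(cap, base * (2 ** attempt)) + jitter


if __name__ == "__main__":
    # Origin-server 429 with the header, then an upstream 429 without it.
    print(retry_delay_seconds({"Retry-After": "3"}, attempt=0))
    for attempt in range(5):
        print(attempt, round(retry_delay_seconds({}, attempt), 2))
```

Pass jitter=0.0 when you need the backoff schedule to be reproducible (tests, log correlation); leave it unset in production so that a burst of clients that were all rate limited together spread their retries out.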
-
API for recommending to allow/forbid a specific credential set.
Perhaps as a premium service, allow a caller to post an email / password combination. HIBP responds with a recommendation on whether to allow the user to use that password on caller's system. Known pwn'd combinations would always recommend "forbid", as well as perhaps forbidding any password in the top % of pwn'd passwords by frequency.
The end goal is giving system owners a way to steer users away from not only weak but also repeat & known-compromised credentials. I understand that data extraction would be a concern, thus the "premium" service suggestion.
3 votes
I understand the ask, but I definitely don’t want to store credential sets in any way, it just poses too great a risk for users and myself alike.
-
when I enter capital letter in domain name it is not working. Please make it case sensitive
1 vote
Domain searches definitely aren’t case sensitive, add specific details if you believe it’s not working with a particular name.
-
Mark ArmorGames as confirmed pwned
I use unique email address per subscriber, and I suddenly started receiving spam on the email I used to signup for armorgames.
They are not trustworthy. -- this is not an idea, but I saw that you have listed them as unconfirmed; I can confirm my data was leaked from their site --
1 vote
It’s the combination of Armor Games and Coupon Mom together which means this breach is unverified; I can’t emphatically say which addresses are from which service.
-
1 vote
There was no Twitter breach, they inadvertently logged passwords to an internal system and there’s no evidence they were ever obtained by an unauthorised party.
-
Add possibility to get total count of leaked emails for specific domain through API
The possibility of getting the total count of email addresses leaked for a specific IP is very useful due to problems exporting the data for a domain search when there are really many emails. In my case it happened that after export it showed only the "Pastes" database and no other leaks. I have checked some email addresses from the exported CSV list and through the online database, and the results were not the same.
And if a total count for the domain is available, it will be much easier to compare results and see the differences; such information can also be useful for online threat intelligence platforms.
3 votes
A count alone won’t do much good, people want to know who was impacted in the breach. Plus, you already get a count at the top of the search page or can look at the rows in the CSV.
Separately to this, if the results you’re seeing aren’t accurate, just check it’s not due to public searches not showing sensitive breaches.
-
Bring back sorted hashes
I used to lookup password hashes by a binary search in the sorted password list (iterating over the initial database and the 2 updates).
With the new database 2.0 this is no longer possible (unless I sort the downloaded hashes).
Please bring back the sorted hashes.
I do not care for the counts that have been added - perhaps another file with sorted hashes and without counts (to somewhat reduce the file size) could be offered for download?
1 vote
I’m trying to avoid having multiple versions of the same thing, I suggest that if a different order is important you just do a one-off reordering of the file.
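The one-off reordering suggested in the reply above, carried through as an added example (not code from HIBP or from the poster): sort the hash:count download once by its hash field, then binary search the sorted file on disk without loading it. Because the counts make the lines variable length, the search works over byte offsets and re-aligns to a line start after every probe; that is the part a naive fixed-width binary search on the old count-less list did not need. The rows, the counts and the file path are constructed for the demo; only the "<SHA-1>:<count>" line shape matches the real download.

```python
import hashlib
import os
import tempfile
from typing import Optional


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the key format used in the Pwned Passwords download."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample rows in the "<SHA-1>:<count>" shape of the download.
# The counts are made up for this example and the order is deliberately not
# hash order, standing in for the prevalence-ordered download.
CONSTRUCTED_ROWS = [
    (sha1_hex(p), n)
    for p, n in [("123456", 9), ("password", 7), ("qwerty", 5),
                 ("letmein", 3), ("hunter2", 2)]
]


def write_sorted_copy(rows, path: str) -> None:
    """One-off reordering: sort by the hash field and write hash:count lines."""
    with open(path, "w", newline="\n") as f:
        for digest, count in sorted(rows, key=lambda r: r[0]):
            f.write(f"{digest}:{count}\n")


def _first_line_at_or_after(f, pos: int):
    """Return (offset, line) of the first line whose start is at byte offset >= pos."""
    if pos == 0:
        f.seek(0)
    else:
        f.seek(pos - 1)
        f.readline()          # finish the line containing pos-1; now at a line start >= pos
    start = f.tell()
    return start, f.readline()


def lookup_count(path: str, sha1_upper: str) -> Optional[int]:
    """Binary search the hash-sorted file on disk; returns the count or None."""
    key = sha1_upper.upper().encode("ascii")
    with open(path, "rb") as f:
        lo, hi = 0, os.fstat(f.fileno()).st_size   # invariant: target line starts in [lo, hi)
        while lo < hi:
            mid = (lo + hi) // 2
            start, line = _first_line_at_or_after(f, mid)
            if not line:                 # no line starts at or after mid: look earlier
                hi = mid
                continue
            digest, _, count = line.rstrip(b"\r\n").partition(b":")
            if digest == key:
                return int(count)
            if digest < key:
                lo = start + len(line)   # this line and everything before it is too small
            else:
                hi = mid                 # this line and everything after it is too big;
                                         # the line straddling mid (if any) stays in range
    return None


def build_demo_file() -> str:
    """Write the constructed rows, sorted, to a temp file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "pwned-passwords-sorted.txt")
    write_sorted_copy(CONSTRUCTED_ROWS, path)
    return path


if __name__ == "__main__":
    demo = build_demo_file()
    for pw in ("password", "hunter2", "correct horse battery staple"):
        print(pw, "->", lookup_count(demo, sha1_hex(pw)))
```

On the real multi-gigabyte file, write_sorted_copy should be replaced by an external sort (for example `LC_ALL=C sort` on the download, which orders by the hash field because every hash is exactly 40 characters and is followed by a colon); lookup_count then needs only a handful of seeks per query.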
-
Notification before loading breach onto Azure
In the past I have recreated the Maltego Graph of all breached sites/names and domains and when I have pushed this to GitHub another breach has been loaded on the same day by a tweet from https://twitter.com/haveibeenpwned
Can you publish a counter estimating when the next series of breaches will be made available?
I understand that breaches may be loaded concurrently and/or urgently, etc. Neither am I asking for you to publish the name of the website that you are confirming has been breached, etc
3 votes
There’s nowhere near enough predictability to do this, just monitor the breaches API and you’ll know as soon as a new one is there.
-
3 votes
This is already supported here: https://haveibeenpwned.com/OptOut
-
What is LogoType?
Can you describe what the intended use of the LogoType field in the Breach object is? I can't find anything in the API docs that describes the field. I know what SVG and JPG are, but to what do they refer? Do you have (or plan to have) an API that will return a logo for the name of a breach? I can see from the source of your web pages that you have that data in the content folder
1 vote
This is intentionally undocumented and will be replaced by a formally documented alternative in the future.
-
URI for "Pwned Password"
Can you add an enhancement to https://haveibeenpwned.com/Passwords which is https://haveibeenpwned.com/Passwords/[Password/SHA-1] similar to the "account" URI such as https://haveibeenpwned.com/account/christian.heinrich@cmlh.id.au please?
3 votes
All endpoints that allow searching by individual email address or complete hash are slated for deprecation, use the range search instead.
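The range search recommended in the reply above, as an added example (not HIBP's own client code): hash the password with SHA-1, send only the first five hex characters to the range endpoint, and compare the remaining 35 characters against the returned suffix list locally, so the full hash never leaves the client. The fake_fetch_range transport and the CONSTRUCTED_RANGES bodies are constructed for the demo so that it runs offline; the real endpoint is GET https://api.pwnedpasswords.com/range/{prefix}, and the zero-count padding lines mirror what the service returns when the Add-Padding header is set.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range(sha1_upper: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix goes to the API, the 35-char suffix stays local."""
    digest = sha1_upper.upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Entries with a count of 0 are padding added by the service when the caller
    sends Add-Padding: true; they are not real matches and are dropped here.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in Pwned Passwords, 0 if absent."""
    prefix, suffix = split_for_range(sha1_hex(password))
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def http_fetch_range(prefix: str) -> str:
    """Real transport (not used by the offline demo or the tests)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "range-search-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def _constructed_ranges() -> Dict[str, str]:
    """Fake range responses from a few passwords with made-up counts,
    plus one zero-count padding line per range as a padded response would carry."""
    grouped: Dict[str, List[str]] = {}
    for pw, n in [("password", 7), ("123456", 9), ("hunter2", 2)]:
        prefix, suffix = split_for_range(sha1_hex(pw))
        grouped.setdefault(prefix, []).append(f"{suffix}:{n}")
    for lines in grouped.values():
        lines.append("0" * 35 + ":0")          # padding entry; must be ignored
    return {p: "\r\n".join(lines) for p, lines in grouped.items()}


CONSTRUCTED_RANGES = _constructed_ranges()


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for http_fetch_range; unknown prefixes return an empty range."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for pw in ("password", "hunter2", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fake_fetch_range))
```

Swap fake_fetch_range for http_fetch_range to query the live service; the prefix is the only thing sent over the wire, which is why the range endpoint can remain public while single-hash lookups are being retired.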
-
explain in the FAQ why a mail address (mine!) appears as hacked in your tool, but the associated password is not listed as hacked?
Does it mean that the e-mail address was hacked, but that the associated password was not decrypted? If not, why is the password not found in your database? Thanks.
1 vote
HIBP does not store passwords.
-
Not very smart features
I've changed my password but my mail remains in the list. When my account is "pwned" again, I will not know about it.
1 vote
HIBP is a reflection of which emails were breached in which systems and is not designed to track what changes are made to an account post-breach.