General
64 results found
-
I reiceived an email that I'm in the Epik hack, but I have never had an account there so it seems something is off.
I reiceived an email that I'm in the Epik hack, but I have never had an account there so it seems something is off with hibp?
1 voteThe only thing that is “off” is Epik scraping and storing WHOIS data: https://twitter.com/troyhunt/status/1439705567400894464?s=21
-
Erroneous link to v2 API documentation
On page https://haveibeenpwned.com/PwnedWebsites the link on the sentence "These are accessible programmatically via the HIBP API" still redirects to the deprecated v2.
1 voteHey, good find! Thanks very much, fixed in source, I’ll push it out with the next release.
-
API access: Recurring yearly payment
This would help us alot as a company. Doing monthly bill mapping with a corporate creditcard is not working for us :-)
This is coming soon! Announcement and details here: https://www.troyhunt.com/expanding-and-enhancing-the-have-i-been-pwned-api/
385 votesThis is now complete! Read all about it here: https://www.troyhunt.com/the-have-i-been-pwned-api-now-has-different-rate-limits-and-annual-billing/
-
Create different pricing for different rate limits
Right now there is a 1.5-second delay time b/w request, which is a long delay wait-time for us.
Currently, we have to thread multiple API keys together to decrease the rate limit, though we'd rather only have to use one and pay a bit extra.
It would be very helpful if we could pay extra to have a lower rate limit (e.g. think tiers for rate limits maybe?)This is coming soon! Announcement and details here: https://www.troyhunt.com/expanding-and-enhancing-the-have-i-been-pwned-api/
119 votesThis is now complete! Read all about it here: https://www.troyhunt.com/the-have-i-been-pwned-api-now-has-different-rate-limits-and-annual-billing/
-
Offer a direct link to an account's breaches
It would be helpful if we could directly link to an account's breaches info.
For example, using an URL like https://haveibeenpwned.com/#example%40example.com to directly open the pwned information for example@example.com.
This would make it easier to integrate HIBP into other products without having to recreate the whole pwned information webpage.
1 voteIt already does this: https://haveibeenpwned.com/account/test@example.com
-
Test accounts that always return the same results
For unit testing purposes, to be able to be certain that the data from HIBP is parsed and stored in the application correctly.
1 voteGreat idea! I already had all the accounts set up, I’d just never documented them. That’s now up here: https://haveibeenpwned.com/API/v3#TestAccounts
-
Add API search for telephone number
The current API allows the list of pwned accounts (email addresses and usernames) to be quickly searched via a RESTful service.
Can you add the phone number search (based on your portal search for Facebook breach)?
1 voteIt already does this.
-
to make a list of pwned apps or websites from old to new so that it wouldn't be hard for us to scroll down-scroll own to the pwned things.
make a button for List Of Pwned Apps/Websites, then add summary of each Pwned A/W.
1 voteThis already exists: https://haveibeenpwned.com/PwnedWebsites
-
Add an option to search breached accounts through a username
And it could work that if there are multiple accounts using the same username then you for example can choose the one that's yours
1 voteHIBP already has this construct: https://www.troyhunt.com/searching-snapchat-data-breach-with/
But it’s very rarely used as usernames are difficult to parse out, not unique to an individual and almost always accompany email addresses which can more reliably be searched.
-
Search by email address domain?
I have my own domain with a catch-all service. Every website I register get's a different mail address which makes it easier to block addresses that receive spam (after a leak) and to check if the sender is really the sender. Checking each mail address individually is time consuming, can I somehow check all mailaddresses ending with my specific domain?
1 voteTry the domain search link on the website.
-
automatation / ml / nlp for surfacing "sensitive" breach
Curious about your thoughts on using some sort of automation / aggregation / ML to help classify what constitutes a "sensitive" breach, and also what the most up-to-date state of "sensitive breach" classification logic is.
Would also be great to have an easy-to-find and up-to-date list of what those sites are.
1 voteThis is already available on the website under the breach description here: https://haveibeenpwned.com/PwnedWebsites
Or via the API here: https://haveibeenpwned.com/API/v3#AllBreaches
-
top list of worst passwords.
Not sure how prevalent very popular passwords are, so Id suggest if possible, it would be a real nice feature to see the worst offenders in order of most reused.
For instance "password", is its millions of instances actually #1 or is something else more prevalent?
Seeing the worst of the worst in terms of commonality/instances of use would be a nice tool for average users to gauge just exactly how bad that "Password1!" workaround really is.
1 voteTry this list from the NCSC: https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere
-
Being able to clear the history of breaches.
I would love to be able to clear the breached websites that my email adress has. I think this would be a great addition to the opt-out feature.
1 voteThis is pretty much what one of the opt-out options already does: “delete all data breaches against my email address”.
-
Cannot do payments from debit card for one time.
You should add debit cards also in payment and upi.
1 votePayment via debit card is already supported.
-
Opt-in / Change opt-out type
It would be great to add opt-in / change opt-out type after user opted-out. For example, I started using 1password, so I would like to switch from "visible just to me" to "delete all previous breaches" so that I can get notification in 1password, resolve it and then "delete all breaches" again.
3 votesYou can already do this, just opt out again.
-
Provide further evidence to validate how secure this site is
Given the fact a lot of users who come to this site may already be "super" worried about putting their email address "anywhere" online due to the fact they will have come to this site pretty much following a data breach story and / or because their own account has been compromised, without giving too much away to those that like to hack, would very much appreciate a way in which you could prove an email address is not stored for a user to feel relieved / happy they can use your site confidently and enter an email address.
I…
1 voteI honestly can’t see what more I can do beyond what’s already here: https://haveibeenpwned.com/About
Beyond that, all I can add is “don’t share anything with a service you don’t trust” 🤷♂️
-
Please. could you explain whats the meaning of "pwned" in English?, because y cant't find it in any english dictionary.
Please. could you explain whats the meaning of "pwned" in English?, because y cant't find it in any english dictionary.
1 voteUpdated the FAQs today, have a look at the first one here: https://haveibeenpwned.com/FAQs
-
Allow CSIRTs to be able to monitor their constituents domains
CSIRTs use to monitor their customers domains in order to warn them about potential breaches, vulnerabilities and incidents related to them. It should be good to allow CSIRTs covering a large constituency (like national CSIRT, industry CSIRTs, Academic CSIRTs) to be able to monitor their constituents domains by accessing the info in a convenient way (by signing, for example, an NDA, compromise, etc)
1 voteThis is already possible via Enterprise services, get in touch for more: https://www.troyhunt.com/contact/
-
V5 files contain seeded hashes?
The latest V5 password files sorted by hash come up negative with all tested passwords. It looks like the hashes are seeded or non-standard. This applies to both SHA1 and NTLM files of version V5.
1 vote -
Add search passwords by a hash value
Let users use pre-generated hash values to search. Yeah, I know you calculate hashes of typed passwords on a client side, but some people still prefer not to type their password on 3rd party sites.
25 votesWell and truly done an available here: https://haveibeenpwned.com/Passwords
Docs for k-anonymity: https://haveibeenpwned.com/API/v3#PwnedPasswords
- Don't see your idea?