General
71 results found
- Opt-in / Change opt-out type
  It would be great to add opt-in / change opt-out type after user opted-out. For example, I started using 1password, so I would like to switch from "visible just to me" to "delete all previous breaches" so that I can get notification in 1password, resolve it and then "delete all breaches" again.
  3 votes
  You can already do this, just opt out again.
- Provide further evidence to validate how secure this site is
  Given the fact a lot of users who come to this site may already be "super" worried about putting their email address "anywhere" online due to the fact they will have come to this site pretty much following a data breach story and / or because their own account has been compromised, without giving too much away to those that like to hack, would very much appreciate a way in which you could prove an email address is not stored for a user to feel relieved / happy they can use your site confidently and enter an email address. I…
  1 vote
  I honestly can’t see what more I can do beyond what’s already here: https://haveibeenpwned.com/About Beyond that, all I can add is “don’t share anything with a service you don’t trust” 🤷♂️
- Please, could you explain what the meaning of "pwned" is in English? Because I can't find it in any English dictionary.
  1 vote
  Updated the FAQs today, have a look at the first one here: https://haveibeenpwned.com/FAQs
- Allow CSIRTs to be able to monitor their constituents' domains
  CSIRTs usually monitor their customers' domains in order to warn them about potential breaches, vulnerabilities and incidents related to them. It would be good to allow CSIRTs covering a large constituency (like national CSIRTs, industry CSIRTs, academic CSIRTs) to be able to monitor their constituents' domains by accessing the info in a convenient way (by signing, for example, an NDA, compromise, etc.)
  1 vote
  This is already possible via Enterprise services, get in touch for more: https://www.troyhunt.com/contact/
- V5 files contain seeded hashes?
  The latest V5 password files sorted by hash come up negative with all tested passwords. It looks like the hashes are seeded or non-standard. This applies to both SHA1 and NTLM files of version V5.
  1 vote
- Sort pwned sites by date
  Hi, can you sort pwned sites by date rather than alphanumerically - most recent discoveries first?
  66 votes
  This is now available in the new website we just launched: https://haveibeenpwned.com/PwnedWebsites
- Add search passwords by a hash value
  Let users use pre-generated hash values to search. Yeah, I know you calculate hashes of typed passwords on a client side, but some people still prefer not to type their password on 3rd party sites.
  25 votes
  Well and truly done and available here: https://haveibeenpwned.com/Passwords Docs for k-anonymity: https://haveibeenpwned.com/API/v3#PwnedPasswords
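The k-anonymity lookup behind the Pwned Passwords API, as an added example (not the site's or the author's code): only the first five hex characters of the SHA-1 leave the client, and the caller matches the remaining 35 characters locally against the returned range, so a caller can search by a precomputed hash without ever typing the password. The range body below is constructed for the example; only the first suffix is the real SHA-1 tail of "password", and all counts are made up.

```python
import hashlib
import re

# Constructed stand-in for a Pwned Passwords range response for prefix 5BAA6.
# The live service serves such a body at https://api.pwnedpasswords.com/range/<prefix>;
# nothing here is fetched. Only the first suffix is the real SHA-1 tail of "password";
# the other suffixes and every count are invented, and one line is deliberately malformed.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
0F3C1BA0B5B3D9A3C7E2D1F0A9B8C7D6E5F:3
ABCDEF0123456789ABCDEF0123456789ABC:1
not a valid line
"""

HEX35 = re.compile(r"^[0-9A-F]{35}$")


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str) -> tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char prefix that is sent and the 35-char suffix kept local."""
    h = hash_hex.strip().upper()
    if len(h) != 40 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError("expected a 40-character hex SHA-1 hash")
    return h[:5], h[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; skip malformed lines instead of trusting them."""
    out: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and HEX35.match(suffix) and count.isdigit():
            out[suffix] = int(count)
    return out


def count_for_hash(hash_hex: str, range_body: str) -> int:
    """Search by hash: return the breach count for a SHA-1 given the range body for its prefix (0 = not found)."""
    _prefix, suffix = split_hash(hash_hex)
    return parse_range(range_body).get(suffix, 0)


def count_for_password(password: str, range_body: str) -> int:
    """Client-side hashing followed by the same local suffix match."""
    return count_for_hash(sha1_hex(password), range_body)
```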
- Fix Table of Response Codes within API v3 Documentation
  Can you please insert the following into https://haveibeenpwned.com/API/v3#ResponseCodes
   - 503 "Service Unavailable" from https://haveibeenpwned.com/API/v3#RateLimiting
   - 401 "Unauthorized" from https://haveibeenpwned.com/API/v3#Authorisation
  3 votes
  Good points, now implemented in source and will be pushed out publicly soon
- Fix "Pwned Passwords" Two APIs Sentence in Documentation
  Please remove "It's also queryable via the following two APIs:" from https://haveibeenpwned.com/API/v3#PwnedPasswords please, as the first API is deprecated?
  3 votes
  Fixed in source and will go out with the next release
- haveibeenpwned.com/api
  I now get this: "You have been blocked from accessing this resource on Have I Been Pwned" when using the URI for account checking. I tried it on 3 systems (IPs) and get the same result https://haveibeenpwned.com/api/v2/breachedaccount/test@test.com?truncateResponse=true Is this because of the test@test.com?
  1 vote
  If you’re accessing the API, make sure you adhere to the requirements, particularly around the UA string: https://haveibeenpwned.com/API/v2#UserAgent
- Allow viewing of one pwned website at once
  On the Pwned Websites list (https://haveibeenpwned.com/PwnedWebsites), there is no way to link to a specific site. This could be done easily in two ways: 1) Give each pwned website its own page (e.g. https://haveibeenpwned.com/PwnedWebsites/Verifications-IO) that just gives that website's description. 2) Add an anchor link to each pwned website's header so we can deep-link directly to one site. Ideally both could be done, and should be relatively easy (I think). The reason I want this is that I monitor our corporate network for any corporate accounts that are included in breaches, and let people know about them.…
  1 vote
  So this was always possible (each breach has an anchor that can be linked to), but there wasn’t an easily clickable reference. I’ve just added a permalink under each breach description which should make this easier. It’s now deploying, let that finish and allow cache to flush and it’ll be good.
- Add support for NTLM (MD4) hashes to enable Active Directory auditing
  I wanted to use the list to check existing Active Directory (AD) passwords against this wonderful HIBP list, but the problem is that neither the API nor the offline list support MD4 hashes (AKA NT one-way function or NTLM hash) that are stored in AD databases (together with salted SHA1 and MD5, which therefore cannot be precomputed). Would it please be possible to also add support for this (weaker) type of hashes? It would be great to have them available at least through the API and ideally also in a downloadable form.
  30 votes
  This was completed last year, I just forgot to update the status! More here: https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/
- Add domain search capability to the API functions
  I've been subscribing to the alerts for breaches related to our corporate domain, which is fantastic, but now that we have Splunk in house, I was hoping to connect directly to the API from a forwarder.
  269 votes
  It's now live! Thank you all for supporting this idea, enjoy: https://www.troyhunt.com/welcome-to-the-new-have-i-been-pwned-domain-search-subscription-service/
- Search by phone number
  It would be neat if you could test for pwned accounts searching by phone number. Some utility companies know my phone number but not my email.
  280 votes
  Here’s the background on what’s been done: https://www.troyhunt.com/the-facebook-phone-numbers-are-now-searchable-in-have-i-been-pwned/
- 51 votes
  This is now done! Both the top 10 biggest and the 10 newest are now on the front page.
- Have a FAQ that explains breached passwords to users in easy to understand language
  It would be nice if we had a FAQ that we could link to when checking a password against HIBP, when a password is found in the list, to explain to users what this means in simple terms. E.g. The password you've chosen was found in a list of passwords that have been hacked from a website in the past. We highly recommend not using such a password anywhere because it means that your account's security is extremely weakened. For more information, please read [some more detailed FAQ]
  1 vote
  Great idea, done! Try this: https://haveibeenpwned.com/FAQs#PwnedPasswordFound
- Add potential causes for the 503 response.
  A 503 response is given for a single query to the breached account API, but not the pwnedpassword API.
  1 vote
  I’ve just added info on the 503 status here: https://haveibeenpwned.com/API/v2#RateLimiting Per the existing documentation, there are no rate limits on the Pwned Passwords API.
- Fix this bug: Different results for the same e-mail
  When I check my e-mail using the website https://haveibeenpwned.com/ it shows "Good news — no pwnage found!". Then I clicked on "Notify me when I get pwned". I received an e-mail with a URL to confirm and, when I click this URL, it opens the same site showing "Already verified" but right below "Oh no — pwned!" with one specific site that makes sense.
  1 vote
  You’re seeing a result when you click the verify link that’s been flagged as “sensitive”. It’s likely an adult website – these are not shown for public searches of an address.
- Use JavaScript front-end that converts password to hash on client before sending across web
  To mitigate the risk of sending passwords as straight text over the web to your site, could you not have client-side JavaScript that converts the password to the SHA1 hash and send the hash to be checked?
  3 votes
  The pwned passwords page already does this.
- Add a link to the site explaining what to do when you are a victim of a data breach.
  My email address popped up as being part of a breach. What are the next steps?
   * void the respective accounts?
   * Just change the password?
   * Other options?
  It would be nice just to have a link to some mitigation actions for the present and also for the future. Thanks for the effort put into this site
  97 votes
  I’ve just implemented this by virtue of the 1Password partnership blogged about here: https://www.troyhunt.com/have-i-been-pwned-is-now-partnering-with-1password/