Skip to content

General

← Customer feedback for Have I Been Pwned

I suggest you ...

You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

There are two ways to get more votes:

  • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
  • You can remove your votes from an open idea you support.
  • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

229 results found

  1. Instagram 2023 massive hack

    Ok so on January 2023 there was a massive hack on Instagram where the hacked user wants to put the unknown email on the victim's profile to "recover their spam page" , and after that, the victim gets hacked.

    And also, some hacked users wanted your Bank account to recover some gift cards and instead of returning your money, the hacked one steals your money.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →
    declined  ·  AdminTroy Hunt (CEO / Founder, Have I Been Pwned) responded

    Please see the description on the front of the UserVoice page:


    Hi, welcome to the UserVoice for HIBP! Please keep this service focused on feature suggestions. At this time, I'm not able to service support queries. If there's a data breach you'd like added and you have access to the data, please get in touch with me privately. Posting here and asking for a breach to be added doesn't provide anything actionable and the idea will be declined and closed.

  2. Better way to cancel subscription

    For whatever reason, I am not receiving emails for the API Key subscription service. I have verified that noreply@haveibeenpwned.com is on the trusted senders list, is not on the blocked senders list, and have made sure the emails aren't going to junk. Unless Microsoft is blocking emails intentionally, I am not able to cancel my subscription to the API key which I no longer need (switching companies very shortly).

    Please provide a better/easier way to cancel API keys.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    2 comments  ·  Admin →

  3. GDPR

    Dear Troy,

    From the GDPR standpoint, you are in total breach and anyone that is using your service on a large scale is in breach.

    The reason is that GET instead of POST. You should NOT ask your users to submit emails by using GET but ONLY by using POST.

    Because you are using GET, ALL email addresses remain the the Cloudflare loggers and who knows what other server loggers.
    Please switch it to POST!

    Thank you for this kool service!
    Too bad that rate limiting to 1.5 seconds does not help us to deliver a service for companies based…

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
    declined  ·  AdminTroy Hunt (CEO / Founder, Have I Been Pwned) responded

    From a data protection perspective (regardless of which local regulation you choose), the issue is not GET versus POST (or any other verb), the issue is where the data passes through and if it's retained. Cloudflare logs are highly transient, as are the Azure Storage logs when the underlying data structure is queried. GET is the semantically correct verb for retrieving an entity and there are a whole bunch of reasons why it makes more sense, including being able to share a link like this: https://haveibeenpwned.com/account/test@example.com


    As for the rate limit, vote on this idea, it's coming 🙂 https://haveibeenpwned.uservoice.com/forums/275398-general/suggestions/39837802-create-different-pricing-for-different-rate-limits

  4. Please reconsider posting data of the Optus hack, their competency to notify us of what info has been shared we do not trust.

    Please reconsider posting data of the Optus hack. The competency of Optus has been lacking and we do not trust them to notify us of what info has been shared. People who have questioned the information have received different results between contacting them and the emails sent out. Additionally, Virgin mobile whos customers were Optus, their data was included in on this hack can doubly expose users.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  5. partner with other sites, for example hackcheck.io

    Merge APIs, More results, More Support, Etc

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  6. top 1 million by prevalence

    I was thinking that you could help us host the database by offering top X by prevalence. One could then host the database within the enterprise. My simple test showed
    470K Mar 4 04:32 10K.txt
    45M Mar 4 04:31 1M.txt
    9.0M Mar 4 04:46 200K.txt
    16M Mar 4 04:48 345K.txt
    18G Jan 21 05:42 pwned-passwords-sha1-ordered-by-count-v8.7z
    The interesting part is that the prevalence dropped to below 500 at 1M records. SQLite was able to load this into a 155M database which we can easily host ourself.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    1 comment  ·  Admin →

  7. Yandex Eda etc leaks from itarmy.to

    Add Yandex Eda and CDKK leaks from itarmy.to

    Lots of Russian users got their addresses and other very private information revealed, including many from the opposition.

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  8. Add database of passwords longer than 8 characters

    With the new NIST guideline of 8 character minimum password length, it would be useful to have a database of only passwords 8 characters or longer. My assumption is that this would reduce the size of the database significantly.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    1 comment  ·  Admin →

  9. Confused by Gravatar notification

    You tell me that one of my accounts have been Pwned through the Gravatar scrape - but i've never used it or any of the associated companies mentioned. So how would my email even be on there? And, if it is, I can't see how it could have any personal data of mine attached. Thx

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  10. have a way to mark all "breaches" as "rectified" when you changed the pasword.

    We all change our pw frequently... it's hoped,

    so have a way to grade the leak to "critical" before you update the pw for that breach. but then mark it as rectified after the pw is changed

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  11. Clarify "<p>" within the "Title" Field of "Regler" Paste

    The relevant JSON returned from https://haveibeenpwned.com/api/v3/pasteaccount/test@example.com is quoted below:

    {
    "Date": null,
    "EmailCount": 627,
    "Id": "https://underground-revolution.eu/hacked/networkgaming_2013_04_16.sql",
    "Source": "AdHocUrl",
    "Title": "Regler.<p>"
},

    Can you please clarify the inclusion of the "<p>" from "Title" field or if not needed please remove "<p>" from the "Title" field?

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    1 comment  ·  Admin →

  12. Add the recent 500K password breach for Fortinet VPNs

    With the recent revelation of the 500K+ passwords that were scraped from Fortinet VPNs all over the world, it would be of incredible value to be able to check if several deployments were caught up in the breach (by checking a few usernames). Thanks for the great work!

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    1 comment  ·  Admin →

  13. Add a 'AddedDate' field for pastes

    With the current API, for the paste model it is mentioned that the paste date is only included if it is known, and that this value may be null.

    Can you please consider adding a 'date reported' field to the paste model, which would simply be the timestamp of when a given breach is reported by HIBP. That would give a usable reference point as to the possible age / currency of the paste, in the event that the regular date value isn't known.

    This would also be consistent with the breach model in the API, that differentiates between 'BreachDate'…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    1 comment  ·  Admin →

  14. Link Breach Lawsuits

    Link all verified mediums that one can access to join or create a class-action lawsuit/claim related to a data breach.

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  15. The email addresses (2) in the LinkedIn leak are email addresses that I’ve never used on LinkedIn, but on GitHub.

    Are we sure this is a simple scraping leak? Or is something else going on here? Given Microsoft owns the two services, could it be more problematic than we think it is?

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  16. Note where aggregation is suspected.

    So I've just been notified about the LinkedIn "scrape" and have verified that my data predates the Forbes breach. I have used multiple emails for LinkedIn over the years, and my current email is considerably older by a number of years than the HIPB alert might suggest.

    I cannot be the first person to notice this, so it looks like this looks like some sort of peas porridge aggregation. It is notable that my current details are in the Forbes breach but the LinkedIn details are relatively ancient. I know you do not have a lot to go on for…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →

  17. Mark the Guntrader breach as Sensitive

    The Guntrader breach should not be publicly visible as the severity of that leak comes from it revealing the names, addresses and locations of UK gun owners. Guntrader is a site that is purely used to buy and sell legal firearms in the UK so 99% of those with an account have guns. The UK National Crime Agency are involved at a high level as this breach puts gun owners at high risk of criminal attack and theft of firearms by knowing who has them and where. Unlike some countries the UK has very strictly controlled firearms access and guns…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    0 comments  ·  Admin →
    declined  ·  AdminTroy Hunt (CEO / Founder, Have I Been Pwned) responded

    I did consider flagging it as sensitive, but there were insufficient reasons to exclude it from visibility. Further, Guntrader themselves don’t deem it necessary to hide the visibility of an email address on their service (see attachment).

  18. fix API v3 rate limiting which claims to be per API key

    The API v3 rate limiting documentation (https://haveibeenpwned.com/API/v3#RateLimiting) initially claims that the API is rate-limited on a per-API key basis. Reading the fine print, it indicates that the rate limit is actually applied to the IP address. This disconnect leads to immense challenges in working with the API at scale. For example, I bought 7 API key licenses today so that I could work through a very large data set more quickly. However, all of my API keys are working from the same source IP address. So every time your API gets busy, you start blocking me by my…

    3 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    1 comment  ·  Admin →
    declined  ·  AdminTroy Hunt (CEO / Founder, Have I Been Pwned) responded

    The API is rate limited per key at the Azure API Management level. There are no rate limits per IP address. Usually when I hear a report like this, it’s because someone is inadvertently making too many requests so I’d normally suggest changing the API key (you can do that on the page you registered on), then testing the new key totally independently of your code, for example in Postman.

    Closing this “idea” as it’s not an idea, contact me directly if you still have problems: https://www.troyhunt.com/contact/

  19. Add credentials API (to check against strong hashes)

    HIBP unlike other services like enzoic does not yet provide a way to find matches if the breach data contains medium to strong protected passwords.

    To make that passwords searchable without cracking them the API needs to accept the username as input and returns a list of hashes together with meta information e.g. salt and hash algorithm. The client can then for all results use the provided hash algorithm for the password and compare it with the hash from the API result.

    security notes:
    1. you may want to add a second hash algorithm on top to avoid storing passwords…

    1 vote
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    2 comments  ·  Admin →
    declined  ·  AdminTroy Hunt (CEO / Founder, Have I Been Pwned) responded

    The protection level of the password is not an area I want to get into as it leads to (often incorrect) assumptions about whether a breached password is suitable for use. There’s also no need to increase the strength of the hashing algorithm as it’s only designed to obfuscate the PII that appears in some records.

  20. Showing results via Mail

    I think it is a matter of privacy what services (that were breached) I used. This site allows me to type in any e-mail I know and to verify whether or not the person did use a special service. It might seem that this information is not too big of a deal, still I'd consider it private. So my suggestion is that the services only sends back a link to the email that shall be checked and provides the results there.

    14 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    You have left! (?) (thinking…)
    3 comments  ·  Admin →
1 3 5 11 12
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base

(thinking…)