General
215 results found
-
Add as a FAQ how Pwned Passwords aligns with Google's new Safety Check
Google now detects some email / password combo breaches. Google doesn't have any more detail on when / what / where. What might explain any difference w Pwned Passwords?
3 votesTotally different services, I’m unsure whether Google uses and data from HIBP or just sources it all themselves.
-
Option to return "no breaches found" in json body, rather than simply a 404 status
It would be good to be able to return something in the json body when no breaches are found for an account.
A parameter to enable this message would be great.
I'm working with a 3rd party software to pull data, and doesn't expose the status in an accessible way.(I would have thought a 204 status would have made more sense?)
1 voteHTTP 404 is the semantically correct response code, there’s no reason to include anything further in the body. Sounds like a deficiency with the product you’re using if it’s unable to interpret response codes correctly.
-
Have I Been Pwned API to get breached password list
The official page of “Have I Been pwned” (https://haveibeenpwned.com/Passwords) is showing anomaly behavior for checking breached password. For the same password being used, it returns different results. Sometimes it shows that the password has been breached and when I try it again with the same password, it shows the password has not been breached. I tried this with the password “Password1.”.
Also, its API (Searching by range, which I have used with my java project) does not signify that the password "P@ssw0rd123" was breached, but its website https://haveibeenpwned.com/Passwords shows that this password was breached.
Could you please make…
1 voteThis is a bug report, not a feature request, and it’s a duplicate of what you’ve already emailed me and I’ve already responded to.
-
i pressed the wrong option when opting out so i wish we were allowed to opt out, i try again but it says i cant.
i opted out using the wrong option and it still says ive been pwned so im suggesting theres an option to opt out a different way even if you already opted out. everytime i try to opt out again i get the same email telling me i cant.
1 voteThis suggestion fundamentally undermines the entire premise of opting out in the first place!
-
Filter known breaches and pastes in the API
It would be nice if we could pass a set of breach names into the https://haveibeenpwned.com/api/v3/breachedaccount and a set of paste data into https://haveibeenpwned.com/api/v3/pasteaccount and have them only provide results for the breaches and pastes not on the list, basically something like ?exclude=thing1,thing%20two for breachedaccount and something like ?exclude=%7B%22PasteBin%22:%20[%22123%22,%22456%22],%22Pastie%22:%20[%22abc%22]%7D for pasteaccount.
3 votesThat sounds like something you could easily filter on the client end: request the data for an account then remove all items that don’t match what you’re looking for. There’d be no performance benefit doing it on the HIBP end as the query presently just picks up an entity (the account being searched for) and returns it in its entirety.
-
Fix QuinStreet information
QuinStreet is not an online service, it has leaked my info it must have accuired from buying it from other companies that I do not know who is. They have no login that can be fixed. Firefox Monitor uses your service to alert for this company, but as is it makes little sense to present it as a web service I have signed up for.
1 voteI can’t see anything in the submitted idea to suggest the description is incorrect.
-
improvement on awarness and great feature
It would be better if u also added the info about which site leaked our data, no need to give passwords...
It would encourage us to let our friends know about it if they used the same website and create a lot more interest and awareness all around.
I know this data(which site leaked it) might be hard to get and might be rarely available .You might know only few of thosee.But still ,a start in this direction might be lovely and show to other people that u dont know where the leak came from...they might help u provide the…1 voteHIBP already tells you which site leaked the data, it appears immediately after performing a search.
-
1 vote
HIBP is not intended to be a personal triage tool, rather a historical reflection of data breachs
-
Check Pastir.com for pastes
Mine was there but your site didnt find it
1 voteThat site doesn’t look like a paste site.
-
Investigate this: Dear Alumni & Friends, Report of a Data Security Incident I am writing to notify you of a data security incident that ha
Dear Alumni & Friends,
Report of a Data Security Incident
I am writing to notify you of a data security incident that has affected one of the University’s third party service providers, Blackbaud, which provides cloud computing software used for processing some of your personal data.
We recognise that this is unsettling news and we sincerely apologise that this has happened, but rest assured that Blackbaud have taken steps to mitigate this incident and any risks to your information. The University is following up with internal investigations and remedial actions of its own. However, we advise that you be vigilant…
1 voteThis is not a feature suggestion, it’s a breach disclosure notice related to the Blackbaud incident.
-
Xploder forum breach
Hey,
when googling one of my email addresses I found three similar dumps from xploder forums. This is not showing up when I search for my email here.
How can I send you a link to the dumps, post it just here?1 voteNot a feature idea.
-
ACLU was breached thru (https://www.blackbaud.com/securityincident). The url is the report site of the ransomware data breach.
07/25/2020
ACLU was breached thru (https://www.blackbaud.com/securityincident). The url is the report site of the ransomware data breach.1 votePlease keep User Voice focused on new ideas.
-
Confirmation e-mail before displaying pwned data
Hi Troy
Could you please implement a security feature that would require the email address owner to validate their email details before supplying the complementing pwned report.
This simple feature would make it harder for a malicious actor to identify what security breach data to search when looking for additional personal details that complement a user's email address.
Please note that the above scenario assumes that a malicious actor can acquire a copy of the data that is highlighted in pwned report.
1 voteThere are many, many very good reasons why that would be infeasible: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/
-
Partial matches
I am being notified for breaches that partially match my email. Today I was notified that there was a leak (for example) "joe@live.com". When in fact notmyemail_joe@live.com was leaked.
1 votePlease keep User Voice focused on feature suggestions.
-
Define the password length that can be hacked.
IT people at work have told us 15 characters is the max. Is that true? If someone used a 21 character password, what hackers capture the entire 21 character password?
1 voteThis is not a feature suggestion
-
Has Mega been pwned? I received an email from support@mega.nz on 27 June 2020 (extract below)? I had used a strong and unique password.
YOUR MEGA ACCOUNT HAS BEEN LOCKED FOR YOUR SAFETY; WE SUSPECT THAT YOU ARE USING THE SAME PASSWORD FOR YOUR MEGA ACCOUNT AS FOR OTHER SERVICES, AND THAT AT LEAST ONE OF THESE OTHER SERVICES HAS SUFFERED A DATA BREACH.
While MEGA remains secure, many big players have suffered a data breach (e.g. yahoo.com, dropbox.com, linkedin.com, adobe.com, myspace.com, tumblr.com, last.fm, snapchat.com, ashleymadison.com - check haveibeenpwned.com/PwnedWebsites for details), exposing millions of users who have used the same password on multiple services to credential stuffers (https://en.wikipedia.org/wiki/Credential_stuffing). Your password leaked and is now being used by bad actors to log into…
1 votePlease keep User Voice focused on feature suggestions
-
1 vote
All email address numbers represented on HIBP are the number of unique addresses parsed out via regex from the data set I was provided with. If HIBP represents 263k, then that’s how many addresses were in the data.
-
Update with the Zoom data breach
Add the people whose account details were made available after using Zoom
1 voteClosing as “declined” given no evidence of a Zoom data breach nor nothing in the press.
-
able to search breached apps
if i want to install an app and i want to see if that app or website is compromised i don't want to install it.so make a searchable page for breached apps and websites
1 voteThat already exists here: https://haveibeenpwned.com/PwnedWebsites
-
How to opt-in again after opting-out? Please read :)
I have opt-out by removing my email addr from public search.
I thought by using an API key to search for my own email, I am able to retrieve my own breaches, but it was a 404.
How do I opt-in again or at least allow email address owners to search for their own breaches?
I think the language is not very clear on the opt-out page, thus leading to me buying the API key for nothing. I wasted $3.50
It says "You can still search your own address using the notification service that ensures you control the address before…
1 voteUserVoice is for suggesting new ideas so I’m marking this as “declined”.
Your address will only still be searchable by yourself if you choose the first option that simply removes it from public visibility. If you choose either the 2nd or 3rd option, the data is permanently deleted and no longer searchable by any means.
- Don't see your idea?