General
219 results found
-
Drop support for weak cipher suites
The Qualys SSL Server Test shows that haveibeenpwned.com supports weak cipher suites for TLS 1.2. Please drop support for these to make haveibeenpwned.com even more secure.
https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com1 voteTLS termination is done at Cloudflare and this is not a configurable attribute. It poses a minor risk hence the A+ SSL Labs rating HIBP receives.
-
Domain search
I own several domains and I would like to check any email adress with that domain.
Simply verify by sending confirmation request on a random email address with that domain e.g. h1ytsh4t uhh674@larshjorth.dk3 votesThis read like a personal request for verification with a non-standard alias. HIBP already provides a mechanism for domain verification using standard administrator email addresses.
-
A search for xyz@gmail.com and xyz@googlemail.com should return the same
Since user@gmail.com is the same address as user@googlemail.com the returned data should also be the same, currently you'd have to enter both addresses.
Some users might not even know about this.0 votesThis is akin to what’s already been proposed in this suggestion: https://haveibeenpwned.uservoice.com/admin/v3/suggestions/6774229/
Namely that there are multiple versions of an address that all go to the same mailbox. It’d be great if you could leave that comment over on that idea and I’ll close this one out.
-
Humio Pawned
Received this mail:
Dear Humio user,On Monday, November 4th, we became aware that an authenticated user of cloud.humio.com could use an API call to retrieve a full list of cloud.humio.com users, including names and email addresses. No other information was exposed.
You are receiving this email because your name and email could have been exposed.
We only know of a single incident where someone unintentionally accessed this information. They immediately reported this to us (thank you!). However, we can’t definitively identify whether any other users accessed and stored this data. If you retrieved any user names or email addresses,…
3 votesPlease keep User Voice for suggested features. If you have access to a data breach you’d like to submit, get in contact with me here: https://www.troyhunt.com/contact/
-
Don't use Gravitar
On a website that helps people mitigate the impact of losing private data you prevent use of avatars without signing up to an arbitrary third party with whom users may have no previous relationship and certainly no reason to trust. This feels strangely at odds with the core ethos of your website.
11 votesLooks like this is an issue with UserVoice, not HIBP.
-
Provide Delta files between versions of the Password DB for offline mirror updates
for offline mirrors it is important to be able to stay up to date - dropping the index and whole db only to reimport all 550M entries is a long time - for local offline copies the # of breaches may not be important but the new hashes are - can you provide delta files of the newly added SHA1s only for easier updates?
Love using the service btw!
would also keep your bandwith lower for people only needing the new stuff by downloading smaller files
3 votesDeltas would still be extremely large due to the prevalence counts on so many of the passwords changing. Best bet is to either download the new version or if that becomes inconvenient, hit the k-anonymity API.
-
Question: Does HIBP check user ids as well as email address?
Some websites use userids instead of email addresses. Are userids checked the same as email addresses?
1 voteNo.
-
HOSTINGER.COM HAD A DATA BREACH
I’m not lying, I got an email from them. Here is the blog post about it:
https://www.hostinger.com/blog/security-incident-what-you-need-to-know/3 votesThis UserVoice is for feature suggestions. Please contact me here if you have data to load: https://www.troyhunt.com/contact/
-
Normalize all searches to lower case
I sometimes capitalize portions of my email address.
After checking the same email address twice - one time all lower case and another using some upper case - I got different results!1 voteAll email address searches are not case sensitive. If you’ve found an exception, please contact me privately with the address in question: https://www.troyhunt.com/contact/
-
api call
Hi i want to ask about API,
i try to call the API via $.ajax and send the hibp-api-key by header, i checked the hibp-api-key at RequestHeader and its correct
and i get this message in the console
readyState":0,"status":0,"statusText":"NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to loadcan you help me?
1 voteThis User Voice is for feature suggestions. If you’re trouble shooting your implementation, I suggest you try Stack Overflow.
-
Version Pwned Password API
Can you version the "Pwned Passwords" API v2 to reduce the confusion with https://haveibeenpwned.com/API/v3#APIVersion please?
Can the "Pwned Passwords" API endpoint also specify which release of https://haveibeenpwned.com/Passwords is used within its URL?
3 votesAt this stage there’s no plan to version the Pwned Passwords API an it’ll continue to run independently to the APIs for searching breaches.
See the “last-modified” response header on the API if you’re looking to identify when the data is current as of.
-
Domain Search Email Validation Not Working
I'm not receiving emails while attempting to validate my ownership of a domain. We're using Office 365 and the email doesn't appear to be getting caught by the spam or phishing filters.
3 votesThis site is used for feature requests, not support. If you’re not receiving emails it’ll be because your mail server is blocking them.
-
Can I have my account show up normally- like no breaches found, since I opted out accidentally
Can I have my account show up normally- like no breaches found, since I opted out accidentally ?
I am not sure where to post this but I want it like that
1 voteAt this stage there is no option to un-opt-out. Furthermore, depending on how you opted-out your data may have been permanently deleted from the online system anyway.
-
Stop using google analytics for logging what's entered in the forms (when searching for a password or an email) - that's a privacy violation
Just stop using it!
1 voteGoogle Analytics does not log data entered into forms on HIBP.
-
Fix your SMTP server records in DNS (reverse lookup not working).
Fix your SMTP server: the SMTP server you are using to verify domains does not have a reverse lookup address, so emails are either rejected or marked as spam by any server that is well configured.
4 votesI’m closing this out following a discussion with the last commenter. This was due to the recipient mail server bouncing emails. For anyone else that stumbles across this, if you reject email from HIBP then you can’t get email from HIBP! The outbound address is noreply@haveibeenpwned.com
-
consider social security numbers?
What potential is there to provide data on SSN that have been exposed in a breach? This seems much more borderline dangerous, but curious about of you've given any thought and the problems / possibilities you see.
3 votesAmerican social security numbers are considered sensitive personally identifiable information and I don’t intend to store them in HIBP.
-
Any suggestions as to anything that can be done to fix any problems associated with these list.
Would like to see some suggestions as to how to repair/improv being victims of the instances you unveil.
1 voteAlready implemented.
-
Fix multi-domain search results
Apparently, multi-domain search result for breached email account sets are broken. Maybe only for large result sets?
I did a multi-domain search after the avectis breach notification with over 10.000 of our company and customer emails affected. However, the "Breached email accounts" tab in the excel format was empty. The HTML did not load (result set to big) and the JSON also only included "{"BreachSearchResults":null, ..."
Can you check this please?17 votesMulti-domain searches were dropped a while back, searches now need to be done on a per domain basis. But we're just about to launch an API if you'd like to automate it, vote here if you'd like to be notified when it's ready: https://haveibeenpwned.uservoice.com/forums/275398-general/suggestions/19170856-add-domain-search-capability-to-the-api-functions
-
Insert Breach's "Permalink"
Can you please insert the breach's "Permalink" returned by the API?
For example, include "Permalink" : "https://haveibeenpwned.com/PwnedWebsites#Adobe" similar to the existing key/value pair of "LogoPath".
3 votesYou can already derive this from the breach name: https://haveibeenpwned.com/PwnedWebsites#{breach name}
-
small 'best of' download files instead of full 10 gb...
in one of the recent blogs from you or cloudflare, it is talked that basically it would be best to deny all passwords with a count > 100 and warn on password > 20. would it be possible to create download files just for these (i think) like 10 mil records (all > 20)? that would make it easier to create a local repository database with a workable download size and working count. ... and ignoring the rare passwords which make up the largest bucket of your collection.
1 voteYou can easily do this yourself by pulling down the entire data set then just extracting all records within the threshold you’ve chosen. I don’t want to publish multiple versions of the same data at different thresholds, this is a very subjective decision and it can easily be extracted from the existing data,
- Don't see your idea?