Add an option to list all the accounts made and available from an email.
1 vote
The service already returned all breached accounts found for an email address.
As we are not awash in money it would be appreciated if there was a Higher Ed discount of some sort. As students come and go they still stay on the list as pwned users even if they are no longer enrolled. Like you, we are a proponent of research and public service.
2 votes
Hi Will, EDU discounts are already in place, check out this KB: https://support.haveibeenpwned.com/hc/en-au/articles/7619887413135-Do-you-provide-discounts-based-on-the-nature-of-the-organisation-
I have a small private domain used just for my family, which has 5 mailboxes and at most a dozen email addresses including role accounts like security@ or postmaster@ - yet HIBP tells me I need to sign up for a Layer 3 subscription as I apparently have 128 breached accounts.
Clearly there is something wrong, but there's no way for me to even see what's wrong because I don't have a subscription. There must be some error in the HIBP database, but there's no way for me to check or even to ask someone to check it...
1 vote
Assuming that is excluding spam lists, that shouldn’t be possible unless the domain name is something that regularly appears as part of another string and has been parsed out incorrectly. Log a ticket with the details and I’ll look into it: https://support.haveibeenpwned.com/hc/en-au
It looks like some services have been put behind a paywall. Which in truth I can understand. We offer services to small budget local governments in Texas - this information is helpful to secure public workers and their county emails.
1 vote
We have an existing model for non-profits, please see the KB here: https://support.haveibeenpwned.com/hc/en-au/articles/7619887413135-Do-you-provide-discounts-based-on-the-nature-of-the-organisation-
Given the exodus of accounts from Twitter to Mastodon, as well as its close relationship to the open-source and information security communities, I think you should create a Mastodon account and have it basically, at the very least, reflect what your Twitter account is saying - which is relatively easy to do via tools such as this: https://moa.party/
3 votes
Done! I'd previously tried to reach out to @firstname.lastname@example.org and ask them to hand over the account but got no response. I've just set up @email@example.com instead and verified it as the owner of the domain. I'm not sure how I'll actually use it yet (only a very tiny portion of the audience is there), but at least it now has a presence.
Thank you for your service.
I received a notice from you that I had been pwned. After receiving your confirmation that I -WAS- hacked, I then did a web search on the QuestionPro hacking. It appears they are declining to confirm the incident. I can prove that it occurred.
I assign a different email to EVERY person I exchange emails with, especially vendors. The email address you indicated was hacked was assigned to ONLY ONE MAJOR US POWER SUPPLIER. It is 100% clear to me that my supplier gave my email address to QuestionPro which was subsequently hacked.
1 vote
I've completed verifying this to the point where I believe it's legitimate. Full thread here: https://twitter.com/troyhunt/status/1555696116351377410
I noticed you stopped updating the download for breached passwords. I would like to continue to have an up to date data set to prevent users from choosing breached passwords, but I will not use the API.
I don't want the availability of something like registering for an account to be tied to an external service, nor do I want to slow the process down by waiting on an external API. I just want an up to date list to check locally and decide to accept or reject the password my user is trying to choose.
3 votes
This is actually already done, I'll be blogging about it in the coming week: https://www.nuget.org/packages/haveibeenpwned-downloader/
On the donation page the Bitcoin Cash donation address is displayed in the old legacy format (1DQZe241VSm5VjY1YeAyiWQR5VFH3heCtJ).
Most wallets (probably 100% of all user-facing ones) support the CashAddress format (bitcoincash:qzypv5j3ce6g57x9te25lgx0z6af8ehz2c8tudzpaf in this case) and using the legacy format for Bitcoin Cash is discouraged due to a risk of sending to an invalid address.
2 votes
Thanks for the tip, it’s done: https://haveibeenpwned.com/Donate
I received an email that I'm in the Epik hack, but I have never had an account there so it seems something is off.
I received an email that I'm in the Epik hack, but I have never had an account there so it seems something is off with hibp?
1 vote
The only thing that is “off” is Epik scraping and storing WHOIS data: https://twitter.com/troyhunt/status/1439705567400894464?s=21
On page https://haveibeenpwned.com/PwnedWebsites the link on the sentence "These are accessible programmatically via the HIBP API" still redirects to the deprecated v2.
1 vote
Hey, good find! Thanks very much, fixed in source, I’ll push it out with the next release.
This would help us a lot as a company. Doing monthly bill mapping with a corporate credit card is not working for us :-)
This is coming soon! Announcement and details here: https://www.troyhunt.com/expanding-and-enhancing-the-have-i-been-pwned-api/
385 votes
Right now there is a 1.5-second delay time b/w requests, which is a long wait time for us.
Currently, we have to thread multiple API keys together to decrease the rate limit, though we'd rather only have to use one and pay a bit extra.
It would be very helpful if we could pay extra to have a lower rate limit (e.g. think tiers for rate limits maybe?)
This is coming soon! Announcement and details here: https://www.troyhunt.com/expanding-and-enhancing-the-have-i-been-pwned-api/
119 votes
It would be helpful if we could directly link to an account's breaches info.
This would make it easier to integrate HIBP into other products without having to recreate the whole pwned information webpage.
1 vote
It already does this: https://firstname.lastname@example.org
For unit testing purposes, to be able to be certain that the data from HIBP is parsed and stored in the application correctly.
1 vote
Great idea! I already had all the accounts set up, I’d just never documented them. That’s now up here: https://haveibeenpwned.com/API/v3#TestAccounts
The current API allows the list of pwned accounts (email addresses and usernames) to be quickly searched via a RESTful service.
Can you add the phone number search (based on your portal search for Facebook breach)?
1 vote
It already does this.
To make a list of pwned apps or websites from old to new so that it wouldn't be hard for us to scroll down and down to the pwned things.
Make a button for List Of Pwned Apps/Websites, then add a summary of each Pwned A/W.
1 vote
This already exists: https://haveibeenpwned.com/PwnedWebsites
And it could work that if there are multiple accounts using the same username then you for example can choose the one that's yours.
1 vote
HIBP already has this construct: https://www.troyhunt.com/searching-snapchat-data-breach-with/
But it’s very rarely used as usernames are difficult to parse out, not unique to an individual and almost always accompany email addresses which can more reliably be searched.
I have my own domain with a catch-all service. Every website I register gets a different mail address which makes it easier to block addresses that receive spam (after a leak) and to check if the sender is really the sender. Checking each mail address individually is time consuming; can I somehow check all mail addresses ending with my specific domain?
1 vote
Try the domain search link on the website.
Curious about your thoughts on using some sort of automation / aggregation / ML to help classify what constitutes a "sensitive" breach, and also what the most up-to-date state of "sensitive breach" classification logic is.
Would also be great to have an easy-to-find and up-to-date list of what those sites are.
1 vote
Not sure how prevalent very popular passwords are, so I'd suggest, if possible, it would be a real nice feature to see the worst offenders in order of most reused.
For instance "password": is its millions of instances actually #1 or is something else more prevalent?
Seeing the worst of the worst in terms of commonality/instances of use would be a nice tool for average users to gauge just exactly how bad that "Password1!" workaround really is.
1 vote
Try this list from the NCSC: https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere