General

  1. Clarify "<p>" within the "Title" Field of "Regler" Paste

    The relevant JSON returned from https://haveibeenpwned.com/api/v3/pasteaccount/test@example.com is quoted below:

    {
        "Date": null,
        "EmailCount": 627,
        "Id": "https://underground-revolution.eu/hacked/networkgaming_2013_04_16.sql",
        "Source": "AdHocUrl",
        "Title": "Regler.<p>"
    },
    

    Can you please clarify the inclusion of the "<p>" in the "Title" field, or, if it is not needed, please remove the "<p>" from the "Title" field?

    1 vote
    1 comment
  2. Add the recent 500K password breach for Fortinet VPNs

    With the recent revelation of the 500K+ passwords that were scraped from Fortinet VPNs all over the world, it would be of incredible value to be able to check if several deployments were caught up in the breach (by checking a few usernames). Thanks for the great work!

    3 votes
    1 comment
  3. Add an 'AddedDate' field for pastes

    With the current API, for the paste model it is mentioned that the paste date is only included if it is known, and that this value may be null.

    Can you please consider adding a 'date reported' field to the paste model, which would simply be the timestamp of when a given breach is reported by HIBP. That would give a usable reference point as to the possible age / currency of the paste, in the event that the regular date value isn't known.

    This would also be consistent with the breach model in the API, that differentiates between 'BreachDate'…

    1 vote
    1 comment
  4. fix API v3 rate limiting which claims to be per API key

    The API v3 rate limiting documentation (https://haveibeenpwned.com/API/v3#RateLimiting) initially claims that the API is rate-limited on a per-API key basis. Reading the fine print, it indicates that the rate limit is actually applied to the IP address. This disconnect leads to immense challenges in working with the API at scale. For example, I bought 7 API key licenses today so that I could work through a very large data set more quickly. However, all of my API keys are working from the same source IP address. So every time your API gets busy, you start blocking me by my…

    3 votes
    1 comment

    The API is rate limited per key at the Azure API Management level. There are no rate limits per IP address. Usually when I hear a report like this, it’s because someone is inadvertently making too many requests so I’d normally suggest changing the API key (you can do that on the page you registered on), then testing the new key totally independently of your code, for example in Postman.

    Closing this “idea” as it’s not an idea, contact me directly if you still have problems: https://www.troyhunt.com/contact/

  5. Add credentials API (to check against strong hashes)

    HIBP, unlike other services such as Enzoic, does not yet provide a way to find matches if the breach data contains medium- to strongly-protected passwords.

    To make those passwords searchable without cracking them, the API needs to accept the username as input and return a list of hashes together with metadata, e.g. salt and hash algorithm. The client can then, for each result, apply the provided hash algorithm to the password and compare the output with the hash from the API result.

    security notes:
    1. you may want to add a second hash algorithm on top to avoid storing passwords…

    1 vote
    2 comments

    The protection level of the password is not an area I want to get into as it leads to (often incorrect) assumptions about whether a breached password is suitable for use. There’s also no need to increase the strength of the hashing algorithm as it’s only designed to obfuscate the PII that appears in some records.

  6. Document IP addresses and stability for API

    Using your API from our environment requires that we update our network egress rules to allow us to reach you.

    I can easily see what IP addresses you're using now, but I can't tell how likely these are to change.

    Having this documented would help us make better decisions about how - or whether - to use your API.

    tia

    1 vote
    1 comment
  7. Add doxbin.org paste

    I searched some email accounts on doxbin.org and then searched on haveibeenpwned.org, but it doesn't find the paste.

    6 votes
    0 comments
  8. Add more phone number and email breaches

    Please add more email and phone number breaches. I searched on "keepersecurity" and "nortonlifelock email and phone number dark web monitoring" and they tell me that there are more breaches.

    6 votes
    0 comments
  9. There was an attack on the website https://www.yemeksepeti.com

    • Name-surname, date of birth
    • Telephone numbers registered with Yemeksepeti
    • E-mail registered with Yemeksepeti
    • Address information registered with Yemeksepeti
    • Login passwords masked with the SHA-256 algorithm, which are not clearly visible
    All of it was stolen. You must add it to this site.
    6 votes
    0 comments
  10. improvements to domain search for bigger companies

    At thousands of employees, the usability of the domain search falls off a cliff. Here are some of the problems I'm seeing and what would improve my use case significantly.

    problems:
    1) email and personal data leaks are a spam/phish/identity problem: password leaks are a direct attack liability
    2) company has been around for a decade, thousands of employees, list of leaks and affected users by any of the leaks is long and unwieldy
    3) constantly investigating users that are no longer active

    potential improvements:
    1) focus on password leaks as a higher level of leak than just email and/or personal data…

    3 votes
    0 comments

    This really goes beyond the purpose of HIBP and starts to get into the internal triage processes of your organisation. The intention is to provide the data as I’ve been able to obtain it then the consumer works out what to do with it; which ones are serious (it differs by org), which addresses are still relevant (definitely not something I want to track), and what actions have been taken for an individual breach. APIs exist for you to handle this in conjunction with the domain search.

  11. Create or develop an app for this website, with the app named "Have I Been pwned?/HIBP"

    Make it easier to trace on a phone if someone is trying to pwn you by opening the app; then, boom, you quickly know the updates about your account.

    3 votes
    0 comments
  12. How to delete reported pwnage: good news and bad news

    Make it possible to delete these reports if you have seen them already....

    3 votes
    0 comments
  13. Domain user accounts

    As a consultant, I see several companies that use a Microsoft Windows server and that are currently under cyber attack. Looking at the user IDs that they use to try to get in, I think that somewhere there must be a list of existing user IDs (and passwords and even PC names) that they can use to log in to a domain. It would be useful to get that info in HIBP. By the way, on checking the domain names in HIBP, I never get a verification code sent to security@....

    1 vote
    0 comments
  14. Search for non-decrypted passwords

    As we can download both SHA-1 and NTLM password lists, I suppose these lists concern only decrypted passwords that have been re-encrypted with SHA-1 and NTLM.

    So what about non-decrypted passwords?

    I can see a lot of breaches where (fortunately) only the digest has been pwned and the digest algorithm is known.

    Are there databases of encrypted passwords with their digest algorithm waiting to be decrypted?

    If yes, it could be a nice feature to test passwords against all these databases using the corresponding algorithm...

    1 vote
    1 comment

    There are multiple problems with this:

    Firstly, passwords are almost never encrypted, they’re hashed. If they are encrypted then without the private key you really can’t verify the password by any means.

    Secondly, when hashed, they’re almost always salted as well so just knowing the algorithm used isn’t sufficient for a password hash provided by a user to be verified, I’d have to provide the salt used as well. That would mean storing that in a way that could be retrieved for that user which amounts to needing credential pairs which is too risky for my comfort.

    Thirdly, it’s a very niche audience that could use this, namely people technical enough to hash their own password (with the salt, if needed) and then pass it back to the service.

    In short, it’s high effort, high risk and low value given the niche nature of it.
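
    An added example (not HIBP's code, nor an implementation of the proposed API) of the client-side comparison sketched in idea 5, which also shows why the reply to idea 14 says the salt must be known: the record layout, the prepended-salt convention, the breach names, salts and passwords are all constructed assumptions.

```python
import hashlib
import hmac

# Digest algorithms this client can reproduce locally; anything else is reported as unverifiable.
SUPPORTED_ALGORITHMS = {"md5", "sha1", "sha256"}


def derive_hash(algorithm, salt, password):
    """Re-create a stored digest. The salt is prepended to the password here (assumed layout;
    real breaches differ, so a record would also have to say where its salt goes)."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(algorithm, (salt + password).encode("utf-8")).hexdigest()


def check_password(records, password):
    """Compare one candidate password against records shaped {"breach", "algorithm", "salt", "hash"},
    where salt "" means unsalted and salt None means salted but the salt was not disclosed.
    Returns (breaches that match, breaches that cannot be verified)."""
    matched, unverifiable = [], []
    for rec in records:
        # Without the exact salt, or with an algorithm we cannot run, there is nothing to compare.
        if rec["salt"] is None or rec["algorithm"] not in SUPPORTED_ALGORITHMS:
            unverifiable.append(rec["breach"])
            continue
        candidate = derive_hash(rec["algorithm"], rec["salt"], password)
        if hmac.compare_digest(candidate, rec["hash"]):
            matched.append(rec["breach"])
    return matched, unverifiable


def _record(breach, algorithm, salt, leaked_password, disclose_salt=True):
    """Build a constructed sample record (not data from HIBP) as the proposed API might return it."""
    return {"breach": breach, "algorithm": algorithm,
            "salt": salt if disclose_salt else None,
            "hash": derive_hash(algorithm, salt, leaked_password)}


# Constructed sample data: breach names, salts and passwords are made up for this demonstration.
SAMPLE_RECORDS = [
    _record("ExampleForum", "sha1", "", "hunter2"),                            # unsalted SHA-1
    _record("ExampleShop", "sha256", "x9Qa", "hunter2"),                       # salted, salt disclosed
    _record("ExampleGame", "sha256", "kL2m", "hunter2", disclose_salt=False),  # salt withheld
    {"breach": "ExampleBank", "algorithm": "bcrypt", "salt": None,
     "hash": "$2b$12$PLACEHOLDER"},   # placeholder value; this client does not run bcrypt
]

if __name__ == "__main__":
    print(check_password(SAMPLE_RECORDS, "hunter2"))
    # → (['ExampleForum', 'ExampleShop'], ['ExampleGame', 'ExampleBank'])
```

    Only records that disclose both a reproducible algorithm and the exact salt can be checked; the withheld-salt and bcrypt records come back as unverifiable, which is the trade-off the reply describes.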

  15. Add FalixNodes.net

    There was recently a security breach on FalixNodes; this includes all passwords to the Game Panel, which were all eventually reset by the owner of FalixNodes.

    1 vote
    0 comments
  16. Password List Version Diff

    Any way to publish just an NTLM and SHA-1 differential file on the next release of the password list? This would greatly help when importing the list into SQL so as not to require a full re-import of any newly published password lists.

    1 vote
    1 comment
  17. Opt out till next breach

    I saw a breach on my email; I've strengthened the security, logged out of services and so on.
    I would like to opt out now, and come back at a later date to see if I have new breaches.

    Because this way I can rest assured that my new security changes are working, instead of, whether I strengthen the security or not, still seeing the breach result.

    3 votes
    0 comments
  18. Offer a service to wipe a person's breached info

    Offer a service that can wipe clean a person's exposed information that has been breached.

    3 votes
    0 comments
  20. md5 password check

    Be able to look up whether your password exists in a breach by entering an MD5 of your password rather than the actual password.

    3 votes
    0 comments