General

  1. Update with the Zoom data breach

    Add the people whose account details were made available after using Zoom

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  2. Wildcard support

    Similar to the requests for 'wildcard support for spamgourmet' and 'searches using the "+" syntax' Fastmail (and I suspect other providers) offer the facility to send email to <anything>@<myemail>.fastmail.com - where the "normal" email address is myemail@fastmail.com

    I use this extensively to register unique email addresses for each site (so if spam comes in i can see where it was leaked from) but in many cases i've no record of which sites i've used addresses on.

    as such it would be very useful to check for *@<myemail>.<providerdomain.com>

    to prevent abuse e.g. someone trying to register *@hotmail.com then send a verification…

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    The big difference with the plus aliasing syntax is that it’s a very broadly adopted pattern that whilst not a spec (and frankly, that’s a big part of why this feature doesn’t exist), is broadly supported. I don’t want to get into a cycle where one specific mail provider (and a smaller one at that) implements something specific to them and HIBP needs to implement that pattern.

  3. An ability to remove the alarm

    Seen the breach, I have changed all my passwords some of them several times over. This name and password list are several years out of date. So old as to be useless. The alarms are now false.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  4. 3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  5. 1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  6. Feature that allows you to search for all the sites your email has been used to create a log in for

    I would like to know which websites I have created a username on with my email address so that I can access them and manage the passwords for them. at this time, I can only manage the ones I REMEMBER using my email to sign up with, but I know there are probably hundreds out there that I have created login credentials for because just about every site or out there requires you to create an account in order to use it.

    I want to protect those accounts BEFORE I know a breach has occurred so there are no surprises.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  7. question here... are non-user data not exposed?

    what I want to ask is that... when those mailicious people gain access to a database, do they just go for emails and passwords? I am sure there are other data such as creation dates, private messages, ssn, interests and more, are these exposed as well? do the mailicious people strip out these info before posting online?

    why your site and other similar sites not have data classes for these other info?

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  8. GDPR complience

    In order to be GDPR compliant when using the service, we need assurance that the e-mail address we provide is not to be stored or passed over to a third party (and some other requirements). Can you sign a document that states that, so we have someting to show during audits?

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  9. Fix the opt-out.

    I was able to opt out public searches on 1 of 2 accounts. The second one I went through the steps and it now tells me I have opted out, however I am still able to look up the second email.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  10. How to opt-in again after opting-out? Please read :)

    I have opt-out by removing my email addr from public search.

    I thought by using an API key to search for my own email, I am able to retrieve my own breaches, but it was a 404.

    How do I opt-in again or at least allow email address owners to search for their own breaches?

    I think the language is not very clear on the opt-out page, thus leading to me buying the API key for nothing. I wasted $3.50

    It says "You can still search your own address using the notification service that ensures you control the address before…

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    UserVoice is for suggesting new ideas so I’m marking this as “declined”.

    Your address will only still be searchable by yourself if you choose the first option that simply removes it from public visibility. If you choose either the 2nd or 3rd option, the data is permanently deleted and no longer searchable by any means.

  11. 1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  12. 3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  13. 1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  14. search by hash to be EU GDPA laws compliant

    As a security company I would like to be able to search in your database on behalf of my clients for their employees emailadresses. The current laws in EU prohibit this unless HIBP signs a DPA - contract with my company OR we do not provide you with the emaildadress but just a hash. My company would even pay money for this.
    I know you already declined this a couple of times but so far nobody mentioned the aspect of law compliancy.
    THX for your work

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  15. Provide the count of breached accounts on a domain

    As part of the API, provide the count of breached accounts on a domain in a time window. I realise that for the domain search, users need to prove ownership of the domain before receiving the list of breached emails, which certainly makes sense. If the count of breached accounts on a domain isn't deemed too sensitive to disclose, this would be useful in third party risk monitoring applications which could then display "50 accounts with emails on your domain @domain.com have been breached in the previous 3 years" for example.

    12 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →

    I’m declining this one simply for the reason you’ve already highlighted: it’s too sensitive. For example, you could restrict the range to the time of the Ashley Madison data breach, feed in the domain of a small company and start to draw some pretty sensitive conclusions. As it stands, domain owners can already derive this info so there’s way more risk than upside to this one.

  16. Use certificates that specify OCSP Must-Staple

    The Qualys SSL Server Test shows that haveibeenpwned.com uses certificates that do not specify OCSP Must-Staple. When you replace these certificates near their expiry date, please get certificates that specify OCSP Must-Staple. Scott Helme has a good article on why OCSP Must-Staple is important.

    https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com
    https://scotthelme.co.uk/ocsp-must-staple/

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  17. Drop support for weak cipher suites

    The Qualys SSL Server Test shows that haveibeenpwned.com supports weak cipher suites for TLS 1.2. Please drop support for these to make haveibeenpwned.com even more secure.
    https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenpwned.com

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  18. Domain search

    I own several domains and I would like to check any email adress with that domain.
    Simply verify by sending confirmation request on a random email address with that domain e.g. h1ytsh4t uhh674@larshjorth.dk

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  19. Humio Pawned

    Received this mail:
    Dear Humio user,

    On Monday, November 4th, we became aware that an authenticated user of cloud.humio.com could use an API call to retrieve a full list of cloud.humio.com users, including names and email addresses. No other information was exposed.

    You are receiving this email because your name and email could have been exposed.

    We only know of a single incident where someone unintentionally accessed this information. They immediately reported this to us (thank you!). However, we can’t definitively identify whether any other users accessed and stored this data. If you retrieved any user names or email addresses,…

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  20. Don't use Gravitar

    On a website that helps people mitigate the impact of losing private data you prevent use of avatars without signing up to an arbitrary third party with whom users may have no previous relationship and certainly no reason to trust. This feels strangely at odds with the core ethos of your website.

    11 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    4 comments  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 6
  • Don't see your idea?

General

Categories

Feedback and Knowledge Base