Mastodon

Have you been pwned? Now you can be automatically told when you are!

Just under three weeks ago now, I launched Have I been pwned? which could tell you if you owned one of 154 million email addresses that had been caught up in recent data breaches. Subsequently, the site turned out to be wildly popular and as with such things, a lot of good ideas came up in terms of features people would like to see.

Without doubt, the number one request was for notifications. Searching for accounts that may have been pwned up to the current date is one thing, but the real value is in being automatically notified when you get pwned in the future. So I built it – oh and I’ve made it a free service.

Signing up for notifications

Let me talk you through it: First of all, jump over to haveibeenpwned.com and search for your email address. You can always just hit the “Notify me” link in the nav but I suspect most people will want to kick off by looking at whether they’ve already been compromised.

Compromised address search with notification link

This is pretty much business as usual, except now you’ve got a “Notify me if my address gets pwned in the future” hyperlink just above the social media icons. Click that guy and you’ll get a little window:

Entering email address and CAPTCHA

The email address is pre-populated when you go in via this route (it’s not if you follow the link in the nav which is accessible from any page on the site), and there’s a CAPTCHA to solve. I’m sorry. The problem is that I need to send a verification email to make sure it’s the legitimate owner who’s asking for notifications. If I don’t do this then there’s the risk of random people being signed up (not good for spam reputation) and the CAPTCHA ensures the process can’t be automated.

Moving on, you can add additional addresses (your own or those of other people who are happy to join the service) and of course you can share via social media:

Notification subscription complete

As promised, this delivers an email which then requests verification:

Verification email

Now it’s just a matter of verifying the email address:

After having verified the email address

What this now means is that if the address appears in any future breaches loaded into HIBP, you’ll get an immediate email notification that looks something like this:

Notification of pwned email address

The “read about here” link takes you back to the site where there’s additional info on what happened in the breach and of course you can always pull the pin on it at any stage and unsubscribe. That’s it – simple!

Still simple, still free

I wanted to stick with the original ethos of the site and keep everything as simple as I could possibly conceive of. For example, there’s no concept of creating an account in the traditional sense – I don’t want to handle peoples’ passwords nor make it harder for them in the first place by requiring them. It’s a shame I’ve had to add the CAPTCHA but abuse of a service that sends email in this way is not something I can really take a risk on.

As for the price, my view is that whilst it’s costing me less to run the site than what I spend on coffee, there’s no need to charge money for it. Now that may be saying something about my caffeine habit, but it may also be saying that clever use of services like Windows Azure can be done on a shoestring, even for well-trafficked sites.

Future roadmap

The next feature I’ve already begun working on is another frequently-requested one: domain-wide notifications. Many people use a single domain with multiple accounts for different services and by the same token, many organisations want to know which of their colleagues have been impacted in a data breach. They’re both very good use cases for pulling back a complete data set for a domain.

Of course this is also a little tricker in other ways – you don’t want just anyone pulling large volumes of data for a particular company. The verification process to ensure the right people are getting the right data and that it’s being done in a user-friendly, efficient way is what I’m working through now. Stay tuned, it should be here soon.

‘Tis the season to share

The success of this site is hugely dependent on its popularity; if it’s useful to people and there’s a real desire to use it, I’ll keeping supporting it and extending the features to make it as useful as possible.

Pushing this out on Xmas eve down here got me thinking about the opportunity to share it more broadly so if you find it useful, do this: drop in the emails of the family and friends you’ll be spending the holidays with and get them to hit that verification link in the email when it lands on their smart phone or shiny new tablet under the Xmas tree. Let me know it’s useful by using it and I’ll keep adding data and building out features.

Security Have I Been Pwned
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals