anonaddy / anonaddy

Anonymous email forwarding
https://addy.io
GNU Affero General Public License v3.0
3.15k stars 172 forks

Integration with haveibeenpwned (HIBP) #41

Open Twiglet1022 opened 4 years ago

Twiglet1022 commented 4 years ago

One of the downsides I've realised of using an email forwarding service is that if you want to sign up for notifications on HIBP you will need to sign each alias up individually. It would be a nice feature if every alias you create could be automatically signed up to it using the HIBP API, much like how Firefox Monitor lets you monitor multiple email addresses at once for involvement in any breaches.

I would prefer not to clutter up my Firefox Monitor with all these aliases, but more importantly it would also be easier to see if you've forgotten to sign any aliases up.

Admittedly though, by using a distinct alias for each website, a different password for every website, and limiting the personal information you give out to each website, it matters a lot less if one of those websites is breached. But I still think it would be a nice feature for added peace of mind and also to see who it was that let your data get into the wrong hands.

willbrowningme commented 4 years ago

Sorry for the late reply, I didn't get notified about this issue!

I agree that would be a great feature.

The only thing I'm not sure on is the best way to implement something like this.

Looking at the API docs - https://haveibeenpwned.com/API/v3 it appears requests to check breaches/pastes on email accounts are limited to one every 1.5 seconds.

So if say 50,000 aliases needed checking daily on AnonAddy then this would take 75,000 seconds (just over 20 hours).

Does anyone know if there would be a better way to do this? For example checking an entire domain in one go instead?

stefanschramek commented 4 years ago

What do you think about letting the users set their own API key for the integration? Otherwise you would need to buy the subscriptions for this, and the limits would not be that relevant this way!

willbrowningme commented 4 years ago

@stefanschramek That's an interesting suggestion, it would be good if there was an API for the https://haveibeenpwned.com/DomainSearch that way I could do entire domains at a time.

frankTurtle commented 2 years ago

I honestly don't think having this integration is needed. The entire point of having this anon addy service is to not care if your single address is compromised. If so, gen a new one and move on with your day. HIBP is useful when you continuously use a single address and therefore have a single point of failure for all your logins.

It's one of the use-cases as to why I use this service.

My thoughts anyway.

Coderdude112 commented 2 years ago

I totally see your point. I just feel like if we could get integration with HIBP we could set up automatic actions such as disabling the email address, now that it's been leaked. I still feel like integration with HIBP would be nice and helpful.

Coo-ops commented 2 years ago

> just feel like if we could get integration with HIBP we could set up automatic actions such as disabling the email address

You still need to intervene to make sure your emails actually go somewhere before disabling the alias.

FWIW - HIBP can do entire domains. So AnonAddy would only need to query HIBP for the unique user domain, or the user's custom domain.

Doesn't help those using non-personal shared Anonaddy domains though.

It is the responsibility of a breached company to inform their customers though. So maybe it's not that necessary.
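The two query strategies raised in this thread (one HIBP request per alias at the ~1.5 s/request limit quoted above, versus one request per domain the user owns) can be compared with a small planner. The code below is an added example and is not part of the anonaddy project; the domain names, the alias list and the `shared_domains` set are constructed for illustration, and the `query` callable is left injectable so nothing here talks to the real HIBP API.

```python
"""Plan and pace HIBP breach checks for a set of email aliases.

Added example (not anonaddy project code). Models the thread's two
strategies: per-alias requests, which are the only option for aliases on
a shared public domain, and per-domain requests for domains the user
owns (username subdomain or custom domain). The 1.5 s interval is the
figure quoted from the HIBP v3 API docs in the thread.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from typing import Callable, Iterable

RATE_INTERVAL_SECONDS = 1.5  # one breached-account request per 1.5 s


@dataclass
class CheckPlan:
    per_alias: list[str] = field(default_factory=list)   # aliases on shared domains
    per_domain: list[str] = field(default_factory=list)  # user-owned domains

    @property
    def request_count(self) -> int:
        return len(self.per_alias) + len(self.per_domain)

    def estimated_seconds(self, interval: float = RATE_INTERVAL_SECONDS) -> float:
        """Wall-clock lower bound if requests are spaced by `interval`."""
        return self.request_count * interval


def plan_checks(aliases: Iterable[str], shared_domains: set[str]) -> CheckPlan:
    """Split aliases into per-alias checks (shared domains) and per-domain
    checks (everything else), de-duplicating the owned domains."""
    plan = CheckPlan()
    owned: set[str] = set()
    for alias in aliases:
        local, sep, domain = alias.rpartition("@")
        if not sep or not local or not domain:
            raise ValueError(f"not an email address: {alias!r}")
        domain = domain.lower()
        if domain in shared_domains:
            plan.per_alias.append(alias.lower())
        else:
            owned.add(domain)
    plan.per_domain = sorted(owned)
    return plan


def run_rate_limited(
    targets: Iterable[str],
    query: Callable[[str], object],
    interval: float = RATE_INTERVAL_SECONDS,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> dict[str, object]:
    """Call `query` once per target, never faster than one call per
    `interval` seconds. `clock` and `sleep` are injectable so the pacing
    can be tested without waiting."""
    results: dict[str, object] = {}
    last_sent: float | None = None
    for target in targets:
        if last_sent is not None:
            wait = interval - (clock() - last_sent)
            if wait > 0:
                sleep(wait)
        last_sent = clock()
        results[target] = query(target)
    return results


# Constructed sample data: one shared domain, one username subdomain,
# one custom domain. None of these are real addy.io/AnonAddy domains.
SHARED_DOMAINS = {"anonaddy.example"}
SAMPLE_ALIASES = [
    "shop@alice.anonaddy.example",
    "news@alice.anonaddy.example",
    "forum@alice-custom.example",
    "random1@anonaddy.example",
    "random2@anonaddy.example",
]

if __name__ == "__main__":
    plan = plan_checks(SAMPLE_ALIASES, SHARED_DOMAINS)
    print(f"{plan.request_count} requests, ~{plan.estimated_seconds():.1f} s")
    # Thread's worked figure: 50,000 aliases checked individually.
    naive = plan_checks([f"a{i}@anonaddy.example" for i in range(50_000)], SHARED_DOMAINS)
    print(f"per-alias for 50k shared aliases: {naive.estimated_seconds():.0f} s")
```

The planner makes the thread's trade-off concrete: aliases on a shared domain still cost one request each, so the per-domain shortcut only helps users on their own subdomain or custom domain, exactly the limitation noted above.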

Coderdude112 commented 2 years ago

> You still need to intervene to make sure your emails actually go somewhere before disabling the alias.

Yeah, totally see your point, disabling the alias was an example. Currently we have the opportunity to set custom rules which is pretty nice. So my ideal move would be to be able to set up a custom rule that allows an email sent to a leaked alias to have something like the subject changed, and then my actual email can handle it with rules from there.

> It is the responsibility of a breached company to inform their customers though.

My personal (non-aliased) email shows like 10+ leaks on HIBP and I can only remember like 2 ever emailing me. It can be the company's responsibility, but in my experience most don't do crap.