by notamerican 2755 days ago
> Public search for sources of other people's breached personal data via monitor.firefox.com

That page is powered by haveibeenpwned.com. Mozilla just made a fantastic security tool available to users who don't know about Troy's site.

> you can enter anyone's email and see results

This data is all very easily available online anyway. It's just aggregating leaks that are already public, and neither HIBP nor the Mozilla page provides the _actual_ personal info that was leaked.

> Someone just lost the security vs usability debate there I guess.

That's the thing though; this _is_ a valid security tool. And a powerful and valuable one at that. HIBP has been used for years by thousands of users to secure their accounts after data breaches.

1 comments

In other words, they have publicized the existing tool to make it available to a broader audience without adding anything on top to improve its security. They're both in the wrong on this.

The argument of "Others are being irresponsible, so we should be irresponsible as well" does not stand up very well.

The only valid use case for providing this information is for when a user no longer has access to the email address in question.

In this case, they should still require it to be sent via email, and they should still send a notification to the email address being requested which includes details about the request like the IP it is made from and the email it would forward to, perhaps with a delay-and-prevent option so that someone who still owns the email can prevent the exfiltration by responding to the notice quickly.

Otherwise, this enables anyone to solicit unauthorized PII data about basically anyone else from Mozilla.

Even HIBP somewhat acknowledge the potential damage this can do, from the way they censor some results like the Ashley Madison data breach. They've made the decision that some personal information linked to a person's email address is more worthy of protection than other bits of personal information, which really shouldn't be up to them.

They get away with it because of weak data protection laws and the fact that this caters to individual users who are more likely to opt themselves out if they become aware of it than to file a lawsuit or otherwise apply pressure to make them change.
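The email-only delivery with an owner notification and a delay-and-prevent window that the reply above proposes, written out as an added example; it is not part of the thread and is not Mozilla's or HIBP's code. The class name, the 72-hour window, the in-memory outbox and all addresses and IPs are assumptions constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

HOLD_SECONDS = 72 * 3600  # assumed veto window; the comment gives no figure


@dataclass
class BreachReportGate:
    """Hypothetical gate: breach results leave only by email, after a veto window."""
    outbox: list = field(default_factory=list)    # stands in for a mail sender
    pending: dict = field(default_factory=dict)   # veto token -> request record

    def request(self, subject, forward_to, source_ip, now):
        """Queue a report about `subject` and notify `subject` straight away."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"subject": subject, "forward_to": forward_to,
                               "release_at": now + HOLD_SECONDS}
        # The notice names the requesting IP and the address the report would go to.
        self.outbox.append((subject, f"Breach report requested from {source_ip}, "
                                     f"to be sent to {forward_to}. Veto token: {token}"))
        return token  # returned so the demo can veto; a service would only email it

    def veto(self, token):
        """Owner of the address cancels the request; True if one was pending."""
        return self.pending.pop(token, None) is not None

    def release_due(self, now, lookup):
        """Email reports whose window passed without a veto; return recipients."""
        sent = []
        for token, req in list(self.pending.items()):
            if now >= req["release_at"]:
                self.outbox.append((req["forward_to"], lookup(req["subject"])))
                sent.append(req["forward_to"])
                del self.pending[token]
        return sent


def demo():
    """Constructed scenario: one vetoed request, one that runs out the window."""
    gate = BreachReportGate()
    lookup = lambda addr: f"breaches for {addr}: (constructed sample)"
    t1 = gate.request("alice@example.com", "mallory@example.net", "203.0.113.7", now=0)
    gate.request("bob@example.com", "bob.new@example.org", "198.51.100.4", now=0)
    vetoed = gate.veto(t1)                          # alice still owns her mailbox
    early = gate.release_due(HOLD_SECONDS - 1, lookup)
    late = gate.release_due(HOLD_SECONDS, lookup)
    return vetoed, early, late, len(gate.outbox)
```

Nothing is ever returned to the requester's session: results only reach an inbox, and only after the address being queried has had the full window to object.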