Firefox Teams Up with Have I Been Pwned

Security researcher Troy Hunt is teaming up with Mozilla to offer his popular Have I Been Pwned (HIBP) service to Firefox users.

Over the next few months Mozilla will be trialling a new Firefox Monitor tool designed to help users check whether they’ve been breached by searching the vast HIBP database. The database now contains over three billion unique email addresses, according to Hunt.

“This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream,” he explained.

To boost security and privacy, the two parties are working to ensure that any breached data is shared and accessed anonymously, using new “hash range query” API endpoints that apply Cloudflare’s k-Anonymity technique.

“Hash range queries add k-Anonymity to the data that Mozilla exchanges with HIBP. Data with k-Anonymity protects individuals who are the subjects of the data from re-identification while preserving the utility of the data,” explained Mozilla privacy engineer, Luke Crouch.

“When a user submits their email address to Firefox Monitor, it hashes the plaintext value and sends the first six characters to the HIBP API. The API responds with many suffixes and the list of breaches that include the full value. When Firefox Monitor receives this response, it loops thru the objects to find which (if any) prefix and breached account HashSuffix equals the user-submitted hash value.”

What’s more, HIBP doesn’t share all of its hashes, allowing Firefox users to maintain privacy and protecting breached users from exposure, said Crouch.
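The hash range query Crouch describes can be sketched as follows; this is an added example, not Mozilla's or HIBP's code. SHA-1 with hex encoding, the `Breaches` field, the `RangeServer` class and all sample data are assumptions or constructed for illustration; only the six-character prefix and the `HashSuffix` name come from the article.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 6  # the article: the client "sends the first six characters"

def email_hash(email):
    # Assumption: SHA-1 of the trimmed, lower-cased address, upper-case hex.
    # The article only says the client "hashes the plaintext value".
    return hashlib.sha1(email.strip().lower().encode()).hexdigest().upper()

class RangeServer:
    """Hypothetical stand-in for the breach API, indexed by hash prefix."""
    def __init__(self):
        self.buckets = defaultdict(list)
        self.query_log = []  # everything the server learns from clients

    def add(self, full_hash, breaches):
        self.buckets[full_hash[:PREFIX_LEN]].append(
            {"HashSuffix": full_hash[PREFIX_LEN:], "Breaches": breaches})

    def query(self, prefix):
        if len(prefix) != PREFIX_LEN or set(prefix) - set("0123456789ABCDEF"):
            raise ValueError("prefix must be 6 upper-case hex characters")
        self.query_log.append(prefix)
        return list(self.buckets.get(prefix, []))

def check_email(server, email):
    """Client side: send only the prefix, compare suffixes locally."""
    full = email_hash(email)
    for entry in server.query(full[:PREFIX_LEN]):
        if entry["HashSuffix"] == full[PREFIX_LEN:]:
            return entry["Breaches"]
    return []  # no suffix in the bucket matched: not in the data set

def build_demo_server():
    # Constructed sample data: one breached address plus two decoy hashes
    # that share its prefix, standing in for other people's accounts.
    server = RangeServer()
    target = email_hash("alice@example.com")
    server.add(target, ["ExampleBreachA", "ExampleBreachB"])
    for n in range(2):
        filler = hashlib.sha1(b"decoy-%d" % n).hexdigest().upper()
        server.add(target[:PREFIX_LEN] + filler[PREFIX_LEN:], ["ExampleBreachC"])
    return server

if __name__ == "__main__":
    srv = build_demo_server()
    for addr in ("Alice@Example.com ", "bob@example.com"):
        print(addr.strip(), "->", check_email(srv, addr) or "no match")
    print("server saw only:", srv.query_log)
```

Under the hex-encoding assumption, a six-character prefix gives 16,777,216 possible buckets, so a database of three billion addresses averages roughly 180 hashes per prefix.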

The service will be trialled with around 250,000 users located mainly in the US.

Hunt has also agreed a new deal with password management firm 1Password which will integrate the HIBP service into the Watchtower feature of the product’s web version, allowing users to see if their passwords have been exposed in a previous breach.
