
Firefox Monitor - madhukarah
https://monitor.firefox.com/scan
======
ccleve
My email appears in six breaches. Only one of the companies I recognize. I
have never done business with the other five.

This pisses me off. Not that the data was stolen -- these things happen. It
pisses me off that my data was shared with third parties without my knowledge
or consent. And no, a paragraph buried in the basement of a privacy policy
does not constitute informed consent.

This system would be more useful if it could report how these companies got my
data. I want to know who betrayed me.

It wouldn't be a terrible thing to have privacy legislation that forces
companies that sell your data to disclose what information they sold, when,
and to whom.

~~~
sleavey
> I want to know who betrayed me.

You can run your own email server (or have a company host a private domain for
you), set up a catch-all address that only you know, then use a different
email address for every site you sign up to. That way you can find out this
sort of information.

Using this technique, I know for example that spammers obtained the address I
signed up to Stack Overflow with. The email is not shown on my profile now,
and I can't rule out that it wasn't ever shown publicly, but evidence suggests
they sold my address to spammers. I also know that spammers crawled my website
and found a blog post where I stupidly made up a random address using my
domain as part of an example for configuring junk filters (the irony is not
lost on me).

~~~
StavrosK
Fastmail supports this natively (and is awesome). You can do
service@user.yourdomain.com and it will get delivered to
user+service@yourdomain.com.

~~~
27182818284
You can use the + trick and . trick with Gmail addresses too. I think Outlook
as well supports the + trick. The only downside to this is that there are
plenty of sites that don't accept a + either knowingly or unknowingly.

~~~
jiveturkey
this isn't a good anti-spam filter though. + addressing (even the fastmail
kind) is trivial to parse and I'm 100% sure email harvesters are aware of it.

~~~
techbio
This isn’t to prevent spam, it is to identify the original leak. If the unique
email address you gave to company X is used for solicitations by company Y,
company X must have given it away.

~~~
mikedelfino
Then what?

~~~
Xylakant
I usually go for <company>@example.com where <company> is the company I’m
handing my address to. After a breach I route that address to /dev/null

~~~
bradknowles
That's trivially easy to guess -- and game.

You want something that is sufficiently random that it can't be easily guessed
or gamed, but can be quickly and easily determined on your side.

Salted cryptographic hashes might be a good place to start.
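The per-service alias scheme sleavey, Xylakant and bradknowles describe, written out as an added example (not code from anyone in the thread). The alias is `<service>-<tag>@yourdomain`, where the tag is a truncated HMAC over the service name, so a valid tag cannot be forged by someone guessing `amazon@example.com`; the secret, domain and sample addresses are constructed assumptions.

```python
import hashlib
import hmac
from email.utils import parseaddr

# Constructed values for this example: a real setup would use a long random secret
# that never leaves your mail server, and the catch-all domain you actually own.
SECRET = b"constructed-example-secret-do-not-reuse"
DOMAIN = "example.com"
TAG_LEN = 10  # hex characters of the HMAC kept in the address


def _tag(service: str) -> str:
    return hmac.new(SECRET, service.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def alias_for(service: str) -> str:
    """Address to hand to one service: <service>-<tag>@DOMAIN.

    'amazon@example.com' is guessable; without SECRET nobody can produce a tag
    that verifies, so a valid alias proves you issued it for that service."""
    name = service.lower()
    return f"{name}-{_tag(name)}@{DOMAIN}"


def service_from_alias(address: str):
    """Return the service an alias was issued to, or None if the tag does not verify."""
    _, addr = parseaddr(address)
    local, _, domain = addr.lower().rpartition("@")
    if domain != DOMAIN or "-" not in local:
        return None
    name, _, tag = local.rpartition("-")
    return name if hmac.compare_digest(tag.encode(), _tag(name).encode()) else None


def classify(recipient: str, sender: str, revoked=frozenset()) -> str:
    """What one message to a catch-all address tells you about the alias it used."""
    service = service_from_alias(recipient)
    if service is None:
        return "forged"           # tag mismatch: guessed, crawled or made up
    if service in revoked:
        return "revoked"          # alias retired after a breach: route to /dev/null
    _, from_addr = parseaddr(sender)
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain == service or from_domain.endswith("." + service):
        return "expected"         # the service you gave it to is writing to it
    return "leaked-by:" + service  # a third party has an address only that service knew


if __name__ == "__main__":
    so = alias_for("stackoverflow.com")  # services are named by their domain here
    print(so)
    print(classify(so, "Stack Overflow <do-not-reply@stackoverflow.com>"))  # expected
    print(classify(so, "Deals <offers@spammer.test>"))  # leaked-by:stackoverflow.com
    print(classify("amazon@example.com", "x@anything.test"))  # forged
```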

~~~
username444
Most spammers won't go through the trouble of "gaming" it. There's no upside.
There are far easier targets to focus on than sending more mail to a single
recipient who is more sophisticated.

------
criddell
I checked my email address and it says my data was lost by verifications.io.
I've never heard of that site before and going there didn't reveal any clues.

I googled the name and found a report [1] on the breach. They lost control of
records on 2 billion email addresses.

[1]: [https://www.forbes.com/sites/daveywinder/2019/03/10/2-billion-unencrypted-records-leaked-in-marketing-data-breach-what-happened-and-what-to-do-next/#366401d06b0d](https://www.forbes.com/sites/daveywinder/2019/03/10/2-billion-unencrypted-records-leaked-in-marketing-data-breach-what-happened-and-what-to-do-next/#366401d06b0d)

~~~
pmikesell
It sounds like this was email addresses only, and they're very shady about how
they acquired this information in the first place.

"The real question that the researchers and Troy Hunt, founder of Have I Been
Pwned?, want to know is how Verifications.io got its hands on all of this
information in the first place. The Estonian-based company has refused to
respond to questions from different news outlets and has taken down its entire
website as of March 4, 2019." [1]

and

"Verifications.io ensures third-parties’ email marketing campaigns are being
sent out to verified accounts, and not just fake emails." [1]

[1]: [https://www.idtheftcenter.org/763-million-records-exposed-in-verifications-io-data-breach/](https://www.idtheftcenter.org/763-million-records-exposed-in-verifications-io-data-breach/)

~~~
judge2020
The premise of the company explains how they got the information. Marketing
teams at hundreds of other companies sending over their lists to the site to
see if some of their emails are fake.

------
atonse
How does this relate to HaveIBeenPwned.com? Is it a separate effort? Does it
have more data? Is it built on top of their data?

I've seen other services (like 1Password) just rely on HaveIBeenPwned because
it's pretty solid – seems like it would be nice for the industry to coalesce
around it and build these kinds of alerting features on top of it.

~~~
alien1993
When you submit your email after the breaches list there's this notice "Breach
data provided by Have I Been Pwned", so I guess it's a joint effort.

~~~
samebreath
Yes, exactly. It's on the bottom of every breach page too:

> Breach data provided by Have I Been Pwned

I love that it's a visually engaging and simple way of showing breaches. It's
going to be a lot easier to share this with family, then get them on a
password manager.

------
jmkni
Apparently MyFitnessPal had their data breached, and my email address/password
was in it.

Checking my emails, I can't see anything from them about this. Loads of the
usual marketing crap, but nothing about a breach.

Not cool!

~~~
steve_adams_86
Same, for me it was them and Apollo. I can't find anything about either of
them in my mail, but both claim to have notified their customers. That's very
suspicious. I don't delete anything... Perhaps it found its way into my spam
and got auto-deleted (entirely possible with Apollo, seems very unlikely with
MFP).

~~~
ata_aman
Also got mine leaked from FitnessPal and Apollo and them only. No idea what
Apollo is or how they got my stuff. Any idea what it is?

A link to each service's website would be awesome in the breach report on
FireFox Monitor.

~~~
mh-
Had the same. Seems Apollo is [https://www.apollo.io](https://www.apollo.io)
- you were probably entered as a sales lead.

------
groovecoder
Disclaimer: Firefox Monitor dev here.

Note: We just released a "V2" of the site that allows you to add multiple
email addresses to monitor, and (then) to have all your breach alerts sent to
your single primary email address.

~~~
mikaelmello
Are there plans to monitor an entire custom domain?

~~~
Fogest
Just use the site where Firefox is getting their data from, they have a domain
feature:
[https://haveibeenpwned.com/DomainSearch](https://haveibeenpwned.com/DomainSearch)

------
yuchi
Mozilla and Apple, lately, are the only companies I trust my data to. Nice to
see more from both.

~~~
tomxor
I find it difficult to trust Apple for security considering their morally
bankrupt behaviour in the rest of their business. They have proven their sole
principle is monetary, so I find it difficult to perceive their recent claim
to care about user security as anything beyond opportunism.

~~~
ilikehurdles
I can’t think of a big tech device company that’s any less driven by money
than apple. What makes them so unique, in your mind? In my experience I’ve had
less unwanted tracking and advertising, and better support compared to other
phone and laptop manufacturers I used to buy from.

~~~
tomxor
Not everything needs to be a "big tech company", but you are right big tech
companies are quite similar in this respect. At critical mass capitalism seems
to cause companies to lose their driving principles that made them unique -
their behaviour becomes more of a mindless ecology driven solely by money.

Now look at Mozilla, it's a non profit, look at everything it does, they have
never lost their principles. They will never reach the scale of Apple, Google
or Microsoft, and that's a good thing.

> What makes them so unique, in your mind?

Beyond the negatives that come at their scale, Apple are doing some
systematically deceitful things directly to customers that make them stand out
from other companies ([edit] talking about their attitude towards customers
with defective hardware). If they think that little of individual customers,
how could they possibly care about an individual's privacy?

~~~
mffnbs
> Now look at Mozilla, it's a non profit, look at everything it does, they
> have never lost their principles.

I take issue with this. Mozilla has a corporate arm and they're the ones in
control of Firefox marketing and development. Take for example the fact that
they were (most likely) paid to install an extension to advertise a TV show.

Apple has yet to display any ads to me on my Mac, unlike Microsoft in Windows.
I think your criticisms are well intended, but your conclusions are way off.

~~~
jamienicol
That's just for legal reasons. Profits from the Corporation are put in to the
Foundation. There are no shareholders making money.

Mozilla weren't paid for Mr Robot. Their finances are made public.

------
lux
It would be helpful to include a link to the services somewhere. I only
figured out this was for apollo.io because of a comment on HN:
[https://monitor.firefox.com/breach-details/Apollo](https://monitor.firefox.com/breach-details/Apollo)

~~~
roryokane
I agree, it would be helpful. At least Firefox Monitor does give you a way to
find more details, by linking to
[https://www.haveibeenpwned.com/](https://www.haveibeenpwned.com/). If you
click from that page to
[https://haveibeenpwned.com/PwnedWebsites](https://haveibeenpwned.com/PwnedWebsites)
and search the page for a company name, you will find more details about it.

------
user17843
Have I been pwned prompted me to abandon my old addresses and switch to a
provider that allows trash mails and email aliases.

Originally my address was breached by Dropbox and Kickstarter.

It took me many months to switch over, as I did not have a complete list of
all services I had registered with.

So for many average people switching email addresses is often a very difficult
task, so people keep them even in light of breaches.

More important for the average user is to have a good password management
system and know whether a certain password has been hacked.

------
huehehue
There are just so many problems.

Traditional authentication methods have failed us. I'm still waiting for a
reasonable alternative, but the best we've come up with are things like 2FA
and magic links?

Companies insist on sucking as much data out of their users as possible. What
are your options? Hand over your personal information and give hackers a
reason to attack your favorite services? Create a million different phone
numbers, burner addresses, and fake personas? How exhausting.

Then there's the problem of treating data like SSNs, phone numbers, and legal
names as private. These things could be public if central authorities could do
their jobs correctly, but we've shifted the blame of e.g. "identity theft" to
the end user who ultimately has no control over this stuff.

Further, official ID/passport/etc. scans are required of so many transactions
and I _guarantee_ my slumlord does not follow good security practices so what
can I do other than sit like a duck? Monitors like this are a noble effort,
and I'll definitely use them, but it sucks that it's come to this.

------
miguelmota
If it's using the haveibeenpwned service then why does it say my email has
been found in fewer data breaches compared to the number on the
haveibeenpwned site (11 vs 14)?

~~~
groovecoder
By default we don't show:

* Sensitive Breaches
* "Retired" Breaches
* Spam Lists
* Fabricated Breaches
* non-Verified Breaches

[https://github.com/mozilla/blurts-server/blob/master/hibp.js#L142-150](https://github.com/mozilla/blurts-server/blob/master/hibp.js#L142-150)
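The five default exclusions groovecoder lists, applied to breach records shaped like HIBP's breach model, as an added example (not Monitor's hibp.js and not HIBP code). It assumes the categories map one-to-one onto HIBP's boolean fields IsSensitive, IsRetired, IsSpamList, IsFabricated and IsVerified; the 14 records and their names are constructed to reproduce the 11-vs-14 gap miguelmota asked about.

```python
# Each entry: HIBP field name -> the value that hides a breach from Monitor's default view.
# Assumption: groovecoder's five categories correspond to these HIBP breach-model flags.
DEFAULT_HIDDEN = {
    "IsSensitive": True,    # sensitive breaches
    "IsRetired": True,      # "retired" breaches
    "IsSpamList": True,     # spam lists
    "IsFabricated": True,   # fabricated breaches
    "IsVerified": False,    # non-verified breaches
}


def breach(name, **flags):
    """Constructed breach record with HIBP-style flags; unspecified flags take the
    ordinary values (verified, not sensitive/retired/spam/fabricated)."""
    rec = {"Name": name, "IsVerified": True, "IsFabricated": False,
           "IsSensitive": False, "IsRetired": False, "IsSpamList": False}
    rec.update(flags)
    return rec


# 14 constructed breaches for one address (made-up names), the count HIBP would show.
SAMPLE_BREACHES = [breach(f"Site{i}") for i in range(1, 12)] + [
    breach("AdultSiteX", IsSensitive=True),
    breach("BigSpamList", IsSpamList=True),
    breach("RumouredDump", IsVerified=False),
]


def hidden_reasons(rec):
    """Which default exclusions apply to this record (empty list = shown)."""
    return [field for field, value in DEFAULT_HIDDEN.items() if rec.get(field) == value]


def default_view(breaches):
    """Breaches Monitor would show with its default filters applied."""
    return [rec for rec in breaches if not hidden_reasons(rec)]


def explain_gap(breaches):
    """(count on HIBP, count shown by default, {hidden name: reasons})."""
    hidden = {rec["Name"]: hidden_reasons(rec) for rec in breaches if hidden_reasons(rec)}
    return len(breaches), len(breaches) - len(hidden), hidden


if __name__ == "__main__":
    total, shown, hidden = explain_gap(SAMPLE_BREACHES)
    print(f"{shown} of {total} shown; hidden: {hidden}")
```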

------
EasyTiger_
Apollo whom I've never had any dealings with whatsoever have compromised my
details. Absolutely fucking outrageous.

~~~
tuxone
Same here, I never heard of Apollo and I have 0 emails from them in my email
account. Yet it looks like they leaked both email address and (and this sucks
a lot) phone number.

------
goda90
Looks like this doesn't include another feature of HaveIBeenPwned. Its cracked
password hash database. If you trust their JavaScript, you can type in your
passwords and see if they are on the list. If you're a little more paranoid
you can download the hashes and do your own search.

~~~
groovecoder
Disclaimer: Monitor dev here ...

Watch this space: [https://github.com/mozilla/blurts-addon/issues/142](https://github.com/mozilla/blurts-addon/issues/142)

;)

~~~
rhamzeh
That repo is archived and read-only though. Is it still being actively
developed elsewhere?

------
aeonsky
I bought extended car warranty from a company and they subsequently exposed my
VIN, name and email on a publicly shared DB by accident, and it's still up. I
don't want to report this to them directly. Anyone know if I can report this
to Firefox Monitor somehow?

~~~
r3bl
Send it to Troy Hunt:
[https://www.troyhunt.com/contact/](https://www.troyhunt.com/contact/)

He's behind Have I Been Pwned, and Firefox Monitor is an alternative interface
for it. I believe he verifies the breaches by contacting a few people in a new
breach that have already signed up for HIBP notifications.

------
mangatmodi
So basically if I put somebody's email address I could know the sites they
have logged in in the past?

And then I can use the leak and get access to their account? Shouldn't this
information be mailed to the email address queried rather than displaying
upfront?

~~~
kuzimoto
As topranks mentioned, all this data is already available and anyone could
download it.

However, in most leaks, you can't just use the information as the passwords
are (hopefully) hashed/salted. That said, it is trivial to crack md5 if
passwords are stored using that method.

Also, not all leaks contain passwords, some might just be lists of email
addresses or other information.

~~~
mangatmodi
This is about making it easier to attack a particular person, but privacy
concern. Breaks the anonymity on internet.

~~~
kuzimoto
The companies that were responsible for the data in the first place are ones
to blame for breaking "the anonymity on internet".

Anything that anyone does after the fact is moot.

------
Mistri
I don't understand what the point of this is. HaveIBeenPwned exists, they
acknowledge (and use) their service, and offer the same exact services as they
do. What's the point? It's just a reskin.

------
skilled
So, an email address I use for messaging only has appeared in an "Apollo"
breach. It's nice to have your data floated around by some dick companies that
specialise in "sales intelligence".

Wtf?

------
ksec
Sometimes I wonder if it would be easier if we just start anew. I can't go back
and change every single password with that email address that I didn't use
KeyChain before.

------
Scrantonicity
Previous discussion:
[https://news.ycombinator.com/item?id=18067049](https://news.ycombinator.com/item?id=18067049)

------
cparsons3000
Isn't this the same as
[https://haveibeenpwned.com/](https://haveibeenpwned.com/)?

~~~
c0vfefe
Yes, that's their data source.

------
rgblambda
Tried my email address. Only leak was due to Warframe (which I've played a
total of 15 minutes of back in 2014). Tried my parents' email accounts and both
had zero breaches. I know for a fact my mother's email account has been in at
least one data breach so I'm questioning the comprehensiveness of this tool.

------
aquova
Out of curiosity, is there a list somewhere of utilities like this that are
run by Mozilla/Firefox? I don't think I would've heard about Monitor or
Lockwise if I hadn't been on here when someone had posted it, so I'm curious
if there are other useful services by them that I have missed.

~~~
bwat49
Not sure if there's a full list anywhere, but Firefox Send is another nice one

------
albertgoeswoof
If you really want to avoid this, use a different email address for every
service you sign up for. Here’s something I made earlier that helps with this:
[https://idbloc.co](https://idbloc.co)

------
brianbreslin
Does this have an API? I would pay a nominal amount to have this tied to my
1password DB to crosscheck all the emails I use. Since I use a different email
for each site, I'd like this automated.

Also do you think this is the same value as LifeLock?

~~~
mikeiz404
The footer of the results list says “Breach data provided by Have I Been
Pwned” and it looks like Have I Been Pwned has an API here
[https://haveibeenpwned.com/API/v2](https://haveibeenpwned.com/API/v2).

I personally don’t see a benefit to Firefox Monitor, aside from a new channel
of exposure and branding for Firefox, if they are providing the same data Have
I Been Pwned is.

~~~
frosted-flakes
Trust. Mozilla is a relatively well-known trustworthy entity. "Have I been
Pwned" sounds like some shady website that will steal your data. I've
certainly never heard of it before, and Random Randy definitely won't have.

------
leeoniya
would be a lot more helpful if it clarified if it's hashed passwords or
plaintext, also if they were hashed with a site-wide salt or per-user salt.

imo, this distinction is too important to be omitted from a short summary.

~~~
mhaymo
Why is it important? In either case, the correct course of action is to treat
the password as insecure.

------
m52go
Looks like Mozilla is starting to break out again, and it seems they're making
the most of it with recent headlines.

I say they should capitalize on it with the ultimate announcement. Bring back
Firefox OS!

------
Goronmon
31 breaches on my Gmail account that I've had for close to 15 years.

I'm actually surprised it's not more given how many sites/forums/services I've
shared this with over the years.

~~~
emn13
That's only the big ones you know about; it's safe to say there have been many
many more smaller ones; especially if the site was small or desperate enough
to consider a coverup.

------
loop0
It looks like they don't have the Onliner Spambot database, as my email is not
flagged but when I look at the haveibeenpwned website it flags for this spam
list.

------
bcaiv
This is basically a frontend for haveibeenpwned. Creating it cost Mozilla
money. Why did they do this instead of linking directly to the original page?

~~~
proaralyst
Because the Mozilla brand is more trusted than a random website with ‘Pwned’
in its name. Also, it's being built into Firefox so having a website for it
too seems like a good idea.

~~~
Fogest
Well the have I been pwned website is also pretty trusted and is integrated
into 1password. I don't know why Firefox wouldn't just integrate it into the
browser like 1password did with their password manager. Would make more sense
than just being a different front end to an existing site.

~~~
lotu
Pwned is not a standard English word. The vast majority of non-tech non-gamer
non-under 40s are unfamiliar with this word but are familiar with Firefox.

~~~
Fogest
You think people of that age are familiar with what a "Fire fox" is? With all
the people I've helped most don't even know a browser outside of the default
on their system.

------
benatkin
I really wish Firefox would focus, and I don't mean Firefox Focus. If they
focused on making it simple, fast, and reliable, it would have a much better
shot at taking market share from Chrome. On top of that, I wish everything on
top of a browser was truly optional - that they didn't have reminders of sync
spread throughout the app, and that they didn't have a Pocket button in the
toolbar unless I logged in with Pocket.

"Find out what hackers already know about you." unnecessarily grinds my gears,
as a hacker (programmer) who wants Firefox to succeed.

~~~
detritus
> If they focused on making it simple, fast, and reliable, it would have a
> much better shot at taking market share from Chrome.

imho, they've already achieved this and have a great browser that's at least
comparably-competent against Chrome.

The battle Mozilla has with Firefox isn't in improving its tech specs, it's in
winning over hearts and minds, and that's a complicated, somewhat costly game.

(I say this as a long-term Firefox user who encourages it with all my friends
and family)

~~~
benatkin
There are only four major browsers, so it isn't about being _a great browser_.

Many try to switch and then some scandal happens, or it just seems as
cluttered as any other browser, and they give up. I think the people who think
Firefox Monitor is a good idea are probably the ones who thought the Mr. Robot
promo was a good idea.

A good browser should stay out of the way. Chrome did for a long time. Having
a "Save to Pocket" button in my toolbar is intrusive.

~~~
emn13
Browsers have tons of features; you don't need to use the ones you don't care
for.

It's trivial to remove the pocket button - right-click and select "remove from
address bar".

If I might ask - how is a "save to pocket" intrusive? This isn't like any of
the billions of social media buttons you'll come across on the web; it's not a
tracker or anything (and if you do click it, you're going to need to make an
account first; and it's only going to save what you ask it explicitly to
save).

~~~
benatkin
It's intrusive because it takes up space on my screen, and because it's
completely useless without a Pocket account. Thanks for the tip about removing
it from my address bar. Done. It still shows up second in the dot menu, but
it's an improvement. I'd rather it were an extension that was installed by
default that I could uninstall.

~~~
emn13
This isn't at all discoverable, but... [https://support.mozilla.org/en-US/kb/disable-or-re-enable-pocket-for-firefox](https://support.mozilla.org/en-US/kb/disable-or-re-enable-pocket-for-firefox)

------
danarel
My data was leaked in Verifications.io's breach and I don't think I have even
heard of this company...

------
brians
This is fantastic work, and sets the problem out with high resolution and
clear contrast.

Pity the stand costs so much.

------
hestefisk
I was on 8fit, a fitness app. Was never notified of any breach. Lame.

------
sleepybrett
Oh damn, I thought, based on the name, that this would be a better firefox
task manager .. you know, one that actually functions. Nope.

------
ajnin
Are they doing anything with the email addresses beyond checking they appear
in breach databases? Are they anonymizing things, for example using some kind
of one-way hash to match email addresses? Is it GDPR-compliant? There is no
clear explanation of how they're processing that data, as there should be, as
email addresses are personal information.

~~~
groovecoder
[https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/](https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/)
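The k-anonymity range lookup that goda90 describes for HIBP's password list, and that the post groovecoder links applies to email addresses, shown as an added example (not HIBP's or Monitor's code). It uses the Pwned Passwords range format as the concrete instance: only the first 5 hex characters of the SHA-1 are sent, the service answers with `SUFFIX:COUNT` lines for every hash sharing that prefix, and the match happens locally. The in-memory "server" and its counts are constructed stand-ins for the network call.

```python
import hashlib

PREFIX_LEN = 5  # Pwned Passwords range API: only the first 5 hex chars of the SHA-1 go out


def sha1_hex(secret: str) -> str:
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def split_for_range_query(secret: str):
    """Client side: the prefix is all that goes on the wire; the suffix stays local."""
    digest = sha1_hex(secret)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> dict:
    """Server reply: one 'SUFFIX:COUNT' line per known hash sharing the prefix."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def times_seen(secret: str, fetch_range) -> int:
    """How often the secret appears in the corpus; 0 means no suffix matched locally."""
    prefix, suffix = split_for_range_query(secret)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the remote service: a few hashes with made-up counts
# (the real corpus holds hundreds of millions and every prefix has many suffixes).
CONSTRUCTED_CORPUS = {sha1_hex(p): n for p, n in
                      {"password": 3730471, "letmein": 254000, "qwerty123": 1}.items()}


def fake_fetch_range(prefix: str) -> str:
    """What the server can see is the prefix only; it cannot tell which suffix you hold."""
    return "\n".join(f"{h[PREFIX_LEN:]}:{n}" for h, n in CONSTRUCTED_CORPUS.items()
                     if h.startswith(prefix.upper()))


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", times_seen(candidate, fake_fetch_range))
```

Swapping `fake_fetch_range` for an HTTPS GET of the real range endpoint gives the same client logic; goda90's "download the hashes and do your own search" is the offline extreme of the same trade-off.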

------
emanreus
sergey@google.com in 7 breaches
larry@google.com in 14 breaches

------
meh206
Mozilla really wants your information these days :(

~~~
freewilly1040
How do you mean? All they are collecting is your email, and the whole point is
to show you that your email (and much more) is already in the wild

------
123jay7
"This email appeared in 17 known data breaches."

How does this help at all? What can I do about it? Some of the breaches are
years old...

~~~
cmg
First, if you know you've reused a password on one of the services listed,
then you know to go change that password everywhere. Everyone should be using
unique passwords and a password manager, but some of these breaches are so old
they're before that was a commonly-used practice.

Second, you can look into each incident to see what exactly was breached --
personal information, payment info, and so on. It's good information to know.

