Firefox Monitor (firefox.com)
574 points by madhukarah on June 5, 2019 | 215 comments

My email appears in six breaches. Only one of the companies I recognize. I have never done business with the other five.

This pisses me off. Not that the data was stolen -- these things happen. It pisses me off that my data was shared with third parties without my knowledge or consent. And no, a paragraph buried in the basement of a privacy policy does not constitute informed consent.

This system would be more useful if it could report how these companies got my data. I want to know who betrayed me.

It wouldn't be a terrible thing to have privacy legislation that forces companies that sell your data to disclose what information they sold, when, and to whom.

> I want to know who betrayed me.

You can run your own email server (or have a company host a private domain for you), set up a catch-all address that only you know, then use a different email address for every site you sign up to. That way you can find out this sort of information.

Using this technique, I know for example that spammers obtained the address I signed up to Stack Overflow with. The email is not shown on my profile now, and I can't rule out that it wasn't ever shown publicly, but evidence suggests they sold my address to spammers. I also know that spammers crawled my website and found a blog post where I stupidly made up a random address using my domain as part of an example for configuring junk filters (the irony is not lost on me).

Fastmail supports this natively (and is awesome). You can do service@user.yourdomain.com and it will get delivered to user+service@yourdomain.com.

You can use the + trick and . trick with Gmail addresses too. I think Outlook as well supports the + trick. The only downside to this is that there are plenty of sites that don't accept a + either knowingly or unknowingly.

Yeah, that's why Fastmail has that syntax.

The + feature long predates gmail. Here’s an example description from the 1990s http://www.faqs.org/faqs/mail/addressing/index.html

I think StavrosK meant Fastmail has the service@user.yourdomain.com syntax because "there are plenty of sites that don't accept a +", not because Gmail supports the user+service@gmail.com syntax.

That's what I meant, sorry and thank you.

Yes, it's in the SMTP RFC.

To clarify the SMTP RFC (RFC 5321) says that a valid e-mail address is defined in RFC 5322 - Internet Message Format.

RFC 5322 does say that a `+` is a valid character in the local part of an e-mail address.

The `+` character being used for address aliasing is, as far as I can tell, not mentioned in RFC 5321 or RFC 5322

It's apparently a thing now:


It's not.

RFCs don't define any meaning for '+' as described in this thread, except that the local part of the address should be interpreted locally (usually by the MDA), and preserved unmodified during message transfer.

There's no + aliasing in the specs. There's no interpretation defined for local part of email address.

Oh, yes. I meant "+" is an acceptable character to use in the local part of an email address, as per the RFC. I see now where the misunderstanding lies.

I've been doing this for years with Gmail but the issue with breach notification services like HIBP / Monitor is that you can't add wildcards into your search for notifications, so unless I plug in every me+service@domain email variant in, I could be missing being notified.

This isn't a good anti-spam filter though. + addressing (even the Fastmail kind) is trivial to parse and I'm 100% sure email harvesters are aware of it.

They can filter out the boxname part of temporal+boxname@mytld.com, but they can't, in general, filter out boxname@temporal.mytld.com - it would break too many things. I guess it's possible to recognize mail for mytld.com is handled by FastMail, but I'm not sure anyone bothers. In my case, almost all spam I get comes to an alias I have in my Facebook profile, and the rest of it to an alias I put on my website - so in both cases, I assume spammers just scraped the e-mail address.
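The folding the two comments above describe, written out as an added example (not code from the thread or from any provider): a list-cleaning harvester can drop the plus-tag and, for Gmail-style domains, the dots, but it cannot rewrite the domain part of a subdomain alias without changing where the mail goes. The sample addresses and the set of dot-insensitive domains are constructed for illustration.

```python
# Constructed sample addresses covering the alias styles discussed in the thread.
SAMPLE_ADDRESSES = [
    "temporal+boxname@mytld.com",       # plus-tag alias
    "j.i.m.m.y+hackernews@gmail.com",   # plus-tag on a dot-insensitive provider
    "boxname@temporal.mytld.com",       # Fastmail-style subdomain alias
    "linkedin@jm4.eml.cc",              # alias on a dedicated alias domain
]

# Providers that ignore dots in the local part. Gmail does; the set is an
# assumption for this example and would need maintaining in practice.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def fold_as_harvester(address: str) -> str:
    """Collapse an address the way a list-cleaning spammer would.

    Everything from the first '+' in the local part is dropped and, for
    dot-insensitive providers, dots are removed. The domain part is never
    touched: rewriting boxname@temporal.mytld.com to something@mytld.com
    would redirect the mail, so subdomain aliases survive this step.
    """
    local, _, domain = address.lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def survives_folding(address: str) -> bool:
    """True when folding leaves the alias intact, i.e. a leak stays traceable."""
    return fold_as_harvester(address) == address.lower()


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(f"{addr:35} -> {fold_as_harvester(addr):25} traceable={survives_folding(addr)}")
```

Run it and the two plus-tag addresses collapse to the bare mailbox while the two domain-based aliases come back unchanged, which is the whole argument for putting the identifying part in the domain rather than the local part.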

Fastmail also lets you use aliases to protect your main address. I only give out an alias with an alt domain - something like spam@jm4.eml.cc, linkedin@jm4.eml.cc, etc. No one has my real address. I basically only use it as my username. I give an alias to family. I just delete the alias or filter it to the trash if I have problems with it.

I'd be surprised if many harvesters are going to bother with rules just for Fastmail domains. First of all, they have a bunch of them. Second, the spammers' objective is to get email into your mailbox. They don't care if they use an alias to get there. Bad actors who got your info in a data breach are a different story, but there's probably some safety in numbers. There could potentially be millions of accounts to go after before they start thinking about reversing my Fastmail alias. Besides, if you use one of the generic ones like qq.com or eml.cc - or even better yet, your own domain - they're not likely to notice anyway.

This isn’t to prevent spam, it is to identify the original leak. If the unique email address you gave to company X is used for solicitations by company Y, company X must have given it away.

Then what?

Depending on my mood and whether the company is local, write a complaint to the company that leaked the address or to an appropriate government institution. In my country, a local computer security news site started a tradition of telling the offending companies that they can either apologize and donate some money to a charity (and send back the proof of payment), or you'll bring the issue up with Personal Data Protection Office, which will be more than happy to fine them.

I usually go for <company>@example.com where <company> is the company I’m handing my address to. After a breach I route that address to /dev/null

That's trivially easy to guess -- and game.

You want something that is sufficiently random that it can't be easily guessed or gamed, but can be quickly and easily determined on your side.

Salted cryptographic hashes might be a good place to start.

Most spammers won't go through the trouble of "gaming" it. There's no upside. There are far easier targets to focus on than sending more mail to a single recipient who is more sophisticated.

After a breach of <company>@example.com, forward it to support@<company.com>.

Don’t give me ideas.

If you live in Europe, you might have a case.

Fastmail's way of doing it is better. Some advertisers are already removing + syntax from Gmail addresses.

I think most MTAs support +. Isn't that part of the e-mail standard?

The MTAs do. Many a website won't allow you to use this syntax for a user registration.

It is, but many services will (incorrectly) prevent an address with a `+` in it from ever making it to their database/whatever.

So the fact that the MTA will route it is irrelevant if it never makes it to the MTA in the first place.

> It is [part of the standard]

+ as a magic character to effect routing isn't part of the standard. Mail servers are free to route addresses to mailboxes in whatever manner they see fit. That + can appear as a character in an address is part of the standard, just not the behavior of it; a server that treats a+1@ and a+2@ as distinct emails is conforming, and from a sending side, you cannot know if a+1@ and a+2@ will end up in the same mailbox.

(But you're absolutely right that too many sites fail to parse email addresses. Or rather, they over-parse.)

You can also set up rules like *@example.com, leading to addresses like hn@example.com.

As does Gmail. But not all services support the + on login forms.

I believe this was part of the email standard?

The email standard does include the +, yes. Here's a talk on the topic:


But yes, that's why Fastmail supports the alternative syntax.

This is what I've done for close to 15 years and I'm generally surprised by how few of my addresses have been leaked.

I believe they were breached relatively recently. If your jurisdiction doesn't require reporting you might not have gotten notification currently or in the past. They may also not know they're breached.

Reach out to support.

I do this with Fastmail, including specialized subdomains to help me segment the addresses and then distinct email names for each sign up as necessary.

You can also do something similar with Gmail (and probably other providers) using "+" in your username, e.g. "myname+hackernews@gmail.com". This creates a unique email address that delivers to your Gmail account as if the "+<whatever>" were absent. This is more easily defeated if you're a moderately motivated spammer.

If you run your own email, you can catch the moderately motivated spammer: use a character other than + as the segmenter, and a honeypot +.

Here, ‘-’ is the segment character, <me+some@example.com> is the actual delivery address, and <me@example.com> triggers an immediate block.
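An added example (not code from the thread) that combines two ideas raised in it: the honeypot layout just above, where '-' is the segmenter, me+some@example.com is the real mailbox and a bare me@example.com means a harvester stripped the plus-tag, and the earlier suggestion that a keyed hash makes per-company aliases unguessable, so that <company>@example.com cannot simply be gamed. The domain, mailbox name, secret and tag length are assumptions; the tag is a truncated HMAC-SHA256 of the service name rather than the thread's "salted hash" phrasing.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumptions for this example (none of these come from the thread).
DOMAIN = "example.com"
MAILBOX = "me+some"      # real delivery address: me+some@example.com
SECRET = b"replace-with-a-long-random-secret-kept-on-the-mail-server"
SEGMENT = "-"            # segmenter; deliberately not '+', which is the honeypot
TAG_LEN = 8              # hex chars of HMAC kept in the alias


@dataclass(frozen=True)
class Decision:
    action: str          # "deliver", "honeypot" or "reject"
    service: str = ""    # who the alias was issued to, when that is known


def _tag(service: str) -> str:
    return hmac.new(SECRET, service.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_alias(service: str) -> str:
    """Issue me+some-<service>-<hmac>@example.com for one company."""
    service = service.lower()
    return f"{MAILBOX}{SEGMENT}{service}{SEGMENT}{_tag(service)}@{DOMAIN}"


def route(address: str) -> Decision:
    """Decide what to do with inbound mail, as the receiving server would."""
    local, _, domain = address.lower().rpartition("@")
    if domain != DOMAIN:
        return Decision("reject")
    # Stripping from '+' onward turns every issued alias into plain
    # me@example.com, so anything without a '+' was laundered by a harvester.
    if "+" not in local:
        return Decision("honeypot")
    if local == MAILBOX:
        return Decision("deliver")           # direct mail to the real mailbox
    if not local.startswith(MAILBOX + SEGMENT):
        return Decision("reject")
    # rsplit on the last segmenter so service names may themselves contain '-'
    parts = local[len(MAILBOX) + len(SEGMENT):].rsplit(SEGMENT, 1)
    if len(parts) != 2:
        return Decision("reject")
    service, tag = parts
    if not hmac.compare_digest(tag, _tag(service)):
        return Decision("reject", service)   # guessed alias, wrong or missing tag
    return Decision("deliver", service)


if __name__ == "__main__":
    issued = make_alias("acme")
    print(issued, route(issued))
    print("me@example.com", route("me@example.com"))
    print("me+some-acme-zzzzzzzz@example.com", route("me+some-acme-zzzzzzzz@example.com"))
```

The `service` field on a delivered message is what you actually want from this scheme: when mail for the alias issued to one company arrives from someone else, that field names who leaked it, and a burst of honeypot hits tells you a harvested list is in circulation.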

> <me@example.com> triggers an immediate block.

This doesn't work. I've seen legitimate companies just strip everything from the + onwards.

Well, "legitimate". There's no legitimate reason for a company to remove anything from user-provided e-mail address.

Legitimate reason != legitimate company

Doing something like this is extra work, implying the company in question either has some malicious intent (e.g. spamming, or sharing data with third parties behind users' backs), is misguided (e.g. thinking this is a proper way of dealing with user account spam), or just doesn't give a damn. Each of these cases reflects badly on such a company.

You can reflect it however badly you want, I'm just saying these weren't companies most people would consider shady or cut off business with over this issue.

Using + isn't the best method as some services just won't allow having a + sign in the email address (probably shitty email address detection) and of course spammers can simply strip the alias parts and send you mail.

You'd have a better luck with *@user.your.domain if you can give each user a unique domain.

Are you suggesting buying a new domain for each email address? That could get extremely expensive to maintain.

I bought a single domain @MyEmail.org, and create a new user for each site I sign up with that forwards to my gmail.

1@MyEmail.org, 2@MyEmail.org, 3@MyEmail.org etc...

No. Your case works for a single person but for more people on a single domain, you would want to do,

service1@me.your.domain service1@dad.your.domain

(Instead of me+service1@your.domain)

service2@me.your.domain service2@mom.your.domain

and so on. So, those services have no way of fooling you by tampering with the alias parts.

But of course this isn't easy unless you roll your own mail server.

Thanks for the breakdown. I didn't think about using Sub Domains!

You can also do this with a single email address and the + symbol:

jimmy+facebook@gmail.com jimmy+twitter@gmail.com jimmy+hackernews@gmail.com

all go to jimmy@gmail.com

I used this technique a few times until I realized that spammers and, most importantly, companies that sell their user databases also know about it. So it's actually pretty trivial for them to strip the +something bit before any shady business. Now I don't really care anymore. Most spam is caught automatically anyway. Even when it's not, it's actually a tiny annoyance to me. And what am I going to do if I know for sure that some company sold my data? Sue them? I will most certainly not.

A . works as well, doesn't it? I can't remember if it gets stripped out or not if the email server isn't expecting it.

Gmail explicitly ignores '.' in email addresses. I don't think it's standard behaviour across other email systems, though, and even gmail didn't always ignore it.

You can't rule out that it wasn't publicly shown but you say that "evidence suggests" that they sold your address to spammers.

Do you have any evidence at all?

For a major grocery chain with a Savers Card program, they wanted my name, phone number, etc. They claimed they would not sell my data. I made up an imaginary name on the spot:

Joseph Kropholer

1. Six months later websites listed a Joseph Kropholer in my town. Unless I actually happened on a real name, they sold me out.

2. Reading the receipt for my name, the clerks in the check out line would thank me with "Thank you Mr Crap Hole-ermmmm. mumble mumble." Then they realize what they just called me. I did not intend that, but it is constantly funny.

>does not constitute informed consent.

Most contracts that keep modern day businesses running work by pretending uninformed consent counts as consent. If we required true informed consent things would grind to a halt. Which may not be a bad thing.

They wouldn't grind to a halt, but a lot of dishonest businesses would find themselves in a world of trouble. Which is all positive in my books. The market will go as low as people allow it to.

>This system would be more useful if it could report how these companies got my data. I want to know who betrayed me.

The company might not have sold your info. They might have been hacked. There really isn't any way to know for sure FWICT.

I think he means why the other five, presumably legitimate, companies have his email address when he never signed up for them.

My guess is it may be someone like Facebook who used to share "your friends' data" with third-party companies. So one of your friends, who may have your email, allowed a third-party company to get that list of his contacts (including your email) via the Facebook API (which at the time may have allowed this sort of sharing).

Even today, a ton of Android, and until more recently iOS, apps would collect your contact list, which means YOU shared your friends' phone numbers with some random app company. I imagine many of those friends would be pissed off at you for allowing their phone numbers to fall into the wrong hands, too, and now getting spammed all the time (if only they knew how the spam companies got their phone numbers to begin with).

Well, the legitimate companies could have been sold "leads" by other legitimate companies but the original source of the data could have been a hack.

And the only option left is to hunt the breach asking them one by one who's responsible. Use standard requests and beware of panicked personnel, especially if you bypass executives.

Or the info may have been transferred to a third party for "legitimate" reasons, and then "stolen" by an employee of said third party. From the second-hand stories I heard personally, this is a common practice with call centres subcontracted by Polish telcos.

Still, it doesn't matter. Whether the company sold the data or got it taken from them, they are still at fault.

So, I 100% agree with you and think a sentence in multi-page privacy policy is not informed consent.

Recently in the EU, the GDPR regulation brought in some strict measures on how consent is requested and how data is shared and managed. I was delighted when websites started sending me emails asking me for consent to market and share data.

However I am now seeing a bunch of websites doing the shady tactic of showing a full page pop-up on mobile site with all 30+ checkboxes pre-ticked allowing them full access of my data. Fuck such sites.

Those don't meet the required standard of "an unambiguous indication by clear affirmative action" according to the UK ICO's interpretation of GDPR:


"You cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or a blanket acceptance of your terms and conditions."

What kind of world do we live in where using a free service and agreeing to explicitly documented T&Cs doesn’t constitute acceptance?

“You provided a contract, and I agreed even though I chose not to read it (despite you providing it), and used the service, but I didn’t really mean to agree” is the most ridiculous cop-out, in my view.

> What kind of world do we live in where using a free service and agreeing to explicitly documented T&Cs doesn’t constitute acceptance?

A world where a clause doesn't become valid just because it's in a contract. That's why various jurisdictions rule void kinds of clauses, even in the US. This isn't a new concept.

Actually this is default law in the EU if you are a "customer" and the other party is not. All "surprising" clauses within a T&C document are void.

Firstly a Contract is a Meeting of Minds, the forty pages of small type in a PDF are nice, but it's laughable that you pretend you thought everybody read those before using your free service. And if they didn't read them, they clearly cannot agree with just every random term you threw in there and so it can't all be part of that meeting of minds, so there is not, in fact, a contract with people with those terms.

OK, so what _was_ agreed? Well, a court is going to decide what a _reasonable_ person thought they were getting into, and they'll use legislation (such as that from the GDPR) to help decide that. They'll also keep in mind a theory about relative power. You wrote these T&Cs, so the court is going to conclude that you should have taken that opportunity to add any terms you really cared about. On the other hand the _user_ wasn't able to edit the terms, so really anything they reasonably expected should probably be acceptable.

The GDPR says that you need to have the user explicitly opt in, they get to reasonably assume that's how it works, you can't change that in the text they didn't read.

You might think, "Aha, but I made them check a box saying they agree they read it". Too bad, that doesn't help for a very simple and pragmatic reason:

Judges are people too. When you explain this theory to a judge, who like other people has had to check loads of these stupid "I agree I have read a 400 page document before using this free service" boxes, they are going to look at you like you just said you think they're an idiot.

If you're thinking maybe you can try this on and see for yourself, you'll probably have to be your own lawyer. Certainly in the UK no competent lawyer will take that work. Years ago the UK passed a law banning certain contract terms in "short" residential leases (a "short" lease would be e.g. renting a house for a year). Immediately scumbag landlords wrote new contracts that said basically "I, the under-signed, agree to these terms even though they're not allowed" and then demanded their tenants sign the revised contract instead. Judges were not happy, and I pity the fool who first appeared in front of a judge trying to argue that this was somehow legal when it's obviously not.

If you're so sure your users want to explicitly agree to let you do this, make it a separate opt-in, like the regulation says. When, to your disappointment, they don't want to, that is a _learning opportunity_ for you. Take it.

> Firstly a Contract is a Meeting of Minds

Re: this, I'm still fascinated how a contract that both parties are not aware of the existence of is even allowed to be treated as a contract in the first place. In many cases like local software, when you accept the T&C, the other party has no idea this happened in the first place, so they can't even claim to have a contract with you. That you can have a contract with "informed" consent from a party (and interestingly this is regarding the other party, not you the consumer) that has no information about the contract's existence just blows my mind.

Search for "Carlill v Carbolic Smoke Ball Company" [Carbolic Smoke Balls were advertised as a cure for influenza in the 19th century, you may intuit from the fact that we still don't know how to cure influenza per se that they did not work]. An English Court decided that you can make an offer that you've defined in such a way that you won't receive notice of acceptance, and since /you/ made the offer it's your problem. For Mrs Carlill this meant that buying the product, using it as directed in the advert and then not getting better meant she was now owed £100 (which was a large sum of money in the 19th century) by the advertiser even though they had no idea she'd taken their advertising "reward" literally until she showed up demanding her money.

Probably some other mechanism could have been conjured but in our world this decision means contract law is used to manage situations where two parties would clearly benefit by cutting a deal, yet they never meet. Consider a typical car park. You drive into a sign-posted lot, park your car, and leave. Should we require the owner to have staff present to agree a deal with each user? No, it is enough to post signs explaining the general situation, e.g. "£1 per hour or part hour. Pay at machine. Car Park locked at sunset". A court will look at a situation and imply into existence any more detailed terms needed to handle the case in front of them. Is the car park owner liable for damage caused by stampeding elephants? How about if part of the car park itself falls onto a car? If the machine is broken can you still park? What if some scumbag puts an "out of order" notice on it and collects the money?

The "Meeting of Minds" formulation works very nicely. Suppose I think I'm buying a steak dinner, and you think you're selling me a live cow, once the confusion is realised there was no meeting of minds, no contract is formed. We are both embarrassed and go on our way. In the ideal case, both parties understand clearly what they're agreeing, courts never need do anything whatsoever, a good lawyer's goal in creating written contracts is to ensure this is what happens because courts are expensive and uncertain.

I would recommend seeking out an introductory Contract Law (for non-lawyers) course if you're interested, or in any case if you do freelance work or deal with contracts. Just knowing what Offer and Acceptance are can avoid some nasty situations where you might otherwise need to hire a lawyer after the fact.

Interesting history! Thanks for the explanations. Regarding the woman being owed £100 or the parked car etc., I feel like in an ideal world that kind of thing should be easy to resolve 'correctly' without involving "contracts" at all (which in my mind should be defined more narrowly, more on that below) -- e.g., I (1) would have different requirements for enforcing things in the favor of the same party who wrote the terms rather than against them, and (2) feel you can resolve these situations by lumping them into other categories than contracts (if you could define contract law to accommodate this), like maybe "false advertising", "bet", "fraud", "sale"/"purchase", "unfair competition", etc.

The reason is that I feel a "contract" should be limited to conscious agreements on both sides -- and currently, we have contracts where neither is aware of both (one side doesn't know existence, other side either doesn't realize it's a contract or doesn't know all the terms), which is rather... nuts. Why do I think it should be limited to these situations? For a number of orthogonal reasons:

[1] Rules in a contracts are "open" sets rather than closed, so to speak. With something like false advertising, the rules are already set, and (at least in theory) their consequences have been brought up by various parties and taken into consideration by the government, and people just have to play by them. But with a "contract", you're letting arbitrary people make more or less arbitrary rules. Well, it seems natural that if you want to enter the rulemaking business -- society should have a reasonably high bar for that, since after all you intend to later be able to use the same society's government/legal system to enforce your more or less arbitrarily powerful terms against the other party. Requiring that all parties at least be consciously involved and aware of the rules really seems like the least you could do to demonstrate you should be making rules for someone else to play by.

[2] I think the traditional sit-down/signing/handshake is the image most people traditionally think of when they hear "contract", where both parties are aware of its existence and terms, (rather than, say, a parking lot or a ticket purchase). So treating it like this just makes the law reflect the reality that people would expect, which seems like a good thing on its own.

[3] There's an inherent power imbalance simply by virtue of the fact that, quite often, one side has to spend 1/#contracts'th the amount of resources per contract compared to the other, since once you write the contract for the first person then there's next to zero cost for everyone else -- and hence it encourages you to make the terms long and unfair, so that it's not worth it to the other side to challenge them. Really, I see it as something that should be practically a moral duty: if you want to have a fair "contract", with all the force of law behind it, you have to set both parties on equal footing, having humans involved on both sides and aware of everything is really the least both parties can do. It may seem radical... but can you just imagine if every company that wanted to put unfair terms in its contract had to have a representative explicitly tell the average Joe about this and have him consent to it explicitly (instead of just giving him N sheets of paper and having him sign in large blocks he obviously won't read)? People would get so upset and/or would have so much of their time wasted all the time, which introduces inherent friction and negative feedback into this route. It's just so much harder to spend 30 minutes explaining to someone that they have to sacrifice two arms and a leg if they buy your software than to just give them 10 sheets of paper to read while you move on to the next customer.

So these are why I'm not such a huge fan of lumping everything into the "contract" category... they often just seem wrong on so many of these levels.

Is your issue that it’s 40 pages? Is your issue the font size?

What are the criteria that make terms by which one accesses a service irrelevant? At what point does the service provider’s consent not matter?

Your last paragraph seems to assume I am a service provider. I am not. I just think that people should be bound to the things to which they explicitly agree.

Does the “user must scroll to the bottom of the terms and tick a box affirming that they read and have agreed” serve as sufficient consent in your book?

Courts _might_ decide that some terms are acceptable if they are particularly brought to the other party's attention. Bold type and larger fonts are one way to achieve that in a written contract that a court reasonably concludes you would/ should have actually read. Legislation sometimes explicitly requires that a term is highlighted this way.

You're just not going to sell a court on the theory that your free web service has a contract everybody is actually going to read -- so it won't matter how many pages or how large the typeface is.

People being "bound to the things to which they explicitly agree" is actually a problem for a reason I'll get to in a moment, but beyond that the problem for online services and other trivial contracts is that nobody really "explicitly agrees" to them, saying something doesn't make it so, or else all those things Jefferson claimed to be "self-evident" truths wouldn't require any effort to uphold.

Now, even when we actually _have_ agreement, not just somebody clicking OK to make the computer stop bugging them, we still run into a problem. Some terms are inherently prohibited in our society. You simply cannot agree to them even if you want to.

> The GDPR says that you need to have the user explicitly opt in,

No it doesn't.

One of the recent big breaches was from Apollo and when I searched for information on that, I found that they built their database from scraping the web.

> It pisses me off that my data was shared with third parties without my knowledge or consent

But you knew when you signed up to everywhere you've ever signed up that you were giving them uninformed consent to do whatever they want with your data and metadata, and you knew that they would do whatever they want, including not bothering to effectively protect your data.

And yet you signed up.

And so have I. But since this kind of thing has become front of mind the last few years, I sign up for very few to none services anymore. At signup, my first thought is "Is this service important enough to lose my money and identity for?" The answer is virtually always no.

If we stop signing up for stuff, stuff will improve or die. Both outcomes are equally good.

I checked my email address and it says my data was lost by verifications.io. I've never heard of that site before and going there didn't reveal any clues.

I googled the name and found a report [1] on the breach. They lost control of records on 2 billion email addresses.

[1]: https://www.forbes.com/sites/daveywinder/2019/03/10/2-billio...

It sounds like this was email addresses only, and they're very shady about how they acquired this information in the first place.

"The real question that the researchers and Troy Hunt, founder of Have I Been Pwned?, want to know is how Verifications.io got its hands on all of this information in the first place. The Estonian-based company has refused to respond to questions from different news outlets and has taken down its entire website as of March 4, 2019. " [1]


"Verifications.io ensures third-parties’ email marketing campaigns are being sent out to verified accounts, and not just fake emails. " [1]

[1]: https://www.idtheftcenter.org/763-million-records-exposed-in...

The premise of the company explains how they got the information. Marketing teams at hundreds of other companies sending over their lists to the site to see if some of their emails are fake.

I had similar with a website called Apollo. Story linked below[1].

Edit: Their opt out page and main site[2]. Notably, Firefox Developer Edition warned me and linked me to the main Firefox Monitor page, so it's something that's being built into Firefox.

[1] https://www.wired.com/story/apollo-breach-linkedin-salesforc...

[2] https://www.apollo.io/privacy-policy/

Interesting, thanks for linking the story. I also had the same experience with Apollo.

It's frustrating since I never signed up for their services, and I have no control over who my data is sold to... It's getting to the point where I just assume all my data is pwned, and change passwords frequently.

Seems like all the cold calling useless recruiters and sales people built up extensive databases on their clients via this company and then promptly let all that data leak.

I had the same, for all three emails I checked (primary, backup and day-job) -- and I'd never heard of it before either.

From your linked article: "This company validates bulk email lists for companies wanting to remove inactive addresses from newsletter mailouts."

What if the companies 'losing' data would be court ordered to pay a reasonable sum per lost record, lets say one Dollar, to a charity.

The outcome would have been the same. They went out of business a few days after the breach was announced.

I'm in that list as well, don't remember ever signing up for it.

Same here

I wonder how I can send them my GDPR request. Any ideas?

How does this relate to HaveIBeenPwned.com? Is it a separate effort? Does it have more data? Is it built on top of their data?

I've seen other services (like 1Password) just rely on HaveIBeenPwned because it's pretty solid – seems like it would be nice for the industry to coalesce around it and build these kinds of alerting features on top of it.

I'm pretty sure it's a partnership with HaveIBeenPwned: https://www.troyhunt.com/were-baking-have-i-been-pwned-into-...

> We're Baking Have I Been Pwned into Firefox and 1Password

> Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called "Firefox Monitor".

Great News! I looked for that on their site but may have missed it.

At the bottom of the results page:

Breach data provided by Have I Been Pwned

> Is it built on top of their data?


# How does Firefox Monitor know my information was hacked during a particular breach?

Firefox Monitor gets its data breach information from a publicly searchable source, Have I Been Pwned. If you don’t want your email address to show up in this database, visit the opt-out page.


When you submit your email after the breaches list there's this notice "Breach data provided by Have I Been Pwned", so I guess it's a joint effort.

Yes, exactly. It's on the bottom of every breach page too:

> Breach data provided by Have I Been Pwned

I love that it's a visually engaging and simple way of showing breaches. It's going to be a lot easier to share this with family, then get them on a password manager.

HaveIBeenPwned provides the same notification service.

So why is Mozilla running an email harvesting campaign?

Basically just a reskin.

I find spycloud a lot more useful as website tbh. They at least tell you explicitly which passwords were leaked.

How does the password matter though? Won’t it usually be some hashes anyway and if you are breached you should just change your password anyway.

Some bad guys (and it doesn't have to be many) specialise in taking credentials that were leaked (e.g. "bob@example.com has password Superman45") and trying them on every service they can to "crack" more accounts. This is called "Credential stuffing".

Since this can be heavily automated the returns don't need to be large. e.g. maybe you can spend $100 and crack 5000 accounts with a new site that's suddenly hot, you sell one of them with a cool name to some Russian wannabe-star for $50 and the rest to spammers for 10¢ each (you don't care why spammers want stolen accounts, trust me they do though), you just made $450 for almost no effort.

If you use unique passwords everywhere, you don't need to care very much. But most people do not do this. If you _mostly_ use unique passwords, but er, actually your Twitter, a PHP forum you used back in 2010 and your iTunes account all have the same password, when that PHP forum gets hacked credential stuffing means your Twitter and iTunes will soon be raided.

If the site used a _good_ hash, it buys you time in proportion to a combination of how good your password was (how much entropy) and how good the hash was (how expensive hash trials are, multiplied by how much salt was used). If your password was "pass1234" then no matter how great a hash was used, I can guess it was "pass1234" and be correct instantly. If your password was 24 random alphanumerics then even a crap hash like MD5(password) is safe.

And if you use 2FA, then it raises the cost of compromising your account to that of a targeted phishing attack at worst. That's an entirely different threat model.

Love that site... current authentication manager I'm looking at will use their api for breach checking with the set/change password options.

Apparently MyFitnessPal had their data breached, and my email address/password was in it.

Checking my emails, I can't see anything from them about this. Loads of the usual marketing crap, but nothing about a breach.

Not cool!

Same, for me it was them and Apollo. I can't find anything about either of them in my mail, but both claim to have notified their customers. That's very suspicious. I don't delete anything... Perhaps it found its way into my spam and got auto-deleted (entirely possible with Apollo, seems very unlikely with MFP).

I got a notification from Myfitnesspal titled "Important Message Regarding MyFitnessPal Account Security", so they at least sent out some.

Also got mine leaked from FitnessPal and Apollo and them only. No idea what Apollo is or how they got my stuff. Any idea what it is?

A link to each service's website would be awesome in the breach report on FireFox Monitor.

Had the same. Seems Apollo is https://www.apollo.io - you were probably entered as a sales lead.

I found the email:

    From: "MyFitnessPal" <donotreply@mfp.underarmour.com>  
    To: [me]  
    Subject: Important Message Regarding MyFitnessPal Account Security  
    Date: Thu, 29 Mar 2018 18:18:57 -0600

Disclaimer: Firefox Monitor dev here.

Note: We just released a "V2" of the site that allows you to add multiple email addresses to monitor, and (then) to have all your breach alerts sent to your single primary email address.

Oh the irony if my email becomes breached for using Mozilla's service.

In all seriousness I have faith in you guys for the most part (storing my bookmarks and sharing the browsing sessions across browsers).

The sync data is said to be locally en/de-crypted. The same couldn't be true of the monitored addresses - a hash might be possible but then the alert wouldn't be certain merely probable and couldn't be reasonably sent.

Nice work! Small suggestion -- it would be nice to be able to to have the notification sent to the breached email and the primary email

Would it be possible to handle email addresses with the + trick?

E.g. you can supply your email address as foo+bar@<domain> and mail sent to that address will be routed to foo@<domain> by some providers like gmail and protonmail.

But then that means enumerating every + address you use (I almost exclusively do this).

Thoughts? I know this came up in a HIBP forum and I think Troy Hunt took the position of too much work for 0.1% of users, many of whom are likely technical enough to use a password manager and do this enumeration if they wanted.

UI/UX complaint: on some breaches for one of my e-mails, I see entries saying "Compromised data: passwords". It's only slightly useful and makes me spend time searching and reading the details. "Plaintext passwords" != "Unsalted password hashes" != "Salted password hashes". The qualifiers here would be immensely useful.

Also, what's with the cards here? I can't select any of the text on them.

Are there plans to monitor an entire custom domain?

Just use the site where Firefox is getting their data from, they have a domain feature: https://haveibeenpwned.com/DomainSearch

I would love this as well. I use website-im-on@mydomain.com for every login. Being able to monitor my entire custom domain would be great. I assume it would require some sort of DNS verification or something.

Does the email detector ignore dots in Gmail addresses?

I was able to add my first.m.last@gmail.com and firstmlast@gmail.com as separate emails.

I know that might complicate your detection system, it just might miss some breaches for people who use both.
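As an added example (not code from Firefox Monitor or Have I Been Pwned), here is one way to handle both the plus-tag question raised above and the Gmail-dots question in this comment: canonicalise each address before matching it against breach records, so a single monitored mailbox covers all of its variants. The provider sets are constructed, partial lists and are an assumption about provider behaviour; the breach records are constructed too.

```python
"""Canonicalise e-mail addresses before matching them against breach data,
so that plus-tagged and dotted variants of one mailbox match the same records.

Added example, not code from Firefox Monitor or Have I Been Pwned.
The provider sets below are constructed, partial lists (an assumption);
real routing rules have to be confirmed per provider.
"""

# Providers that route local+tag@domain to local@domain (constructed, partial).
PLUS_TAGGING = {"gmail.com", "googlemail.com", "protonmail.com", "outlook.com"}

# Providers that ignore dots in the local part (constructed, partial).
# Most providers do NOT do this, so dots are only stripped for these.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}


def canonicalize(address: str) -> str:
    """Return the mailbox address that all variants of `address` deliver to.

    Unknown domains are only case-folded: stripping a '+tag' or dots there
    could merge two genuinely different mailboxes.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = addr.split("@")
    if domain in PLUS_TAGGING:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def build_index(records):
    """Map canonical address -> set of breach names, from (address, breach) pairs."""
    index = {}
    for address, breach in records:
        index.setdefault(canonicalize(address), set()).add(breach)
    return index


def find_breaches(address: str, index) -> set:
    """All breaches a monitored address appears in, whichever variant was leaked."""
    return index.get(canonicalize(address), set())


# Constructed sample leak records; the breach names are placeholders.
SAMPLE_RECORDS = [
    ("First.M.Last@gmail.com", "breach-a"),
    ("firstmlast+shop@gmail.com", "breach-b"),
    ("alice+forum@example.org", "breach-c"),
]

if __name__ == "__main__":
    index = build_index(SAMPLE_RECORDS)
    print(find_breaches("firstmlast@gmail.com", index))  # both Gmail variants match
    print(find_breaches("alice@example.org", index))     # unknown domain: no match
```

The trade-off is visible in the last call: for a domain whose routing rules are not known, the tag is kept, because collapsing it would report someone else's breaches to you. Note also that canonicalising throws away the very thing the per-site tag was created for (knowing which site leaked), so a monitoring service would want to keep the original leaked address alongside the canonical key.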

Is there a place to report bugs?

If not: I added an email address to monitor, and the verification email said:

> We sent this message to $userEmail because the email address opted into alerts from Firefox Monitor.

Note the `$userEmail`.

Just signed up, and it sends breach notifications to individual emails, not the main one...

Still, great job!

Your initial report emails will always go to the affected email addresses.

But future breach alerts will be sent to the Primary address. (If you select that in your preferences.)

Ah, OK. I expected that if I add a new address when already having the preference set for sending notices to the main one, they would go to the main one.

Looks nice, thanks. Why do I need a Firefox account to monitor my email?

Are there any plans of including Monitor directly into the browser?

Mozilla and Apple, lately, are the only companies I trust my data to. Nice to see more from both.

I find it difficult to trust Apple for security considering their morally bankrupt behaviour in the rest of their business. They have proven their sole principle is monetary, so I find it difficult to perceive their recent claim to care about user security as anything beyond opportunism.

I can’t think of a big tech device company that’s any less driven by money than apple. What makes them so unique, in your mind? In my experience I’ve had less unwanted tracking and advertising, and better support compared to other phone and laptop manufacturers I used to buy from.

Not everything needs to be a "big tech company", but you are right big tech companies are quite similar in this respect. At critical mass capitalism seems to cause companies to lose their driving principles that made them unique - their behaviour becomes more of a mindless ecology driven solely by money.

Now look at Mozilla, it's a non-profit, look at everything it does, they have never lost their principles. They will never reach the scale of Apple, Google or Microsoft, and that's a good thing.

> What makes them so unique, in your mind?

Beyond the negatives that come at their scale, Apple are doing some systematically deceitful things directly to customers that make them stand out from other companies ([edit] talking about their attitude towards customers with defective hardware). If they think that little of individual customers, how could they possibly care about an individuals privacy?

> Now look at Mozilla, it's a non-profit, look at everything it does, they have never lost their principles.

I take issue with this. Mozilla has a corporate arm and they're the ones in control of Firefox marketing and development. Take for example the fact that they were (most likely) paid to install an extension to advertise a TV show.

Apple has yet to display any ads to me on my Mac, unlike Microsoft in Windows. I think your criticisms are well intended, but your conclusions are way off.

That's just for legal reasons. Profits from the Corporation are put in to the Foundation. There are no shareholders making money.

Mozilla weren't paid for Mr Robot. Their finances are made public.


> It owns a taxable subsidiary: the Mozilla Corporation [...] The subsidiary is 100% owned by the parent, and therefore follows the same non-profit principles

The downvotes might be because you responded to a request for more detail with:

> I don't think I need to explain what those are...

Why don't you humor us and give some examples anyways?


This is just one example. In general when Apple hardware fails from any kind of defect, one of two things happens:

1. They blame the customer and suggest replacing large portions of the computer (unnecessarily) at such a high cost as to justify recommending buying a new machine.

2. In the rare cases they have been publicly pressured into admitting fault, they will replace parts with newer parts with the same defect and repeat this cycle until out of warranty or the customer just gives up.

For the cases where the user is to blame for damage, #1 is also applied, this would not be such an issue if Apple wasn't also lobbying against independent repair shops and seizing their parts under false claims of trademark violations.

They are deceitful... there is no way around it.

I didn't downvote, but yeah, not sure what the poster is getting on about.

Personally, I think Apple is significantly different than the other company with respect to customer data, etc.

Apple Pay, iOS vault, etc., come to mind.

A large chunk of their marketing nowadays is around privacy and it looks like it's more and more in their priorities, and Apple is a company that has historically loved suckling at their customers' sweet wallety nectar.

So yeah even if they're driven by money, their best interest is aligned with their customers'- living up to the promise that your data is yours with them.

The other thing is that there seems to be a better chance at being private with a company that does not start its promise by telling they want to know everything about you and "index the world"

Yup. They're in privacy because their biggest competitor is Android and this is their best angle. Tech advancements for phones are ho-hum at this point, so this is how they compete with carrier-based incentives for android phones on upgrade.

That's all fine and good, but privacy is a float, not a bool, and let's not assume Apple's going to go any further than they have to. They won't ever ask their users to do something inconvenient to get better privacy. They're not discussing specific threat models that they're trying to protect their users against. Just features that they support in specific use cases.

Which may sound like a hollow problem, but it leaves each user to deal with understanding all the threats they're under and what measures they should take. That's fertile ground for an adaptive adversary to work with.


I’m not the person you responded to, but I found your comment needlessly inflammatory. In regards to privacy, they aren’t brilliant, but they are probably the best of a bad bunch for most users. Chrome is very anti privacy, as is Edge. Android is anti privacy. By eliminating 90% of the market in this way, it’s fair to say the only remaining big players in either field are better for privacy than the standard.

It would be helpful to include a link to the services somewhere. I only figured out this was for apollo.io because of a comment on HN: https://monitor.firefox.com/breach-details/Apollo

I agree, it would be helpful. At least Firefox Monitor does give you a way to find more details, by linking to https://www.haveibeenpwned.com/. If you click from that page to https://haveibeenpwned.com/PwnedWebsites and search the page for a company name, you will find more details about it.

Have I been pwned prompted me to abandon my old addresses and switch to a provider that allows trash mails and email aliases.

Originally my address was breached by Dropbox and Kickstarter.

It took me many months to switch over, as I did not have a complete list of all services I had registered with.

So for many average people switching email addresses is often a very difficult task, so people keep them even in light of breaches.

More important for the average user is to have a good password management system and know whether a certain password has been hacked.

There are just so many problems.

Traditional authentication methods have failed us. I'm still waiting for a reasonable alternative, but the best we've come up with are things like 2FA and magic links?

Companies insist on sucking as much data out of their users as possible. What are your options? Hand over your personal information and give hackers a reason to attack your favorite services? Create a million different phone numbers, burner addresses, and fake personas? How exhausting.

Then there's the problem of treating data like SSNs, phone numbers, and legal names as private. These things could be public if central authorities could do their jobs correctly, but we've shifted the blame of e.g. "identity theft" to the end user who ultimately has no control over this stuff.

Further, official ID/passport/etc. scans are required of so many transactions and I guarantee my slumlord does not follow good security practices so what can I do other than sit like a duck? Monitors like this are a noble effort, and I'll definitely use them, but it sucks that it's come to this.

If it's using the haveibeenpwned service then why does it say my email has been found in fewer data breaches compared to the number on the haveibeenpwned site (11 vs 14)?

By default we don't show:

* Sensitive Breaches
* "Retired" Breaches
* Spam Lists
* Fabricated Breaches
* non-Verified Breaches


Apollo whom I've never had any dealings with whatsoever have compromised my details. Absolutely fucking outrageous.

Same here, I never heard of Apollo and I have 0 emails from them in my email account. Yet it looks like they leaked both email address and (and this sucks a lot) phone number.

Looks like this doesn't include another feature of HaveIBeenPwned. Its cracked password hash database. If you trust their JavaScript, you can type in your passwords and see if they are on the list. If you're a little more paranoid you can download the hashes and do your own search.

Since this service appears to be deliberately aimed at non-tech-savvy users, I get the impression that Mozilla is trying to not normalize the practice of submitting your passwords to third-party websites. It also nimbly sidesteps any questions of "why should I trust firefox.com with my password"; you don't need to, because you're not giving it to them.

Disclaimer: Monitor dev here ...

Watch this space: https://github.com/mozilla/blurts-addon/issues/142


That repo is archived and read-only though. Is it still being actively developed elsewhere?

Well with the API it’s pretty easy to test your password. You just have to hash it, send the first 5 characters and it returns the list of the hashes starting with those 5 characters.

You then just check.

It's easy if you know what you're doing. I don't think my mother could do this.

You are completely right, but I was answering to parent post.

I don’t think your mother, or mine, can ask herself this question of trusting the JavaScript or not :-)

Mozilla have a password saving app, not checked but I wouldn't be surprised if that is a feature and may have inspired this collaboration.

I bought extended car warranty from a company and they subsequently exposed my VIN, name and email on a publicly shared DB by accident, and it's still up. I don't want to report this to them directly. Anyone know if I can report this to Firefox Monitor somehow?

Send it to Troy Hunt: https://www.troyhunt.com/contact/

He's behind Have I Been Pwned, and Firefox Monitor is an alternative interface for it. I believe he verifies the breaches by contacting a few people in a new breach that have already signed up for HIBP notifications.

So basically if I put somebody's email address I could know the sites they have logged in in the past?

And then I can use the leak and get access to their account? Shouldn't this information be mailed to the email address queried rather than displaying upfront

It’s already publicly available in the dumps Mozilla are searching on your behalf. They’re only making a front end to already public info.

As topranks mentioned, all this data is already available and anyone could download it.

However, in most leaks, you can't just use the information as the passwords are (hopefully) hashed/salted. That said, it is trivial to crack md5 if passwords are stored using that method.

Also, not all leaks contain passwords, some might just be lists of email addresses or other information.

This is about making it easier to attack a particular person, but a privacy concern. Breaks the anonymity on the internet.

The companies that were responsible for the data in the first place are ones to blame for breaking "the anonymity on internet".

Anything that anyone does after the fact is moot.

This is a fair point and it has to be weighed against the value of the data to the individual. I generally feel they have struck the correct balance but if you think different approach is warranted you should explain it and why it better balances these different needs.

I don't understand what the point of this is. HaveIBeenPwned exists, they acknowledge (and use) their service, and offer the same exact services as they do. What's the point? It's just a reskin.

So, an email address I use for messaging only has appeared in an "Apollo" breach. It's nice to have your data floated around by some dick companies that specialise in "sales intelligence".


Sometimes I wonder if it would be easier if we just start anew. I can't go back and change every single password with that email address that I didn't use KeyChain before.

Isn't this the same as https://haveibeenpwned.com/?

Yes, that's their data source.

Tried my email address. Only leak was due to Warframe (which I've played a total of 15 minutes of back in 2014). Tried my parents email accounts and both had zero breaches. I know for a fact my mother's email account has been in at least one data breach so I'm questioning the comprehensiveness of this tool.

Out of curiosity, is there a list somewhere of utilities like this that are run by Mozilla/Firefox? I don't think I would've heard about Monitor or Lockwise if I hadn't been on here when someone had posted it, so I'm curious if there are other useful services by them that I have missed.

Not sure if there's a full list anywhere, but Firefox Send is another nice one

If you really want to avoid this, use a different email address for every service you sign up for. Here’s something I made earlier that helps with this: https://idbloc.co

Does this have an API? I would pay a nominal amount to have this tied to my 1password DB to crosscheck all the emails I use. Since I use a different email for each site, I'd like this automated.

Also do you think this is the same value as LifeLock?

The footer of the results list says “Breach data provided by Have I Been Pwned” and it looks like Have I Been Pwned has an API here https://haveibeenpwned.com/API/v2.

I personally don’t see a benefit to Firefox Monitor, aside from a new channel of exposure and branding for Firefox, if they are providing the same data Have I Been Pwned is.

Trust. Mozilla is a relatively well-known trustworthy entity. "Have I been Pwned" sounds like some shady website that will steal your data. I've certainly never heard of it before, and Random Randy definitely won't have.

1password already is integrated with Have I Been Pwned, which sounds like the same dataset that this is using. I believe it's exposed via Watchtower in the app. (https://1password.com/haveibeenpwned/)

would be a lot more helpful if it clarified if it's hashed passwords or plaintext, also if they were hashed with a site-wide salt or per-user salt.

imo, this distinction is too important to be omitted from a short summary.

Why is it important? In either case, the correct course of action is to treat the password as insecure.
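An added example (constructed, not code from anyone in this thread) of why the qualifier asked for in the comment above matters, and of the earlier point in the thread about password entropy versus hash strength: the same leak costs an attacker very different amounts of work depending on whether it held plaintext, unsalted hashes or per-user salted hashes, and a long random password survives even a weak hash. MD5 stands in for the "crap hash"; the users, passwords and wordlist are made up. A single site-wide salt behaves like the unsalted case for everyone on that site, since one table built with that salt still cracks all of its accounts at once.

```python
"""What 'Compromised data: passwords' can mean in practice: plaintext,
unsalted hashes and per-user salted hashes cost an attacker very different
amounts of work, and a high-entropy password survives even a weak hash.

Added example; the users, passwords and wordlist are constructed.
MD5 stands in for the weak hash in the discussion above.
"""

import hashlib
import os

# Constructed wordlist an attacker would try first.
WORDLIST = ["123456", "password", "pass1234", "Superman45", "letmein", "qwerty"]

# Constructed accounts; 'dave' has a 24-character random alphanumeric password.
CREDENTIALS = {
    "alice": "pass1234",
    "bob": "pass1234",
    "carol": "Superman45",
    "dave": "q7ZxP2mW9kLtR4vB8nJ3hY6s",
}


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def leak_unsalted(creds):
    """user -> md5(password); equal passwords give equal hashes."""
    return {u: md5_hex(p) for u, p in creds.items()}


def leak_salted(creds):
    """user -> (salt, md5(salt + password)) with a fresh per-user salt."""
    out = {}
    for u, p in creds.items():
        salt = os.urandom(8).hex()
        out[u] = (salt, md5_hex(salt + p))
    return out


def crack_unsalted(hashes, wordlist):
    """One table built once serves every account: cost is len(wordlist) hashes."""
    table = {md5_hex(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in hashes.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(records, wordlist):
    """The per-user salt forces the wordlist to be rehashed for every account."""
    cracked, trials = {}, 0
    for u, (salt, h) in records.items():
        for w in wordlist:
            trials += 1
            if md5_hex(salt + w) == h:
                cracked[u] = w
                break
    return cracked, trials


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Brute-force time for a random password that no wordlist will contain."""
    return charset_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    unsalted = leak_unsalted(CREDENTIALS)
    print(unsalted["alice"] == unsalted["bob"])              # True: same password, same hash
    print(crack_unsalted(unsalted, WORDLIST))                # 3 accounts cracked in 6 hashes
    print(crack_salted(leak_salted(CREDENTIALS), WORDLIST))  # 3 accounts cracked in 16 hashes
    print(years_to_exhaust(62, 24, 1e11))                    # ~3e24 years at 1e11 MD5/s
    print(years_to_exhaust(36, 8, 1e11))                     # well under a minute
```

Two things to read off the output: with unsalted hashes every account sharing a password falls together and the whole dump is cracked in one pass, whereas a per-user salt multiplies the attacker's work by the number of accounts (and a slow hash such as bcrypt multiplies it again per trial). Neither helps "pass1234"; both are irrelevant for dave, whose password is simply not in any list and is out of brute-force reach at any realistic rate. Which of those situations you are in is exactly what "Compromised data: passwords" does not tell you.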

Looks like Mozilla is starting to break out again, and it seems they're making the most of it with recent headlines.

I say they should capitalize on it with the ultimate announcement. Bring back Firefox OS!

31 breaches on my Gmail account that I've had for close to 15 years.

I'm actually surprised it's not more given how many sites/forums/services I've shared this with over the years.

That's only the big ones you know about; it's safe to say there have been many many more smaller ones; especially if the site was small or desperate enough to consider a coverup.

It looks like they don't have the Onliner Spambot database, as my email is not flagged but when I look at the haveibeenpwned website it flags for this spam list.

This is basically a frontend for haveibeenpwned. Creating it cost Mozilla money. Why did they do this instead of linking directly to the original page?

Because the Mozilla brand is more trusted than a random website with ‘Pwned’ in its name. Also, it's being built into Firefox so having a website for it too seems like a good idea.

Well the have I been pwned website is also pretty trusted and is integrated into 1password. I don't know why Firefox wouldn't just integrate it into the browser like 1password did with their password manager. Would make more sense than just being a different front end to an existing site.

Pwned is not a standard english word. The vast majority of non-tech non-gamer non-under 40s are unfamiliar with this word but are familiar with firefox.

You think people of that age are familiar with what a "Fire fox" is? With all the people I've helped most don't even know a browser outside of the default on their system.

Yea that's what I noticed. Do they use any additional sources at least?

I really wish Firefox would focus, and I don't mean Firefox Focus. If they focused on making it simple, fast, and reliable, it would have a much better shot at taking market share from Chrome. On top of that, I wish everything on top of a browser was truly optional - that they didn't have reminders of sync spread throughout the app, and that they didn't have a Pocket button in the toolbar unless I logged in with Pocket.

"Find out what hackers already know about you." unnecessarily grinds my gears, as a hacker (programmer) who wants Firefox to succeed.

> If they focused on making it simple, fast, and reliable, it would have a much better shot at taking market share from Chrome.

imho, they've already achieved this and have a great browser that's at least comparably-competent against Chrome.

The battle Mozilla has with Firefox isn't in improving its tech specs, it's in winning over hearts and minds, and that's a complicated, somewhat costly game.

(I say this as a long-term Firefox user who encourages it with all my friends and family)

There are only four major browsers, so it isn't about being a great browser.

Many try to switch and then some scandal happens, or it just seems as cluttered as any other browser, and they give up. I think the people who think Firefox Monitor is a good idea are probably the ones who thought the Mr. Robot promo was a good idea.

A good browser should stay out of the way. Chrome did for a long time. Having a "Save to Pocket" button in my toolbar is intrusive.

Browsers have tons of features; you don't need to use the ones you don't care for.

It's trivial to remove the pocket button - right-click and select "remove from address bar".

If I might ask - how is a "save to pocket" intrusive? This isn't like any of the billions of social media buttons you'll come across on the web; it's not a tracker or anything (and if you do click it, you're going to need to make an account first; and it's only going to save what you ask it explicitly to save).

It's intrusive because it takes up space on my screen, and because it's completely useless without a Pocket account. Thanks for the tip about removing it from my address bar. Done. It still shows up second in the dot menu, but it's an improvement. I'd rather it were an extension that was installed by default that I could uninstall.

It's also trivial to keep using Chrome and that's what the vast majority of users are going to do.

Mozilla's promotions on HN/reddit won't amount to much.

Perhaps this is their focus. Not FF monitor, but privacy. Going up against/with Apple as a privacy-conscious alternative to Chrome etc. From that viewpoint, this is in line with that.

It's currently taking away from it being a good browser. When I go to a new site I get this atrocious animation: https://superuser.com/questions/1438488/disable-firefox-cont...

You may find your priorities as to what constitutes a good browser are not universal. Having a content blocker may be more important to many people than a tiny animation most people will barely notice. And... if you're not immediately used to a content blocker it's not a crazy idea to have something that actively draws a tiny bit of attention to the fact that something altered the page you saw, because content blockers do sometimes break pages, and thus users need to be able to find a way to disable it, certainly while the feature is still fairly new.

I think it's fair to say that you're never going to find a set of features and UI that have universal appeal, but if the UI really distracts you even after the first few times (I honestly don't notice it anymore), you could suggest a feature that allows disabling the icon or at least turning off the animation. Sounds like a reasonable request to me at least...

Just because people don't notice the animation doesn't mean they aren't affected by it. The smallest distractions can cause a loss in focus. A web browser is a tool I use for work, and it isn't just about what I want, it's about what I need.

My data was leaked in Verifications.io's breach and I don't think I have even heard of this company...

This is fantastic work, and sets the problem out with high resolution and clear contrast.

Pity the stand costs so much.

I was on 8fit, a fitness app. Was never notified of any breach. Lame.

Oh damn, I thought, based on the name, that this would be a better firefox task manager .. you know, one that actually functions. Nope.

Are they doing anything with the email addresses beyond checking they appear in breach databases? Are they anonymizing things, for example using some kind of one-way hash to match email addresses? Is it GDPR-compliant? There is no clear explanation of how they're processing that data, as there should be, as email addresses are personal information.

sergey@google.com in 7 breaches
larry@google.com in 14 breaches

Mozilla really wants your information these days :(

How do you mean? All they are collecting is your email, and the whole point is to show you that your email (and much more) is already in the wild

This is a useful service that can help improve security for a lot of people. If you don't want to use it, fine, ... don't use it.

"This email appeared in 17 known data breaches."

How does this help at all? What can I do about it? Some of the breaches are years old...

First, if you know you've reused a password on one of the services listed, then you know to go change that password everywhere. Everyone should be using unique passwords and a password manager, but some of these breaches are so old they're before that was a commonly-used practice.

Second, you can look into each incident to see what exactly was breached -- personal information, payment info, and so on. It's good information to know.

Change all your passwords with randomly generated passwords.

