How does this relate to HaveIBeenPwned.com? Is it a separate effort? Does it have more data? Is it built on top of their data?

I've seen other services (like 1Password) just rely on HaveIBeenPwned because it's pretty solid – seems like it would be nice for the industry to coalesce around it and build these kinds of alerting features on top of it.



I'm pretty sure it's a partnership with HaveIBeenPwned: https://www.troyhunt.com/were-baking-have-i-been-pwned-into-...

> We're Baking Have I Been Pwned into Firefox and 1Password

> Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called "Firefox Monitor".


Great News! I looked for that on their site but may have missed it.


At the bottom of the results page:

Breach data provided by Have I Been Pwned


> Is it built on top of their data?

Yes.

# How does Firefox Monitor know my information was hacked during a particular breach?

Firefox Monitor gets its data breach information from a publicly searchable source, Have I Been Pwned. If you don’t want your email address to show up in this database, visit the opt-out page.

https://support.mozilla.org/en-US/kb/firefox-monitor-faq


When you submit your email after the breaches list there's this notice "Breach data provided by Have I Been Pwned", so I guess it's a joint effort.


Yes, exactly. It's on the bottom of every breach page too:

> Breach data provided by Have I Been Pwned

I love that it's a visually engaging and simple way of showing breaches. It's going to be a lot easier to share this with family, then get them on a password manager.


HaveIBeenPwned provides the same notification service.

So why is Mozilla running an email harvesting campaign?


Basically just a reskin.


I find spycloud a lot more useful as website tbh. They at least tell you explicitly which passwords were leaked.


How does the password matter though? Won’t it usually be some hashes anyway? And if you are breached you should just change your password anyway.


Some bad guys (and it doesn't have to be many) specialise in taking credentials that were leaked (e.g. "bob@example.com has password Superman45") and trying them on every service they can to "crack" more accounts. This is called "Credential stuffing".

Since this can be heavily automated the returns don't need to be large. e.g. maybe you can spend $100 and crack 5000 accounts with a new site that's suddenly hot, you sell one of them with a cool name to some Russian wannabe-star for $50 and the rest to spammers for 10¢ each (you don't care why spammers want stolen accounts, trust me they do though), you just made $450 for almost no effort.

If you use unique passwords everywhere, you don't need to care very much. But most people do not do this. If you _mostly_ use unique passwords, but er, actually your Twitter, a PHP forum you used back in 2010 and your iTunes account all have the same password, when that PHP forum gets hacked credential stuffing means your Twitter and iTunes will soon be raided.

If the site used a _good_ hash, it buys you time in proportion to a combination of how good your password was (how much entropy) and how good the hash was (how expensive hash trials are, multiplied by how much salt was used). If your password was "pass1234" then no matter how great a hash was used, I can guess it was "pass1234" and be correct instantly. If your password was 24 random alphanumerics then even a crap hash like MD5(password) is safe.


And if you use 2FA, then it raises the cost of compromising your account to that of a targeted phishing attack at worst. That's an entirely different threat model.


Love that site... current authentication manager I'm looking at will use their api for breach checking with the set/change password options.
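The breach check that a password manager or login flow can run at set/change-password time, as discussed above, works by k-anonymity: the client hashes the candidate password, sends only the first five hex digits of the SHA-1 digest, and compares the returned suffixes locally, so the service never sees the full hash or the password. The following is an added example written for this thread, not Mozilla's, 1Password's or Have I Been Pwned's own code. It models the Pwned Passwords range protocol (the real endpoint is `https://api.pwnedpasswords.com/range/{prefix}`, returning `SUFFIX:COUNT` lines) against a stand-in server built from a constructed, fabricated leak list so that it runs offline; `FakeRangeServer`, `CONSTRUCTED_LEAKS` and the helper names are this example's own.

```python
"""
k-anonymity breach check for passwords, modelled on the Have I Been Pwned
"Pwned Passwords" range protocol. Added example; not HIBP's or Mozilla's code.

Client side: SHA-1 the candidate password, send only the first five hex digits
of the digest, and match the returned suffixes locally.

Server side here is a stand-in fed from a constructed leaked-password list so
the example runs offline; the real service returns the same line format
("SUFFIX:COUNT", upper-case hex, one entry per line).
"""
import hashlib
from typing import Callable, Dict, List

PREFIX_LEN = 5  # hex digits sent to the server: 20 bits of a 160-bit digest


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- constructed stand-in for a breach corpus; counts are made up ---
CONSTRUCTED_LEAKS: Dict[str, int] = {
    "pass1234": 12345,    # the thread's example of a password guessed instantly
    "Superman45": 3,      # the thread's credential-stuffing example
    "password": 999999,
}


class FakeRangeServer:
    """Stand-in for the range endpoint, indexed from CONSTRUCTED_LEAKS."""

    def __init__(self, leaks: Dict[str, int]) -> None:
        # Bucket hashes by prefix so a query only touches one bucket.
        self.buckets: Dict[str, List[str]] = {}
        for pw, count in leaks.items():
            digest = sha1_hex(pw)
            self.buckets.setdefault(digest[:PREFIX_LEN], []).append(
                f"{digest[PREFIX_LEN:]}:{count}"
            )
        # Record what the client actually sent, so the privacy property is checkable.
        self.queries: List[str] = []

    def range(self, prefix: str) -> str:
        """Return 'SUFFIX:COUNT' lines for every known hash under this prefix."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 upper-case hex digits")
        self.queries.append(prefix)
        # A count-0 entry mimics the API's optional response padding, which hides
        # how many real hashes share a prefix; clients must treat count 0 as unseen.
        lines = self.buckets.get(prefix, []) + ["0" * 35 + ":0"]
        return "\n".join(lines)


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """
    How many times `password` appears in the corpus, or 0 if unseen.
    Only the 5-hex-digit prefix leaves this function; the suffix match is local.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix and int(count) > 0:
            return int(count)
    return 0


def accept_new_password(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy for a set/change-password flow: refuse anything seen in a breach."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    server = FakeRangeServer(CONSTRUCTED_LEAKS)
    for candidate in ("pass1234", "Superman45", "kq7-Vm2x-unseen-example"):
        seen = breach_count(candidate, server.range)
        verdict = "reject" if seen else "accept"
        print(f"{candidate!r}: seen {seen} times -> {verdict}")
    print("prefixes the server saw:", server.queries)
```

Note that the client only ever transmits the prefix, so the server sees one of 2^20 buckets and cannot tell which of the hashes in that bucket (if any) the user holds. The same `breach_count` function can be pointed at the real endpoint by supplying a `fetch_range` that performs the HTTPS GET; nothing else changes.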



