Mozilla is now offering the ability to check if Firefox users have been the victim of data breaches through the new Firefox Monitor service. The service uses the dataset of the popular website Have I Been Pwned? (HIBP), which collects and analyzes the database dumps disseminated in the darker corners of the internet. From this dataset, both users of HIBP and Mozilla’s Firefox Monitor service are able to sign up for email alerts to be notified if their email address appears in future dumps.
Have I Been Pwned was created by Australian security researcher Troy Hunt in December 2013, and has since amassed 2 million subscribers to the email notification service. However, Hunt admitted in a blog post that this is “only a tiny, tiny drop in the ocean,” which is “barely scratching the surface.” In the interest of fostering wider awareness of good password and security hygiene, the website offers a freely accessible API to integrate information derived from HIBP into other services.
These include the Breach Alerts feature in Firefox, first covered by TechRepublic’s Conner Forrest last November, which highlights whether a visited website was previously involved in a data breach.
At the time, the Firefox Monitor service was in development. In his post about the service, Hunt noted that “Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream,” adding that “I’m really happy to see Firefox integrating with HIBP in this fashion, not just to get it in front of as many people as possible, but because I have a great deal of respect for their contributions to the technology community.”
Firefox’s new service also takes measures to avoid disclosing to HIBP which email addresses are being searched. It uses a model originally developed by Junade Ali for password lookups: rather than sending the full value, the client sends only a prefix of its hash. Hunt explains the model in this blog post about the Firefox integration:
When searching HIBP for a password, the client SHA-1 hashes it then takes the first 5 characters and sends this to the API. In response, a collection of hashes is returned that match that prefix (477 on average). By looking at the hash prefix sent to the service, I have no idea what the password is. It could be any one of those 477 or it could be something totally different, I don’t know. Of course, I could always speculate based on the prevalence of each password but it would never be anything more than that – speculation.
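The following is an added example, written for this article and not code from Mozilla, Firefox Monitor or HIBP. It implements the range-lookup model Hunt describes: the client SHA-1 hashes the secret, sends only the first 5 hex characters, and the server answers with every hash suffix it holds under that prefix together with a breach count. The breach corpus, the server index and the `SUFFIX:COUNT` response lines are all constructed stand-ins so the script runs offline; the real service is not contacted. The wrapper around the server call records what the server actually receives, which is the point of the scheme.

```python
import hashlib
from collections import Counter

# Constructed breach corpus: a stand-in for the HIBP dataset, not real data.
CONSTRUCTED_CORPUS = Counter({
    "password": 3_000_000,
    "123456": 20_000_000,
    "letmein": 250_000,
    "correct horse battery staple": 2,
})

HEX_DIGITS = set("0123456789ABCDEF")
PREFIX_LEN = 5  # the quote above: "the first 5 characters"


def sha1_hex(secret: str) -> str:
    """Client-side hash: upper-case hex SHA-1 of the UTF-8 encoded secret."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Counter) -> dict:
    """Server side: bucket every breached hash by its 5-char prefix.

    Returns {prefix: {suffix: count}} so a range query is a single lookup.
    """
    index: dict = {}
    for secret, count in corpus.items():
        digest = sha1_hex(secret)
        index.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = count
    return index


def range_response(index: dict, prefix: str) -> str:
    """Server side: answer a range query with 'SUFFIX:COUNT' lines.

    The server validates the prefix and returns the whole bucket; it never
    learns which (if any) of the returned suffixes the client cares about.
    """
    if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
        raise ValueError(f"prefix must be exactly {PREFIX_LEN} hex characters")
    bucket = index.get(prefix, {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def client_lookup(secret: str, fetch_range) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns the breach count for the secret, or 0 if it is not in the corpus.
    fetch_range(prefix) -> str is whatever transport delivers the server reply.
    """
    digest = sha1_hex(secret)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def demo(secrets) -> dict:
    """Run lookups against the constructed server and report what it observed."""
    index = build_range_index(CONSTRUCTED_CORPUS)
    observed = []  # everything the server sees about the client's queries

    def fetch(prefix: str) -> str:
        observed.append(prefix)
        return range_response(index, prefix)

    results = {s: client_lookup(s, fetch) for s in secrets}
    return {"results": results, "server_saw": observed}


if __name__ == "__main__":
    out = demo(["password", "correct horse battery staple", "not-in-corpus-x9"])
    for secret, count in out["results"].items():
        print(f"{secret!r}: seen {count} times")
    print("server only ever received:", out["server_saw"])
```

With a real-sized corpus each 5-character prefix covers hundreds of suffixes (477 on average, per the quote), so the prefix alone does not identify the secret; with this tiny constructed corpus most buckets hold a single entry, which is why the example should be read for the protocol shape rather than the anonymity set size. Firefox Monitor applies the same idea to email addresses.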
Mozilla’s announcement comes as part of a renewed emphasis on privacy following the launch of Firefox Quantum. Facing falling market share compared to Chrome, Mozilla has focused on performance improvements and security and privacy enhancements out-of-the-box.
Firefox now blocks cryptocurrency mining scripts by default, provides methods to block alert requests by default, and strips referrers when using Private Browsing mode. Mozilla also offers the Facebook Container extension, which prevents Facebook from tracking people around the web by isolating Facebook identities in a separate container from other browsing activity.
This increased attention to good security practices and hygiene can help enterprise IT departments that face resistance from users unaware of the risks of reusing the same password across multiple websites. While IT pros are likely aware of HIBP, the general public is less likely to know the service exists.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Mozilla is now offering the ability to check if Firefox users have been the victim of data breaches through the new Firefox Monitor service.
- Firefox’s new service also takes measures to not disclose which email addresses are being searched to HIBP by using hashing prefix comparisons.