Authentication and the Have I Been Pwned API

209 points, by Rels, almost 6 years ago

20 comments

zaroth, almost 6 years ago

All this seems to be hinting more than ever, that the time to provide these results directly and exclusively to the email address being queried is approaching.

Why is this API being abused? Because it provides valuable information—which took a significant amount of effort to curate—about an email address.

The list of services which have lost my (hashed or not) password at some point ever in the past eventually turns into a list of every service I've ever subscribed to.

Whether or not it's possible to scrape that information together, is it really something that should be available to pull over an API for a million emails a month?

Note this is very different information than the password breach count, which gives you an approximate count of how many times a given password has been breached, and works as a proxy for password strength without disclosing any PII.
theandrewbailey, almost 6 years ago

> Making an authenticated call is a piece of cake, you just add an hibp-api-key header as follows:
>
> GET https://haveibeenpwned.com/api/v3/breachedaccount/test@example.com
>
> hibp-api-key: [your key]

Wouldn't the standard Authorization: Bearer <key> header be more compliant?
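An added example, not code from the post or from HIBP itself: a small Go client that sends the hibp-api-key header exactly as the quoted documentation describes, paired with a constructed mock server that stands in for the real endpoint. The header name and the v3 path are the documented ones; the mock's replies mirror the documented v3 status codes (403 without a User-Agent, 401 on a bad key, 404 for an address with no breaches, 429 with a Retry-After header when a caller exceeds its limit), but the key, the per-key limit and the JSON payload are invented for the demonstration. The header name sits in one constant, so moving to a different convention such as Authorization: Bearer would be a one-line client change; what matters for a defender is that the key travels in a header, never in the URL, and that a 429 is honoured rather than retried blindly.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// HIBP v3 authenticates with a custom request header (documented name below)
// rather than "Authorization: Bearer".
const apiKeyHeader = "hibp-api-key"

// NewBreachedAccountRequest builds an authenticated v3 request for one account.
// baseURL is a parameter so the call can be pointed at a mock server; the
// real service lives at https://haveibeenpwned.com.
func NewBreachedAccountRequest(baseURL, account, apiKey, userAgent string) (*http.Request, error) {
	if apiKey == "" {
		return nil, fmt.Errorf("refusing to send an unauthenticated v3 request")
	}
	if userAgent == "" {
		return nil, fmt.Errorf("v3 rejects requests without a User-Agent")
	}
	// PathEscape so an address with unusual characters cannot alter the path.
	u := strings.TrimRight(baseURL, "/") + "/api/v3/breachedaccount/" + url.PathEscape(account)
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set(apiKeyHeader, apiKey)
	req.Header.Set("User-Agent", userAgent)
	return req, nil
}

// Result is the raw outcome of one query, including the Retry-After hint a
// 429 carries so a well-behaved client can back off instead of hammering.
type Result struct {
	Status     int
	Body       string
	RetryAfter string
}

// QueryBreachedAccount sends the request and reports status, body and Retry-After.
func QueryBreachedAccount(client *http.Client, baseURL, account, apiKey, userAgent string) (Result, error) {
	req, err := NewBreachedAccountRequest(baseURL, account, apiKey, userAgent)
	if err != nil {
		return Result{}, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return Result{}, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return Result{Status: resp.StatusCode, Body: string(body), RetryAfter: resp.Header.Get("Retry-After")}, nil
}

// NewMockHIBP is a constructed stand-in for the real API. It answers with the
// status codes the v3 docs describe; the key, limit and payload are made up.
func NewMockHIBP(validKey string, perKeyLimit int) *httptest.Server {
	var mu sync.Mutex
	calls := map[string]int{}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("User-Agent") == "" {
			w.WriteHeader(http.StatusForbidden) // 403: no user agent
			return
		}
		key := r.Header.Get(apiKeyHeader)
		if key != validKey {
			w.WriteHeader(http.StatusUnauthorized) // 401: missing or wrong key
			return
		}
		mu.Lock()
		calls[key]++
		over := calls[key] > perKeyLimit
		mu.Unlock()
		if over {
			w.Header().Set("Retry-After", "2")
			w.WriteHeader(http.StatusTooManyRequests) // 429: rate limited
			return
		}
		account := strings.TrimPrefix(r.URL.Path, "/api/v3/breachedaccount/")
		if account == "clean@example.com" { // constructed: no breaches on file
			w.WriteHeader(http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `[{"Name":"ExampleBreach"}]`) // constructed sample payload
	}))
}

func main() {
	srv := NewMockHIBP("demo-key", 2) // constructed key and per-key limit
	defer srv.Close()
	for i := 0; i < 3; i++ {
		res, err := QueryBreachedAccount(srv.Client(), srv.URL, "test@example.com", "demo-key", "example-checker/1.0")
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("status=%d retry-after=%q body=%s\n", res.Status, res.RetryAfter, res.Body)
	}
}
```

Running main shows two successful lookups followed by a 429 with Retry-After set, which is the point at which a client should sleep rather than rotate addresses.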
jawns, almost 6 years ago

I wish the post made more clear, ideally right at the top, that the new fee applies only to third-party apps that access the HIBP API, not to end users whose email addresses are being checked against the API. You have to read through the post a bit before that becomes clear.

Individual users who just want to figure out whether they've been pwned will not have to pony up the cash. They can still visit https://haveibeenpwned.com and get that information for free.
JoshTriplett, almost 6 years ago

> Late last year after seeing a similar pattern with a well-known hosting provider, I reached out to them to try and better understand what was going on. I provided a bunch of IP addresses which they promptly investigated and reported back to me on

I'd love to know how to get a hosting provider to actually *answer* such requests. (I hope the answer isn't just "be high profile". I'm hoping the answer is more like "know the right people to contact or the right phrasing to get through first-line support".)

I've reached out to hosting providers before, providing clear logs of malicious activity, and either gotten no answer, or occasionally gotten a rote "prove it came from us" that would trivially have been answered by actually reading the logs.

(Examples of such logs include SSH brute-forcing attempts, HTTP logs showing attempts to exploit web-app security holes, and spam headers showing the IP that contacted my provider's mail server.)

I've mostly stopped even trying, due to the near-zero response rate.

In an ideal world, I'd love to see reports like this lead to "we can confirm and we've shut down outbound traffic from that system until it gets fixed".
novaleaf, almost 6 years ago

I feel his pain.

I run a SaaS with what I think is a pretty generous free tier (PhantomJsCloud dot com), and yeah, I have numerous people from all over the world doing their best to shit all over it:

- switching IP addresses every request to circumvent "demo user" rate limiting
- creating upwards of 100 fake accounts to get free credits ($0.05/day each account)
- embedding api calls into their webpages so their users' ip address is used for "demo user" credits
- API driven credit cards and hijinks around that.
- using url shorteners to circumvent blacklisted domains

I'm not sure if it's a case of people being incapable of paying credit cards, or just their ethics allow stealing anything that's not bolted down?

I don't mind people signing up with a burner email address, but unfortunately most of these abusers are too. I am going to be banning all throw away email accounts soon. And if that doesn't work (which it probably won't) I'm going to have to kill my free tier.
ksahin, almost 6 years ago

"After 4 and a bit years, by far and away the most popular method with an uptake of more than 90% is versioning via the URL. So that's all V3 supports. I don't care about the philosophical arguments to the contrary, I care about working software and in this case, the people have well and truly spoken. I don't want to have to maintain code and provide support for something people barely use when there's a perfectly viable alternative."

Well said!
elamje, almost 6 years ago

I wonder if this actually has more to do with trying to sell HIBP, than abuse. He just announced that he was selling HIBP a month or two ago. Presumably, if he can get people to pay a nominal fee now for access to the api, it makes HIBP much more valuable to a potential acquirer. If you can prove people are willing to pay $.01/month for a subscription, you can assume (as a potential acquirer) that they would pay $.02/month in the future. Much harder to sell something that is completely free because of the risk that monetization completely fails later.

In previous blog posts he mentions that he gets 99.x% cache hits on Cloudflare, then also has a cache on his Azure service. He is sponsored by Cloudflare and Microsoft and doesn't pay for the service unless something has changed since a few months ago. If that is still true, I don't fully buy that he is actually spending money on Microsoft api hits as the post claims.

But, I like Troy and HIBP, so maybe I'm just too much of a skeptic :-)
skybrian, almost 6 years ago

Very understandable, and also yet another example of why we can't have nice services on the Internet. Traffic from bad actors pushes anyone offering an API in a similar direction, or discontinuing it altogether.
birdman3131, almost 6 years ago

I find it ironic that a site dedicated to seeing if you have been compromised has no method of changing your API key if it is compromised.
londons_explore, almost 6 years ago

Who bruteforce scrapes the HIBP API across many IP addresses when they could just download the original leaked username & password databases?

There's even a torrent file of all of them I won't link here...
yjftsjthsd-h, almost 6 years ago

Obvious next concern: Will bad actors just scrape the website? Putting authentication and payments in front of that rather defeats the entire point, and without that you're back to rate limiting which is exactly what has just been declared as a failed approach.
zxcvbn4038, almost 6 years ago

Adding authentication so you know who is using your service is reasonable, but not sure why the author is complaining about 1.2M requests per day, that is only 14 requests per second on average.
w8rbt, almost 6 years ago

I obtain the SHA1 hashes published by HIBP, load them into a bloom filter and use that for checks. It's super fast (constant time lookups) and avoids a network dependency/third party service. Here's working Go code:

https://github.com/w8rbt/bp

Edit: This is solely for password vetting during account creation and password reset (which will remain free/no-cost in the API).
sucrose, almost 6 years ago

Why are bad actors abusing the API? What benefit does it give them to just be able to check for leaked data on e-mail addresses? Especially when it doesn't actually provide the leaked data...
sroussey, almost 6 years ago

Makes sense. I was writing an email to Troy that he can post about how to set a custom user agent in Electron and Cordova, as the defaults fail. Guess it won't be needed.
Aeolun, almost 6 years ago

I don't use this API myself, so it doesn't really affect me, but this somehow feels like one of the last purely good things was lost.
Daviey, almost 6 years ago

Next step, premium access without rate limit?
DINKDINK, almost 6 years ago

All the ways congestion controls are implemented on the web lead to a cognitively infantilizing UX, privacy violations, and even "skynet" enabling[1] (hyperbolic but nothing stopping it from happening).

"Are you really human? What's: 3 x 9"

"Can you click on images of buses?, hmmmm don't believe you're human still, can you click images of stores, hmmm now bikes, hmmm now vehicles, oh I didn't mean all vehicles I just meant autos and not motorcycles, here quick copy this token, oh it expired? Too bad. How about you click on images of buses for me..."

"Sorry, browsers that protect your privacy and location aren't allowed. We only allow users who are willing to deanonymize themselves."

"Well we all know /those people/ who come from /that place/ are antisocial users"

"Here's your IP addresses back. Oh yeah, sorry about blacklisting them"

This is a comment about the meta issue Troy faces. If costs are rubegoldberg'ed to create a facade of "free", it's not actually free (even if user data isn't being sold). e.g. A median-wage (10e3USD/year) world worker spending 20 seconds solving a captcha has an opportunity cost of 0.03USD[2]. Furthermore, having to solve congestion issues by implementing requirements to use closed/inaccessible (credit cards), poorly programmable things sucks too. Additionally, a congestion solution ("I'd rather low-demand users have free access and high-demand users have expensive access") isn't solved by having a flat rate (which a "keep it low cost" mantra is incentivized to keep low).

There is market demand for: If your demands on my service are x, I'll give you back the $3.50, but if you consume y resources you have to pay Z.

Wouldn't it be great if there was a way machines could own money, send it over a layer-2 network, that was open, cheaper than credit cards, faster than L1 bitcoin, and get your money refunded if you didn't demand excessive server resources, all while not using game-able "good users come from here" privacy violating algos?

This is why micropayment using layer-2 bitcoin on the Lightning Network has significantly-valuable, latent, economic-coordination implications. Micropayments aren't about paying for 1/1000 of a peanut. They're about obviating all the engineering, social, product costs dealt with dealing with Marginal Value, Marginal Cost issues. BAD: The marginal cost of anti-DoS counter measures can always be above the marginal value of deploying them ("listen folks it costs too much to keep this service running, we'll have to shut it down"). UNSTOPPABLE: If a price is put on service requests (Services on Demand)[3] the marginal value will never be below the marginal cost ("I can keep this AED locator map service running because I know a spamming request will incur costs above my production costs").

In a future where L2 Bitcoin payment/Lightning client infrastructure is prevalent, gone will be the days of annoying, productivity-draining captchas, attribute-discriminating access. Troy could charge a 0.01USD "bond" payment for a request (which he could give back fast and costlessly to a low-demand user). Meaning the 14e3/min requests for 3 hours would have required the high-demand user a payment of $25,000USD[4].

0.01USD refundable payment for honest users.

$25,000 USD penalty for high-demand "spammer"

[1] https://i.redd.it/pb5nggw3rulz.jpg

[2] 20/60/60 * 5

[3] https://medium.com/@soddiraju/the-not-so-micro-potential-for-micropayments-c581d3090d47

[4] 14e3 * .01 * 60 * 3
Nullabillity, almost 6 years ago

Looks like AgileBits is getting scared.
dustinmoris, almost 6 years ago

> One thing I want to be crystal clear about here is that the $3.50 fee is no way an attempt to monetise something I always wanted to provide for free.

If this was true, then all revenue made from those 3.5 would get donated to a worthy cause, not donated into Troy's own pocket. I am not saying that he shouldn't monetise it, but please let's be honest about it.

> The point is that the $3.50 number is pretty much bang on the mark for the cost of providing the service.

The cost of the service is the actual final bill which has to be paid for this service, taking into account all the free credits Troy gets as a Microsoft Regional Director, free credits for hugely advertising Azure at every occasion, free credits from Cloudflare for constantly advertising for them, the tax which he doesn't pay as a registered company, etc. divided by the actual amount of customers who use the API. This cost could be much more, or significantly less than $3.5. If Troy wanted to be more transparent then he could, but given that he is very secretive and very selective about the bits of information he shares around all of this, my guess is the cost is much less than what Troy makes everyone believe.

Overall I don't think it is ethical to monetise a service which is built on stolen data. There is a good chance that Troy holds data on me, my parents, my sister, wife and lots of other people whose data has been breached over the years and who have no idea who Troy is, what the heck HIBP is or even know how to contest or request from Troy to remove their data from his service, yet it's being used for monetisation.

There was never a consent from anyone to hoard our data. It's stolen, and only because stolen data is easily discoverable on the internet doesn't make it alright to actively search, store and monetise that data. It's still stolen and should get deleted from everywhere.