Mozilla to test taking Have I Been Pwned to the people

New site Firefox Monitor to act as a passthrough to service operated by security researcher Troy Hunt.

Mozilla has announced that in the coming weeks it will launch a site called Firefox Monitor that will return results from the Have I Been Pwned (HIBP) service operated by Australian security researcher Troy Hunt.

Firefox Monitor will initially be opened to around 250,000 users mostly in the United States, with a release schedule to follow once testing is complete.

"This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream," HIBP founder Troy Hunt said in a blog post describing the partnership.

Rather than passing the searched email address in plaintext from Firefox Monitor to HIBP, the partnership will use the k-Anonymity technique from Cloudflare: only the first six characters of a SHA-1 hash of the address are sent to HIBP, which returns the hashes that match that prefix. Hunt said on average 185 hashes are returned.
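The prefix exchange described above, sketched as an added example (not Mozilla's or HIBP's code). The in-memory `RangeServer`, the function names and the lower-casing of addresses before hashing are assumptions made for illustration, and the sample addresses are constructed.

```python
import hashlib

PREFIX_LEN = 6  # per the article: the first six characters of the SHA-1 hash are sent


def sha1_hex(email: str) -> str:
    # Assumption: addresses are trimmed and lower-cased before hashing.
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Hypothetical stand-in for the remote service; it only ever sees prefixes."""

    def __init__(self, breached_emails):
        self._by_prefix = {}
        for email in breached_emails:
            digest = sha1_hex(email)
            self._by_prefix.setdefault(digest[:PREFIX_LEN], set()).add(digest)
        self.seen_queries = []  # everything an observer of the server learns

    def query(self, prefix: str):
        # Reject anything that is not exactly a six-character hex prefix,
        # so a client bug cannot leak a full hash or a raw address.
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
        self.seen_queries.append(prefix)
        return sorted(self._by_prefix.get(prefix, ()))


def is_breached(email: str, server: RangeServer) -> bool:
    digest = sha1_hex(email)
    candidates = server.query(digest[:PREFIX_LEN])
    # The full-hash comparison happens locally; the server never sees it.
    return digest in candidates


# Constructed sample data, not real breach records.
SERVER = RangeServer(["alice@example.com", "bob@example.org"])

if __name__ == "__main__":
    for address in ("Alice@Example.com", "carol@example.net"):
        print(address, is_breached(address, SERVER))
    print("server saw:", SERVER.seen_queries)
```

The server's view is limited to `seen_queries`: each entry is a six-character prefix shared by every address whose hash starts the same way, which is what gives the searcher cover.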

Hunt added that he does not see making the API used for this service available publicly, and that he was working on a way to port HIBP's subscription feature that alerts users when they are caught up in a new breach.

At the same time, Hunt said 1Password was using the same techniques to allow its users to search HIBP from 1Password's web version.

In March, Hunt announced the cybersecurity centres of the UK and Australia were using HIBP to monitor all government domains for departmental email addresses in breaches.

"The UK government can query any .gov.uk domain on demand and the Aus government can query any .gov.au domain on demand. They can both also query a small handful of whitelisted domains on different TLDs, for example, The Commonwealth Scientific and Industrial Research Organisation (CSIRO) runs on csiro.au so that domain is whitelisted for the ACSC in addition to the .gov.au TLD," Hunt wrote at the time.

"The only access they have is to domains that their people working in those departments could query anyway via the existing free domain search model, we're just consolidating it all into a unified service."

Last month, Mozilla released Firefox 60, which it claimed was the first browser to support the Web Authentication API that currently allows YubiKeys to be used instead of passwords. Mozilla hopes it will support authentication via mobile phones and biometrics.
