Firefox Notifies Users of Compromised Accounts

Mozilla this week launched a new service that helps users check if their email addresses are part of publicly known data breaches.

Dubbed Firefox Monitor and launched in partnership with Troy Hunt and Cloudflare, the service leverages the information available through Hunt’s Have I Been Pwned (HIBP) website to keep track of compromised accounts. Mozilla has tested the service over the summer and is now making it generally available.

Using Firefox Monitor is as easy as it can be: one simply needs to access and type in their email address. The service then checks the address against the HIBP database and informs the user whether their email address and/or personal info was involved in a publicly known past data breach.

Should a compromise be detected, users are advised to immediately change their password for the email address and for all other accounts where they might have used the same password.

Firefox Monitor also allows users to sign up using their email address and receive notifications about data breaches when they become public. The service will automatically scan the email address against those breaches and a private message will be sent to the user if a compromise is found.

Mozilla also took precautions to ensure that the sensitive information isn’t exposed when a user engages the Firefox Monitor service.

In June, the organization revealed that anonymized hash range query API endpoints from HIBP are used for the service, instead of downloading the entire set of available data.

“Hash range queries add k-Anonymity to the data that Mozilla exchanges with HIBP. Data with k-Anonymity protects individuals who are the subjects of the data from re-identification while preserving the utility of the data,” Mozilla said at the time.

Firefox Monitor doesn’t store the range queries or the received results, and only caches those results in an encrypted client session. Thus, no plaintext or hashed sensitive user data is disclosed and, with HIBP not disclosing its entire set of hashes either, user’s information remains secure.

“If you’re wondering about how we’re handling your email address, rest assured we will protect your email address when it’s scanned. This is all in keeping with our principles at Mozilla, where we’re always looking for features that will protect people’s privacy and give them greater control when they’re online,” the organization notes.

Related: Credential Stuffing Attacks Are Reaching DDoS Proportions

Related: Spring 2018 Password Attacks

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire: