Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Firefox Alerts Users When Visiting Breached Sites

Mozilla has added a new feature to Firefox to alert users when they visit a website that has been part of a data breach in the past. 

Mozilla has added a new feature to Firefox to alert users when they visit a website that has been part of a data breach in the past. 

Earlier this year, the Internet organization launched Firefox Monitor, a service to inform users if their accounts have been part of data breaches. Enjoying support for Cloudflare, the service uses data from Troy Hunt’s Have I Been Pwned (HIBP) website to keep track of compromised accounts.

The newly announced Firefox alert is the latest improvement Mozilla brings to Firefox Monitor and takes advantage of the very same HIBP data to warn users of breached websites. 

“To help users who might have otherwise missed breach news or email alerts, we are integrating alerts into Firefox that will notify users when they visit a site that has been breached in the past. This feature integrates notifications into the user’s browsing experience,” Mozilla’s Luke Crouch explains.

What users should keep in mind when receiving these alerts, however, is the fact that neither HIBP nor Mozilla know if they changed their passwords after a breach or if they reused the same passwords on another account. 

“So we do not know whether an individual user is still at risk, and cannot trigger user-specific alerts,” Crouch points out. 

Initially, Firefox will display the alert if the user has never seen such a warning before, but only for breached sites that have been added to HIBP within the last 12 months. After that, the alert will be displayed to the user if they visit a breached site that has been added to HIBP within the last 2 months.

The 12-month and 2-month policy, Mozilla believes, involves reasonable timeframes to inform users on password-reuse and unchanged-password risks. 

“A longer alert timeframe would help us ensure we make even more users aware of the password-reuse risk. However, we don’t want to alarm users or to create noise by triggering alerts for sites that have long since taken significant steps to protect their users. That noise could decrease the value and usability of an important security feature,” Crouch says. 

The initial approach is meant to bring attention, awareness, and information to users, as well as to begin receiving feedback from them. 

Moving forth, however, Mozilla plans on implementing a more sophisticated alert policy, and says it would work together with users, partners, and service operators for that. Such a policy would be based on “stronger signals of individual user risk, and website mitigations.”

Related: Credential Stuffing Attacks Are Reaching DDoS Proportions

Related: Firefox Notifies Users of Compromised Accounts

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Software maker Adobe has rolled out its first batch of security patches for 2023 with fixes for at least 29 security vulnerabilities in a...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Endpoint Security

Apple has launched a new security research blog and website, which will also be the new home of the company’s bug bounty program.