
Firefox Notifies Users of Compromised Accounts

Mozilla this week launched a new service that helps users check if their email addresses are part of publicly known data breaches.


Dubbed Firefox Monitor and launched in partnership with Troy Hunt and Cloudflare, the service leverages the information available through Hunt’s Have I Been Pwned (HIBP) website to keep track of compromised accounts. Mozilla has tested the service over the summer and is now making it generally available.

Using Firefox Monitor is simple: users access monitor.firefox.com and type in their email address. The service then checks the address against the HIBP database and informs the user whether their email address and/or personal info was involved in a publicly known past data breach.

Should a compromise be detected, users are advised to immediately change their password for the email address and for all other accounts where they might have used the same password.

Firefox Monitor also allows users to sign up using their email address and receive notifications about data breaches when they become public. The service will automatically scan the email address against those breaches and a private message will be sent to the user if a compromise is found.

Mozilla also took precautions to ensure that the sensitive information isn’t exposed when a user engages the Firefox Monitor service.

In June, the organization revealed that anonymized hash range query API endpoints from HIBP are used for the service, instead of downloading the entire set of available data.

“Hash range queries add k-Anonymity to the data that Mozilla exchanges with HIBP. Data with k-Anonymity protects individuals who are the subjects of the data from re-identification while preserving the utility of the data,” Mozilla said at the time.


Firefox Monitor doesn’t store the range queries or the received results, and only caches those results in an encrypted client session. Thus, no plaintext or hashed sensitive user data is disclosed and, with HIBP not disclosing its entire set of hashes either, users’ information remains secure.
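An added example (not from the article, Mozilla or HIBP) of the hash range query pattern described above, run against constructed data: the client sends only a hash prefix and matches the suffix locally. SHA-1, the six-character prefix and the names `RangeServer` and `check_email` are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 6  # assumption: hex characters of the hash that leave the client


def email_hash(email: str) -> str:
    """Hex SHA-1 of the normalised address (SHA-1 is an assumption here)."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Hypothetical stand-in for the breach-data side of a hash range query."""

    def __init__(self, breached: dict):
        # Index full hashes by prefix; each bucket maps suffix -> breach names.
        self._buckets = defaultdict(dict)
        for email, breaches in breached.items():
            h = email_hash(email)
            self._buckets[h[:PREFIX_LEN]][h[PREFIX_LEN:]] = sorted(breaches)
        self.seen_queries = []  # everything this side ever learns from clients

    def range_query(self, prefix: str) -> dict:
        if len(prefix) != PREFIX_LEN or set(prefix) - set("0123456789ABCDEF"):
            raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
        self.seen_queries.append(prefix)
        # Return every suffix in the bucket, so the reply does not reveal
        # which entry (if any) the caller is interested in.
        return dict(self._buckets.get(prefix, {}))


def check_email(server: RangeServer, email: str) -> list:
    """Client side: send only the prefix, compare the suffix locally."""
    h = email_hash(email)
    candidates = server.range_query(h[:PREFIX_LEN])
    return candidates.get(h[PREFIX_LEN:], [])


# Constructed sample data, not real breach records.
SAMPLE_BREACHES = {
    "alice@example.com": ["ExampleForum-2016", "ExampleShop-2018"],
    "bob@example.org": ["ExampleShop-2018"],
}

if __name__ == "__main__":
    server = RangeServer(SAMPLE_BREACHES)
    for addr in ("Alice@Example.com ", "carol@example.net"):
        print(addr.strip(), "->", check_email(server, addr) or "no known breach")
    print("server saw only:", server.seen_queries)
```

The `seen_queries` list is the whole of what the data holder learns: a prefix shared by every address whose hash starts the same way, never the address or its full hash.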

“If you’re wondering about how we’re handling your email address, rest assured we will protect your email address when it’s scanned. This is all in keeping with our principles at Mozilla, where we’re always looking for features that will protect people’s privacy and give them greater control when they’re online,” the organization notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
