Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Firefox Notifies Users of Compromised Accounts

Mozilla this week launched a new service that helps users check if their email addresses are part of publicly known data breaches.

Mozilla this week launched a new service that helps users check if their email addresses are part of publicly known data breaches.

Dubbed Firefox Monitor and launched in partnership with Troy Hunt and Cloudflare, the service leverages the information available through Hunt’s Have I Been Pwned (HIBP) website to keep track of compromised accounts. Mozilla has tested the service over the summer and is now making it generally available.

Using Firefox Monitor is as easy as it can be: one simply needs to access and type in their email address. The service then checks the address against the HIBP database and informs the user whether their email address and/or personal info was involved in a publicly known past data breach.

Should a compromise be detected, users are advised to immediately change their password for the email address and for all other accounts where they might have used the same password.

Firefox Monitor also allows users to sign up using their email address and receive notifications about data breaches when they become public. The service will automatically scan the email address against those breaches and a private message will be sent to the user if a compromise is found.

Mozilla also took precautions to ensure that the sensitive information isn’t exposed when a user engages the Firefox Monitor service.

In June, the organization revealed that anonymized hash range query API endpoints from HIBP are used for the service, instead of downloading the entire set of available data.

“Hash range queries add k-Anonymity to the data that Mozilla exchanges with HIBP. Data with k-Anonymity protects individuals who are the subjects of the data from re-identification while preserving the utility of the data,” Mozilla said at the time.

Firefox Monitor doesn’t store the range queries or the received results, and only caches those results in an encrypted client session. Thus, no plaintext or hashed sensitive user data is disclosed and, with HIBP not disclosing its entire set of hashes either, user’s information remains secure.

“If you’re wondering about how we’re handling your email address, rest assured we will protect your email address when it’s scanned. This is all in keeping with our principles at Mozilla, where we’re always looking for features that will protect people’s privacy and give them greater control when they’re online,” the organization notes.

Related: Credential Stuffing Attacks Are Reaching DDoS Proportions

Related: Spring 2018 Password Attacks


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Data Breaches

T-Mobile disclosed another massive data breach affecting approximately 37 million customer accounts.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...