CIO

Firefox Monitor provides password breach alerts. Would it convince you to set up a Firefox Account?

  • Liam Tung (CSO Online)
  • 26 September, 2018 07:00

Firefox maker Mozilla has launched Firefox Monitor, a new website that checks if credentials were compromised in a breach. 

The company has been testing the service with users since June, using breach information collected by security expert Troy Hunt’s HaveIBeenPwned (HIBP) website. 

Users can type their email address into the site, which, like Hunt’s site, returns a list of breaches the credentials are known to have been part of. The results display the date of the breach, the affected product, the number of accounts compromised, and a list of the data that was compromised. 

People can also sign up to Firefox Monitor in order to receive notifications in the event of a future breach. Mozilla says it intends to check periodically against Hunt’s library of compromised credentials. The page also includes several links to download Firefox. 

The new service comes as major browser makers work to make the web less dependent on passwords via the WebAuthn standard. In future, users should be able to sign in to websites without using a password. 

While Firefox Monitor pretty much does the same thing as HIBP, Hunt welcomed Mozilla’s effort since it could broaden his site’s reach to people who don't know his site or what 'pwned' means. Firefox is also a more recognized brand.

Mozilla hasn’t said exactly how it plans to integrate Monitor with the Firefox browser, but it may be part of its plan to boost the number of Firefox users who set up a Firefox Account -- Mozilla's identity system for syncing Firefox across devices and logging into Firefox add-ons. 

A potential conflict here is that Firefox Accounts could be breached too if, say, hackers discovered one of the 15 vulnerabilities that a third-party security firm found during a 2017 audit of Mozilla's authentication system.   

Mozilla is, however, reportedly planning to extend its HIBP partnership to a new password manager it's building called Firefox Lockbox. Monitor would then check credentials stored in the password manager against HIBP’s records. Firefox Lockbox also requires a Firefox Account.

The idea for Firefox Monitor came from Mozilla’s ‘Shield Studies’ A/B tests conducted within Firefox, which it uses to size up what features it could build into the browser. 

A previous Shield user study focusing on Firefox Accounts revealed that people valued the idea of receiving breach notifications, so much so that they were much more likely to accept Mozilla's request to create a Firefox Account, Matt Grimes from Firefox's strategy and insights team revealed today in a Medium post. 

Mozilla asked users about multiple profile use, password management, the ability to lock Firefox, syncing, sharing, and more. 

"The real goal was to get a broad sense of what we could do with accounts that would be meaningful to users before we started building it," wrote Grimes. 

He also distanced himself from the Firefox that most users see since his work is just "throw away work, not the elegant and polished work you see released in Firefox".

Nonetheless, the idea that Firefox could "notify me of potential password compromises" resonated extremely well with users, which prompted him to reach out to Hunt and kick off the HIBP-Firefox Monitor tie-up.

The non-profit then tested Firefox Account sign-up rates with the message below, which asked: "Want to be notified immediately if one of your saved passwords is stolen? Sign up for a Firefox Account for instant security updates". 

Mozilla's A/B tests reveal users were more likely to sign-up to a Firefox Account if they received breach notifications.

"The attempted sign-up rate was higher than we’d seen for any other Accounts offer to date," he continued. 

Since the service didn’t actually exist, Mozilla ended the experiment and notified users that it was just that. 

His post doesn't confirm exactly which direction Mozilla intends to take Firefox Monitor, though it does spell out a motivation and he notes that Firefox users should expect to "see Monitor growing and showing up in more places in the Firefox planetary system soon" -- that planetary system being Mozilla's internal lingo for new features and products built around the Firefox brand.

For those concerned about privacy, Mozilla won’t be sharing the full email address entered on Monitor with Hunt’s service, and instead sends a hash of the submitted email address and the first six characters. It then checks whether the hash of the email address matches any of the several billion email address hashes on HaveIBeenPwned. 
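The privacy property described above is a hash-prefix (k-anonymity) lookup: the client hashes the address locally, sends only a short prefix of that hash, receives every known hash suffix sharing that prefix, and does the final comparison itself, so the breach service never sees the full address or even the full hash. The following is an added illustration of that model and is not Mozilla's or HIBP's code; the SHA-1 hash, the lower-casing of the address, the six-character prefix and the breach corpus are all constructed assumptions for the example.

```python
import hashlib

PREFIX_LEN = 6  # assumption: the "first six characters" quoted in the article


def email_hash(email: str) -> str:
    """Client side: hash the normalised address. Only this hash, never the
    address itself, is ever derived into what leaves the client."""
    # Lower-casing is an assumption so that Alice@ and alice@ hash identically.
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """Return (prefix sent to the server, suffix kept on the client)."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


# Constructed breach corpus (made-up addresses and breach names), keyed by
# full hash, standing in for the service's collection of breached hashes.
BREACH_CORPUS = {
    email_hash("alice@example.com"): ["ExampleForum2016", "ExampleShop2018"],
    email_hash("bob@example.com"): ["ExampleForum2016"],
}


def server_range_lookup(prefix: str, corpus=BREACH_CORPUS):
    """Server side: given only a hash prefix, return every matching suffix with
    its breach list. The server cannot tell which suffix the caller cares about."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be %d upper-case hex characters" % PREFIX_LEN)
    return {digest[PREFIX_LEN:]: names
            for digest, names in corpus.items() if digest.startswith(prefix)}


def what_server_sees(email: str) -> str:
    """The only value transmitted for this address: the hash prefix."""
    prefix, _ = split_hash(email_hash(email))
    return prefix


def client_check(email: str, corpus=BREACH_CORPUS):
    """Full client flow: hash locally, send prefix, match the suffix locally.
    Returns the list of breaches the address is known to appear in."""
    prefix, suffix = split_hash(email_hash(email))
    candidates = server_range_lookup(prefix, corpus)
    return candidates.get(suffix, [])


if __name__ == "__main__":
    for addr in ("alice@example.com", "Alice@Example.com", "carol@example.com"):
        print(addr, "-> server saw", what_server_sees(addr),
              "-> breaches:", client_check(addr))
```

The check a practitioner would want from this model is the one `what_server_sees` makes explicit: the transmitted value is a fixed-length prefix, so a single lookup reveals only that the address falls into a bucket shared with every other hash starting with those characters. The server-side validation rejects anything that is not a six-character hex prefix, which keeps a client from quietly sending the full hash or the raw address over the same channel.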

"We want to be part of the solution so we protect your private data from future breaches by not putting you at risk," Mozilla said. "This means, we don’t collect or display sensitive information and certain sensitive sites are omitted from the public results you see on our site. To enable Firefox Monitor for your e-mail address it has to be verified by you. All sensitive breach alerts are sent directly to your inbox with the email information anonymized."