Firefox to notify users when they’re on a recently breached site

  • Liam Tung (CSO Online)
  • 16 November, 2018 04:58
Firefox notification on sites added to Have I Been Pwned in the past 12 months

Firefox-maker Mozilla is expanding its Firefox Monitor data breach alert service to the Firefox browser on desktop. 

Mozilla launched the Firefox Monitor website in September, allowing people to type in an email address and check whether their password was in any of the breaches logged by security expert Troy Hunt’s website, Have I Been Pwned (HIBP).

Firefox Monitor duplicated a lot of HIBP, but Mozilla’s service could use the better known Firefox name to broaden the reach of Hunt’s service to average computer users, and educate more people about the dangers of password re-use.

Still, users had to visit the Firefox Monitor site and provide an email address if they wanted to be notified the next time their details were in a breach catalogued by Hunt.

In the coming weeks, though, Firefox Monitor will begin to notify all Firefox desktop users when they visit a site that has been breached in the past.

The alert offers a brief overview of the breach and asks the user whether they have an account on the affected site. Users can then click “Check Firefox Monitor” to open the site and see whether they’re among those known to be affected.

Users can opt out of the alerts altogether by choosing “never show Firefox Monitor alerts” in the dropdown menu on the notification.

HIBP’s catalogue includes breaches dating back to 2006, but thankfully Firefox won’t be displaying alerts for all of these sites, which currently number more than 300.

Firefox users who’ve never seen a breach alert before will see an alert for any site that’s been added to HIBP in the last year. After users have seen one alert, they’ll only see a notification if the affected site has been added to HIBP within the past two months.

Extending the window beyond 12 months would help inform more users about the risk of password reuse, but Mozilla wanted to avoid “noise” from issuing alerts for sites that have long since remediated their breaches.

“That noise could decrease the value and usability of an important security feature,” explained Luke Crouch, a privacy engineer at Mozilla. 

This also means Firefox won’t alert users when they visit Adobe and LinkedIn, which experienced massive breaches prior to 2014. However, because the rule is built around the date Hunt adds compromised credentials to HIBP, an old breach can still trigger notifications if it was added to HIBP in the last year.
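The alert rule described above, written out as an added illustration rather than Mozilla’s own code. It assumes HIBP-style breach records with a BreachDate (when the breach happened) and an AddedDate (when it was catalogued), uses constructed sample records, and treats “a year” as 365 days and “two months” as 60 days.

```python
from datetime import date, timedelta

# Constructed sample records in the shape of HIBP's breach model. Domains and
# dates are made up; only the relationship between the fields matters here.
SAMPLE_BREACHES = [
    # breached and catalogued years ago: never alerts
    {"Domain": "old.example", "BreachDate": date(2012, 6, 5), "AddedDate": date(2016, 5, 21)},
    # breached and catalogued within the last two months: alerts for everyone
    {"Domain": "recent.example", "BreachDate": date(2018, 9, 1), "AddedDate": date(2018, 10, 3)},
    # an old breach only catalogued this year: alerts for first-time users only
    {"Domain": "late-add.example", "BreachDate": date(2011, 1, 10), "AddedDate": date(2018, 3, 15)},
    # catalogued just over a year ago: outside both windows
    {"Domain": "expired.example", "BreachDate": date(2017, 9, 1), "AddedDate": date(2017, 11, 1)},
]

# Assumed numeric interpretation of the article's "last year" / "two months".
FIRST_ALERT_WINDOW = timedelta(days=365)
SUBSEQUENT_ALERT_WINDOW = timedelta(days=60)

# Reference date used by the example below (the article's publication date).
EXAMPLE_TODAY = date(2018, 11, 16)


def should_alert(breach, today, seen_alert_before, opted_out=False):
    """Decide whether to show a Firefox Monitor alert for one breach record.

    The decision keys off AddedDate, not BreachDate, which is why an old
    breach that HIBP catalogued recently still produces a notification.
    """
    if opted_out:  # user chose "never show Firefox Monitor alerts"
        return False
    window = SUBSEQUENT_ALERT_WINDOW if seen_alert_before else FIRST_ALERT_WINDOW
    return today - breach["AddedDate"] <= window


def alerts_for_visit(domain, breaches, today, seen_alert_before, opted_out=False):
    """Return the breach records that should trigger an alert on visiting domain."""
    return [
        b for b in breaches
        if b["Domain"] == domain and should_alert(b, today, seen_alert_before, opted_out)
    ]


if __name__ == "__main__":
    for first_time in (True, False):
        hits = [b["Domain"] for b in SAMPLE_BREACHES
                if should_alert(b, EXAMPLE_TODAY, seen_alert_before=not first_time)]
        print("first-time user" if first_time else "returning user", "->", hits)
```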

Crouch described the Firefox notifications as an “interim approach” that would help bring awareness to its users, and pointed to recent articles by Hunt on how websites can avoid being breached and how to disclose a breach if one has happened. In the future Mozilla hopes to develop a more “sophisticated” alert system based on individual user risk and website mitigations.