The short happy life of the Breached extension

2019-05-27 by Adam Pritchard

In October 2017, Troy Hunt of Have I Been Pwned held a contest inviting people to do something cool with the HIBP API. I decided a) that I would kind of like the special edition ThinkPad he was giving away, and b) that I could probably whip something up pretty quickly.

I decided to create a browser extension that would simply pull HIBP breach information and show a browser notification – with the ability to view extra info – when the user visited a site that had been breached. And so was born the Breached extension. (Spoiler: I didn’t win.)

For non-technical readers: A “breach”, in this context, is when a hacker obtains the user database of a website. A breach generally includes email addresses, passwords (in some form), maybe credit cards, and other stuff you don’t want a hacker to have. So “breach information” about a website tells you that a breach occurred, when it happened, what data was stolen, and how much of it. Which is the kind of thing you should know about before using that website!

A month after I released the extension, someone created an issue pointing out that Mozilla “started working on integrating haveibeenpwned.com warnings into Firefox”. (As I promised there I did (nominally) reach out, but it didn’t go anywhere.) A year later that project turned into Firefox Monitor.

So, Breached is basically redundant on Firefox. In a sense I’m bummed, but I’m more flattered – it was obviously a pretty okay idea!

Monitor has a different notification policy: They only show alerts for sites that have been breached within the last two months. (If I’m reading that right. I think the 12-month part is a one-off and is likely just to increase the number of people that will ever see a notification). Breached’s policy is… just, like, show them all. Because I didn’t think about that while coding it. I think Monitor’s time-limit is better, since many sites will have sorted themselves out and don’t deserve a black mark for all time, so I might also add a time limit. (I don’t find the notifications noisy, but maybe I just don’t visit enough shady sites.)

In case you’re wondering what Monitor notifications look like, here’s one:

Firefox Monitor breach notification

And here is Breached’s notification:

Breached's breach notification

And the additional-detail popup:

Breached's additional detail popup

Well, at least Breached is still relevant on Chrome! For now…