{"id":2414,"date":"2018-11-14T17:49:24","date_gmt":"2018-11-15T01:49:24","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2414"},"modified":"2018-11-14T17:49:24","modified_gmt":"2018-11-15T01:49:24","slug":"when-does-firefox-alert-for-breached-sites","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2018\/11\/14\/when-does-firefox-alert-for-breached-sites\/","title":{"rendered":"When does Firefox alert for breached sites?"},"content":{"rendered":"<h2><b>Mozilla&#8217;s Position on Data Breaches<\/b><\/h2>\n<p>Data breaches are common for online services. Humans make mistakes, and humans make the Internet. Some online services discover, mitigate, and disclose breaches quickly. Others go undetected for years. Recent breaches include \u201cfresh\u201d data, which means victims have less time to change their credentials before they are in the hands of attackers, while old breaches have had more time to make their way into scripted <a href=\"https:\/\/www.owasp.org\/index.php\/Credential_stuffing\">credential stuffing<\/a> attacks. <b>All breaches are dangerous to users<\/b>.<\/p>\n<p>As stated in the <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/manifesto\/#principle-04\">Mozilla Manifesto<\/a>: \u201cIndividuals\u2019 security and privacy on the internet are fundamental and must not be treated as optional.\u201d Most people simply don\u2019t know that a data breach has affected them, which makes it difficult to take the first step to secure their online accounts because they don\u2019t know they\u2019re insecure in the first place. This is why we launched <a href=\"https:\/\/monitor.firefox.com\/\">Firefox Monitor<\/a>.<\/p>\n<h2><b>Informing Firefox Users<\/b><\/h2>\n<p>Today we are continuing to improve our Firefox Monitor service. 
To help users who might have otherwise missed breach news or email alerts, we are integrating alerts into Firefox that will notify users when they visit a site that has been breached in the past. This feature integrates notifications into the user\u2019s browsing experience.<\/p>\n<p>To power this feature, we use a list of breached sites provided by our partner, <a href=\"https:\/\/haveibeenpwned.com\/\">Have I Been Pwned<\/a> (HIBP). <b>Neither HIBP nor Mozilla can confirm that a user has changed their password after a breach, or whether they have reused a breached password elsewhere.<\/b> So we do not know whether an individual user is still at risk, and cannot trigger user-specific alerts.<\/p>\n<p>For our initial launch we\u2019ve developed a simple, straightforward methodology:<\/p>\n<ul>\n<li>If the user has never seen a breach alert before, Firefox shows an alert when they visit any breached site <b>added to HIBP within the last 12 months<\/b>.<\/li>\n<li>After the user has seen their first alert, Firefox only shows an alert when they visit a breached site <b>added to HIBP within the last 2 months<\/b>.<\/li>\n<\/ul>\n<p>We believe these 12-month and 2-month windows are reasonable timeframes to alert users to both the password-reuse and unchanged-password risks. A longer alert timeframe would help us ensure we make even more users aware of the password-reuse risk. However, we don\u2019t want to alarm users or to create noise by triggering alerts for sites that have long since taken significant steps to protect their users. That noise could decrease the value and usability of an important security feature.<\/p>\n<h2><b>Towards a More Sophisticated Approach<\/b><\/h2>\n<p>This is an interim approach to bring attention, awareness, and information to our users now, and to start getting their feedback. 
When we launched our Monitor service, we received tremendous feedback from our early users that we\u2019re using to improve our efforts to directly address users\u2019 top concerns for their online service accounts. For service operators, our partner, Troy Hunt, already has some great articles on <a href=\"https:\/\/www.troyhunt.com\/fixing-data-breaches-part-1-education\/\">how to prevent data breaches from happening<\/a>, and <a href=\"https:\/\/www.troyhunt.com\/data-breach-disclosure-101-how-to-succeed-after-youve-failed\/\">how to quickly and effectively disclose and recover from them<\/a>. Over the longer term, we want to work with our users, partners, and all service operators to develop a more sophisticated alert policy. We will base such a policy on stronger signals of individual user risk, and website mitigations.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mozilla&#8217;s Position on Data Breaches Data breaches are common for online services. Humans make mistakes, and humans make the Internet. Some online services discover, mitigate, and disclose breaches quickly. Others &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/11\/14\/when-does-firefox-alert-for-breached-sites\/\">Read more<\/a><\/p>\n","protected":false},"author":285,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30,69],"tags":[],"coauthors":[127141],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>When does Firefox alert for breached sites? 
- Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2018\/11\/14\/when-does-firefox-alert-for-breached-sites\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Luke Crouch\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/11\/14\/when-does-firefox-alert-for-breached-sites\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2018\/11\/14\/when-does-firefox-alert-for-breached-sites\/\",\"name\":\"When does Firefox alert for breached sites? - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2018-11-15T01:49:24+00:00\",\"dateModified\":\"2018-11-15T01:49:24+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/491692acd36de650165e25dd53c99954\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/11\/14\/when-does-firefox-alert-for-breached-sites\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2018\/11\/14\/when-does-firefox-alert-for-breached-sites\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2018\/11\/14\/when-does-firefox-alert-for-breached-sites\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"When does Firefox alert for breached 
sites?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/491692acd36de650165e25dd53c99954\",\"name\":\"Luke Crouch\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/1b48bfd9be84cb33b2259056825f5338\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ac76daf656edb21915fd4611edae2b2e?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ac76daf656edb21915fd4611edae2b2e?s=96&d=identicon&r=g\",\"caption\":\"Luke Crouch\"},\"description\":\"Privacy Engineer\",\"sameAs\":[\"https:\/\/groovecoder.com\",\"https:\/\/x.com\/groovecoder\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"When does Firefox alert for breached sites? - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2018\/11\/14\/when-does-firefox-alert-for-breached-sites\/","twitter_misc":{"Written by":"Luke Crouch","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2018\/11\/14\/when-does-firefox-alert-for-breached-sites\/","url":"https:\/\/blog.mozilla.org\/security\/2018\/11\/14\/when-does-firefox-alert-for-breached-sites\/","name":"When does Firefox alert for breached sites? 
- Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2018-11-15T01:49:24+00:00","dateModified":"2018-11-15T01:49:24+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/491692acd36de650165e25dd53c99954"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2018\/11\/14\/when-does-firefox-alert-for-breached-sites\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2018\/11\/14\/when-does-firefox-alert-for-breached-sites\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2018\/11\/14\/when-does-firefox-alert-for-breached-sites\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"When does Firefox alert for breached sites?"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/491692acd36de650165e25dd53c99954","name":"Luke Crouch","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/1b48bfd9be84cb33b2259056825f5338","url":"https:\/\/secure.gravatar.com\/avatar\/ac76daf656edb21915fd4611edae2b2e?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ac76daf656edb21915fd4611edae2b2e?s=96&d=identicon&r=g","caption":"Luke Crouch"},"description":"Privacy 
Engineer","sameAs":["https:\/\/groovecoder.com","https:\/\/x.com\/groovecoder"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2414"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/285"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2414"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2414\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2414"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2414"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2414"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}