Mozilla plans to add warning notifications to the Firefox browser when users visit websites that were hacked in the past.
Hacked web services and sites are a common occurrence on the Internet, and while hackers may have different goals when it comes to hacks, one lucrative target is a site's user database.
The Yahoo hack for instance put 3 billion user records in the hand of the hackers. In 2017, hacks managed to dump Equifax's database with 143 million customer records, and an Uber database with 57 million records.
While some companies have laws in place that require that companies disclose hacks, others don't. The reaction to hacks by companies is not identical, as there is no guideline to follow.
Users should be notified about breaches so that they can react to the news. Services like Have I been pwned have been created to make things easier for users. They maintain a database of hacked usernames / email addresses, and return to users whether these were leaked in hacks in the past.
These sites rely on getting access to the hacked data to add the information to the database.
Mozilla plans to add support for the Have I Been pwned database to Firefox.
The main idea is to inform Firefox users of hacked sites when they visit these sites. The feature is currently in prototype stage and not yet implemented in Firefox.
The current iteration displays a prompt under the Firefox address bar when a previously hacked site is accessed in Firefox.
The prompt informs you that the site was hacked in the past, and provides an option to enter an email address or user name to check whether user data fell into the hands of the hackers.
You can follow development of the add-on on GitHub.
It is a good idea to add hack alerts to the Firefox web browser. While part of Firefox's userbase will get the information directly through affected email accounts or by reading news sites, others may not, and that is the target audience for the feature.
Mozilla should consider adding options to disable the feature entirely; while it appears that the alert is shown only once, it is of little benefit if an alert is displayed if the hack happened years ago.
The effectiveness of the feature depends entirely on the Have I Been Pwned database. The database depends on user dumps becoming available publicly, or being forwarded to the service privately.
It should be clear that this won't inform you about 100% of all data breaches. It would make sense for Mozilla to maintain a list of hacked sites even if the user database has not been made available yet. It is better to inform users about the hack as they may then react to it quickly.
All in all, this is an interesting feature if implemented correctly.
Now You: What's your take on this?
If you like our content, and would like to help, please consider making a contribution: