Mozilla engineers are working on a notifications system for Firefox that shows a security warning to users visiting sites that have suffered data breaches.
The notifications system will use data provided by Have I Been Pwned?, a website that indexes public data breaches and allows users to search and see if their details have been compromised in any of these incidents.
Work on this project has only recently started. The code to show these warnings is not even in the Firefox codebase but is managed separately as an add-on.
"[Breach Alerts] is an addon that I'm going to be using for prototyping an upcoming feature in Firefox that notifies users when their credentials have possibly been involved in a data breach," said Mozilla engineer Nihanth Subramanya in the add-on's description.
The code of this add-on is available on GitHub, and anyone can compile it and import it into Firefox. Only Firefox Developer Edition is currently supported.
The add-on is in the early stages of development, and the warnings are rough around the edges. Currently, they trigger when the user visits a site included in Have I Been Pwned's list of public data breaches.
The alert also includes an input field. In the add-on's current version this field doesn't do anything, but we presume it's there to allow users to search and see if their data was exposed during that site's security breach.
This new notification system will surely ruffle feathers with some of the breached companies. It is one thing for Have I Been Pwned to offer this kind of detail on its website, buried in a corner of the Internet, but it's another thing to have news of your past breach thrust in all your site visitors' faces, especially since some of these breaches occurred years ago.
"I’ve been working with Mozilla on this," Troy Hunt, the Australian security researcher behind Have I Been Pwned, told Bleeping Computer via email today.
"We’re looking at a few different models for how this might work, the main takeaway at present is that there’s an intent to surface data about one’s exposure directly within the browser," Hunt added.
One thing is for sure: Mozilla needs to pay close attention to the language and manner in which it shows these notifications to users. Putting less focus on the security incident and more emphasis on encouraging users to change credentials for breached accounts is most likely the best way to go about it.
Subramanya was not available for additional comment on the Breach Alerts add-on.