Involved in a data breach? Firefox to test alerts in the browser

When a company suffers a data breach, there are currently a limited number of ways users get to hear about it.

Usually a company will tell its customers via email.  At this point, the media often makes a fuss too, which is how bad news is spread to the wider world.

A less obvious but increasingly influential route is through Troy Hunt’s Have I Been Pwned? (HIBP), a breach reporting site we’ve covered a bit recently.

HIBP is influencing breach reporting in two ways. First, because it often hears about breaches before companies do, said companies then hear about problems earlier (although that can still be years on from an incident).

Second, users hear about breaches earlier, both from companies told about them by HIBP but also, if they are registered users, direct via email or by manually checking on the site itself.

For instance, HIBP was behind the discovery of the Disqus breach in October as well as this week’s Imgur incident, to pick only two examples.

Now, Mozilla has had a radical idea – why not display HIBP’s alerts about breached sites inside the Firefox browser itself?

Browsers already warn users about phishing sites, malware downloads and insecure digital certificates, so extending this to data breaches sounds logical.

In a GitHub posting, Mozilla engineer Nihanth Subramanya has posted the code for an experimental add-on that developers can use to test this.

How it might eventually work is unclear, but one option is to warn everyone visiting a breached domain as a prompt to change passwords if they are registered users.

It might also allow users to register for alerts should HIBP detect that their email address has been discovered inside a public cache of breached data.

The innovation is that it could inform people about breaches more quickly than either the affected company or HIBP could on their own.

There are wrinkles of course.

The biggest of these is what breached companies will think about it. Given the number of breaches now being disclosed – especially ones a company didn’t know about until someone noticed data on the dark web – we might be beyond worrying about that, but it’s an issue all the same.

There’s also an issue over privacy (where are email addresses stored if they are supplied?), and whether HIBP alerting is activated automatically or has to be turned on.

HIBP’s Troy Hunt recently told a news site:

We’re looking at a few different models for how this might work, the main takeaway at present is that there’s an intent to surface data about one’s exposure directly within the browser.

Firefox’s embrace of HIBP shouldn’t obscure the unsettling paradox that a site run by one man, with a few helpers and limited resources, seems able to uncover multiple large data breaches more effectively than some of the world’s biggest companies.

It could be that many of them don’t look hard enough, but we should never lose sight of how silly this is. Telling people about breaches is all well and good but the industry must aspire to stop them happening in the first place.