Once the service goes live in the coming weeks, Firefox users running version 62 and later will see an icon appear in the address bar when they visit a known breached website.
Clicking on this will reveal details of the specific breach supplied through Firefox’s integration with the Have I Been Pwned (HIBP) website, which Naked Security covered in September.
This will read something like:
More than x number of email accounts from example.domain were compromised in 2018. Check Firefox Monitor to see if yours is at risk.
Notice the alert won’t tell Firefox users that their personal account has been breached, only that they should check for themselves, offering them a link to do this.
The first time Firefox users see a breach alert for any website, it will relate to those added to the HIBP database in the preceding 12 months (the actual breach may have happened years earlier of course).
From there on, to avoid alert fatigue, the cut-off will be websites added within the preceding two months.
It will also be possible to turn alerts off completely by hitting ‘never show Firefox Monitor alerts’ on the notification drop-down box.
One giant leap for breach notification
Firefox has recently become a bit of a security and privacy control centre, incorporating more anti-tracking and security controls than any other popular rival browser.
In theory, breach alerts could become redundant because affected users would already know about the issue after being asked by a compromised site to reset their passwords. However, not all breaches lead to universal password reset with some websites limiting this to a subset of users it thinks have been affected.
With Firefox Monitor, all Firefox users visiting that website would see an alert for a breach they may and may not already know about.
On balance, this is a good thing. Resetting passwords on a breached website is a good precaution to take, just in case its extent has been underestimated.
It’s been asserted that alerts might frighten users away from a website, but the disclosure may serve to improve security practices among both site owners and users.
Arguably, the problem with browser breach alerts is that they give people general warnings about websites rather than more useful ones relating to their own accounts.
Cagily, Mozilla hints that personalised breach alerts might be on the list for future development:
Over the longer term, we want to work with our users, partners, and all service operators to develop a more sophisticated alert policy. We will base such a policy on stronger signals of individual user risk, and website mitigations.
It’s a complex undertaking to aim for on several levels (not least privacy) but one Mozilla seems determined to press on with.