As part of its efforts to make Firefox users feel more secure while browsing the web, Mozilla is launching Firefox Monitor to let users know if they’ve been hacked. By integrating Firefox Monitor with web service Have I Been Pwned (HIBP), users of Mozilla’s browser can quickly check to see if they’ve been hacked by entering their email address. Mozilla is trialing the Firefox Monitor service right now and will invite 250,000 of the more than 500 million Firefox users to help test the service next week. After the testing period, Mozilla expects the service to roll out to all Firefox users.
“We decided to address a growing need for account security by developing Firefox Monitor, a proposed security tool that is designed for everyone, but offers additional features for Firefox users,” Mozilla wrote in a blog post detailing the service. “Visitors to the Firefox Monitor website will be able to check (by entering an email address) to see if their accounts were included in known data breaches, with details on sites and other sources of breaches and the types of personal data exposed in each breach.”
The service monitors the web to see if your email is part of a data dump, and if it is, Firefox Monitor will send an alert to your inbox. To keep your email address secure when you’re checking Firefox Monitor to see if you’re a victim of a data breach, Mozilla claims that your information is anonymized and that the service never sends your full email address to a third party outside of Mozilla. Email lookups are performed using hashing prefixes to keep your information secure.
“When searching HIBP for a password, the client SHA-1 hashes it then takes the first five characters and sends this to the API,” HIBP creator and security researcher Troy Hunt wrote on his blog. “In response, a collection of hashes is returned that match that prefix (477 on average). By looking at the hash prefix sent to the service, I have no idea what the password is. It could be any one of those 477 or it could be something totally different, I don’t know. Of course, I could always speculate based on the prevalence of each password but it would never be anything more than that — speculation.”
In addition to alerting users if their data is breached, Mozilla said that it is also evaluating a service to notify you if your personal data was also compromised. Part of Mozilla’s security strategy is to integrate HIBP’s service with Firefox Lockbox, a password manager that automatically fills in usernames and passwords for websites that you visit on Firefox. In the future, Firefox Monitor will be able to verify your stored Lockbox logins against the HIBP database to give you a more detailed look at what services, passwords, usernames, and accounts may have been compromised in a data breach or attack.
Mozilla advises users to download the latest Firefox Quantum browser to prepare for the launch of Firefox Monitor.
In addition to partnering with Mozilla for Firefox Monitor, Hunt is also working with password manager 1Password to allow HIBP lookups from directly within 1Password’s Watchtower feature.
