After a few months of testing, Mozilla has launched its free Firefox Monitor service that notifies users when their credentials are stolen as part of a data breach. The website, which is essentially an external interface to Troy Hunt's Have I Been Pwned (HIBP) database, also allows users to sign up for notifications in case their email addresses are found in future breaches.
With more and more databases containing stolen user credentials, from email addresses to credit card numbers, now being illegally hosted on the internet, monitoring services like Mozilla's make a lot of sense. Although re-using passwords on different websites is very bad practice, it still happens often, and having a password breached once could pose a threat to other accounts protected by the same one.
To make sure that email addresses entered by the Monitor's users are not shared even with its partner HIBP, Mozilla uses hash range query API endpoints. Simply speaking, it hashes the user's email and sends the first few characters of the hash as a query. HIBP then finds all entries that start with these characters and replies with a series of hash suffixes of the breached accounts, which are then checked on Mozilla's side. This way, even hashed email addresses are not shared with any third parties.
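The range query described above, with both sides of the exchange, as an added example that is not Mozilla's or HIBP's code. SHA-1, the 6-character prefix, the lowercase normalisation and the `RangeServer` stand-in with its constructed addresses are assumptions made for illustration.

```python
import hashlib

PREFIX_LEN = 6  # assumption: the article only says "the first few characters"


def email_hash(email: str) -> str:
    """Hash a normalised address (SHA-1 and the normalisation are assumptions)."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Hypothetical stand-in for the breach database side of the exchange."""

    def __init__(self, breached_emails):
        self._suffixes = {}     # hash prefix -> set of hash suffixes
        self.seen_queries = []  # everything the server ever learns from clients
        for address in breached_emails:
            digest = email_hash(address)
            self._suffixes.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])

    def range_query(self, prefix: str) -> list:
        if len(prefix) != PREFIX_LEN:
            raise ValueError("range queries carry exactly PREFIX_LEN hex characters")
        self.seen_queries.append(prefix)
        # Reply with every suffix in the bucket; an empty bucket yields an empty list.
        return sorted(self._suffixes.get(prefix, ()))


def is_breached(email: str, server: RangeServer) -> bool:
    """Client side: send only the prefix, compare the suffixes locally."""
    digest = email_hash(email)
    candidates = server.range_query(digest[:PREFIX_LEN])
    return digest[PREFIX_LEN:] in candidates


# Constructed sample data, not real breach records.
SAMPLE_BREACHED = ["alice@example.com", "bob@example.net"]

if __name__ == "__main__":
    server = RangeServer(SAMPLE_BREACHED)
    for address in ["Alice@Example.com ", "carol@example.org"]:
        print(address.strip(), "->", is_breached(address, server))
    print("server saw only:", server.seen_queries)
```

`seen_queries` holds nothing but prefixes, so a reply with matching suffixes does not tell the server which address in that bucket was being checked.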
For Firefox users, the partnership between Mozilla and HIBP also brings notifications when they visit websites that have suffered a breach in the past. In addition to that, the company recently announced new anti-tracking features that are already available in the Nightly version of its browser.
Mozilla is not the only company that's partnered with HIBP to notify users about breaches. The password manager 1Password can also check its users' credentials against the database; there are also DIY solutions for other password managers.