After a few months of user testing, Mozilla has launched Firefox Monitor, a free online service that allows users to check whether their email address was involved in a publicly known data breach and to sign up to get notified if the account appears in new data breaches.

Firefox Monitor works by checking the submitted email address(es) against the database provided by Troy Hunt’s Have I Been Pwned service.

Protecting users’ privacy

For those worried about sharing their email address with that service, the good news is that Mozilla has your back: it worked with HIBP and Cloudflare to create a method of anonymized data sharing for Firefox Monitor.

“The new Firefox Monitor service will use anonymized range query API endpoints from Have I Been Pwned (HIBP). This new Firefox feature allows users to check for compromised online accounts while preserving their privacy,” Luke Crouch, a Privacy & Security Engineer at Mozilla, explained earlier this year.

“When a user submits their email address to Firefox Monitor, it hashes the plaintext value and sends the first 6 characters to the HIBP API. The API responds with many suffixes and the list of breaches that include the full value.”

Firefox Monitor then goes through the returned objects to find which (if any) prefix and breached account suffix equals the user-submitted hash value, and shows the result to the user.

This setup allows Mozilla to keep the plaintext or hashes of sensitive user data from the HIBP service, and the HIBP service to not disclose its entire set of hashes (and therefore to protect breached users from further exposure).

Protecting the service and users from bad actors

Mozilla has also put protections in place to minimize the risk of the service being misused by the attackers.

“Hashed data is still vulnerable to brute-force attacks. An adversary could still loop thru a dictionary of email addresses to find the plaintext of all the range query results. To reduce this attack surface, Firefox Monitor does not store the range queries nor any results in its database. Instead, it caches a user’s results in an encrypted client session,” Crouch noted.

“We also monitor our scan endpoint to prevent abuse by an adversary attempting a brute force breached-account enumeration attack against our service.”

For those interested in the technical details about the Mozilla/HIBP collaboration for the Firefox Monitor service, Troy Hunt has written a helpful blog post.