Data breach report should search against all email addresses used in vault

Feature name

  • data breach report should search against all email addresses used in vault

Feature function

  • What will this feature do differently? Right now the data breach report lets you search by one email address. Ideally it should automatically pull all of the email addresses from your vault and search against them. I use different email addresses for each site for login – being able to quickly see if any are breached would be great.
  • What benefits will this feature bring? Convenience
  • Remember to add a tag for each client application that will be affected

Related topics + references

  • Are there any related topics that may help explain the need and function of this feature? No
  • Are there any references to this feature or function on other platforms that may be helpful? No
2 Likes

I’d add that it should offer a list of all emails found in the vault and allow deselecting those that the user does not want to be part of the report.

6 Likes

Agreed. I’m using https://simplelogin.io/ to generate unique email addresses for every single site I use. This minimizes the # of compromises so a data breach report for a unique email address may not be huge but it would be nice to know when an address is compromised.

5 Likes

Nice email solution. Thank you for sharing!
Definitely wouldn’t work to check all emails if you use that :wink:

3 Likes

@imthenachoman Additional to simple convenience, this feature would also allow the date of a breach to be compared against the most recent password change. Reported breaches could then be removed from the list if the login credentials had changed after it occured.

1 Like

Moreover, Bitwarden should automatically warn whenever a password I have/an email I have is found in a new leak.

7 Likes

I’m not as worried about checking against the breach date, I’d just like this feature at all. It’s a bit disappointing that all the other checks check against all items in the vault, but this one doesn’t. I’m guessing this is possible because, for instance with the “Exposed Passwords” check, all the datasets and comparisons can be done against a dataset hosted by Bitwarden or directly on the client rather than having to reach out to an external API, but does HIBP not support making a lot of requests/testing in bulk?

2 Likes

A bit late to this, but I signed up purely to support this.

Voted. Apple Keychain already does this, as well as other major password managers (e.g. LastPass).

Like other users, I typically use a different email address for each website. This is an increasingly common scenario (see for example Apple’s Hide My Email).

Ideally, this check should be done periodically, without user input. An email alert would be also very useful.

1 Like

Integrating with or otherwise collaborating with Mozilla’s monitor.firefox.com open source project https://github.com/mozilla/blurts-server/ might be a route to share the burden in maintaining a multi email breach monitoring and report system. Monitor already supports marking breaches resolved and both Bitwarden and Monitor are powered by the same source Have I been pwned.

Reports for all email in the vault is especially important if generated emails are used per account ie Generate email aliases for new logins (Implement Email Protection) - #3 by wolfgang8741 and from other existing services.

2 Likes

1 additional vote

it would be really nice if the “data breach report” tool could check all the emails in the vault.
I use an email alias for each account.
The current “data Breach report” tool is unusable for me.
Currently I use “Mozilla Firefox Monitor” to check my main email addresses. But I can’t check all my email aliases.

2 Likes

Seems similar to Data breach checks on individual logins

Perhaps since it is older votes could be redirected to that.

I really hope this feature request is seriously considered, especially now that the username generator has been implemented (and I hope to shift away from the old single email/username methodology).

Also, most comments have specified email address, but I think if it can check any username, there’s not need to limit it to email addresses.

Out of scope, but a cool addition: It may not be possible through the API, but I’d love for BitWarden to provide a way to bulk sign up for the “Notify Me” feature for each email in my account that hasn’t already been signed up. (Have I Been Pwned: Notify me)

Should this merged with Vault Heatlh Dashboard - Data Breach Report should do automatic lookups and alerts?

1 Like

Thanks for checking in, I think they are distinct requests, the referenced request is to move to a dynamic dashboard type experience (which is planned), while this request is to expand the functionality of the specific Data Breach report to include additional emails rather than just the account email.

Doh! This is basic functionality in every other password manager, to check all accounts in the vault. BitWarden’s report even says “Cgecj abt yserbanes ir enauk addresses that you use.” However, this is not the case. Heck, might as well go back to LastPass!

Hey @NeuronsNeeded thanks for the feedback, there are additional reports for other plan types, such as exposed, reused, weak etc that cover all accounts in the individual or organization vault.

More info here: https://bitwarden.com/help/reports/

Agree with this request. As a soon-to-be-former LastPass user, this is something I will miss in Bitwarden (until it gets implemented).

Thanks!
— Jeff

Automatic would probably difficult since it would have to be done on the client after decryption, and some people set vault timeouts quite short. If you don’t use that many different email addresses, you could subscribe them to Have I Been Pwned alerts.