Security news that informs and inspires

Mozilla Rolls Out Firefox Monitor Service for Breach Notifications

Mozilla is launching a new service that will notify people if their personal information is caught up in any future data breaches. Called Firefox Monitor, the service has been in a test phase for the last few months, and now Mozilla is making it available to everyone.

Firefox Monitor relies on data compiled by security researcher Troy Hunt. who maintains the Have I Been Pwned database. That database is a collection of data--email addresses and other information--that has been compromised in various breaches over the years and users can search it to see if any of their data is included. Through Firefox Monitor, a user can check her email address against the database of known compromised addresses from past breaches, and now she can sign up to be notified if the address appears in future breaches, too.

“Sign up for Firefox Monitor using your email address and we will notify you about data breaches when we learn about them. Your email address will be scanned against those data breaches, and we’ll let you know through a private email if you were involved,” Nick Nguyen of Mozilla said.

The service is an important one, especially as the number of data breaches continues to rise and people become more and more inured to news of yet another incident. Breach notifications becoming background noise isn’t good for anyone, aside from attackers and others looking to take advantage of users’ indifference. To help preserve users’ privacy, Firefox Monitor uses an anonymized search process that allows it to return results without ever seeing sensitive user data.

“Hash range queries add k-Anonymity to the data that Mozilla exchanges with HIBP. Data with k-Anonymity protects individuals who are the subjects of the data from re-identification while preserving the utility of the data,” Mozilla’s Luke Crouch wrote at the time Firefox Monitor was announced.

Firefox Monitor uses an anonymized search process that allows it to return results without ever seeing sensitive user data.

“When a user submits their email address to Firefox Monitor, it hashes the plaintext value and sends the first 6 characters to the HIBP API. For example, the value “” hashes to 567159d622ffbb50b11b0efd307be358624a26ee.”

Mozilla has been working on other security and privacy features recently, as well. The company is planning to block third-party trackers by default in Firefox, as early as the next month. That move will take some of the responsibility out of users’ hands when it comes to protecting themselves from being tracked across the web.

“In order to help give users the private web browsing experience they expect and deserve, Firefox will strip cookies and block storage access from third-party tracking content,” Nguyen said.