Upcoming Firefox feature could warn users when their password gets stolen

Mozilla is piloting a program with the aim to introduce a feature in Firefox that will notify users when their credentials may have been leaked or stolen in a data breach.

In a GitHub repo set up for the initiative, Bengaluru, India-based Mozilla developer Nihanth Subramanya explains the reasons behind the “Breach Alerts Prototype” and how his company would like to tackle the issue.

Data breaches have become common, and everything from email addresses and passwords to credit card details and personal information can be leaked or stolen by bad actors, Subramanya argues.

“As they [data breaches] grow more frequent, it’s desirable to keep track of them and communicate about them to Web users when their credentials may have been compromised, and educate them on the repercussions, what they can do when such a breach occurs, and protect themselves in the future,” the developer says.

To kickstart the project, Subramanya proposes using a typical browser extension as a “vehicle” for prototyping an interaction flow behind a graphical user interface. Mozilla is teaming up with haveibeenpwned.com as its data source.

Created by Microsoft staffer Troy Hunt, “have i been pwned?” is a free tool that lets anyone check if their online credentials may have been compromised.

If successful, Mozilla will consider introducing the Breach Alerts function as an addition to Firefox. The component – whether baked into the browser itself or released as an add-on – will supposedly notify users when their credentials may have been leaked or stolen.

The full scope of the project also includes teaching users about data breaches (i.e. a “learn more” link in the notification), and a way to opt into a service that alerts the user when they may be affected in the future. Subramanya is the first to admit that at least the final goal might be hard to attain:

“The third goal brings up some privacy concerns, since users would need to supply an email address to receive notifications,” he said. “Who is the custodian of this data? Can we avoid sending user data to haveibeenpwned.com? Can we still offer useful functionality to users who opt out of subscribing their email address?”

Despite these concerns, Mozilla aims to offer “as much utility as possible while respecting the user’s privacy.”

It will be interesting to see how the project unfolds. Those of you interested in the progress of Breach Alerts Prototype can track it here.