Have I been pwned #367

Open
jamesgeddes opened this issue Aug 18, 2021 · 2 comments
Labels
epic Issues which contain a body of work that should be broken down into specific tasks P4 Issues that are low impact and not urgent. Probably won't get much attention tbh.

@jamesgeddes
Contributor

jamesgeddes commented Aug 18, 2021

As part of our duty of care toward our members, check if their email address or telephone number has been involved in any data breaches.

We also want to collect stats on the number of members who are and are not involved in breaches - because data is fun.

Actions

At 0700 UTC every day,

  • set not_external_breached_total and external_breached_total to 0
  • Use the Have I Been Pwned API to check all accounts
  • If the member has not been involved in a breach, add 1 to not_breached_total.
  • If the member has been involved in a breach:
    • contact the member
    • show a banner on login
    • add 1 to external_breached_total
    • require the member to set up 2FA (requires 2FA #44)
  • Graph unknown, breached & not breached as a percentage with grafana

Constraints

  • Member must opt-in to having their email address sent to haveibeenpwned.com in member settings.
  • Output datetime, external_breached_total, not_external_breached_total to the database so that they can be picked up by grafana.
  • If the member has provided SMS system messages GDPR permissions, contact via SMS
  • If the member has not provided SMS system messages GDPR permissions but has provided email system messages permissions, contact via email
  • If no system messages GDPR permissions have been provided, only show a banner on login.
  • Contact must advise that 2FA is now required on next login
  • Banner should:
    • be shown at the top of every page while member is logged in
    • explain which of their other accounts have been involved in a breach
    • explain that these accounts are not affiliated with Geek.Zone
    • be dismissed with a tickbox and button double confirmation - "I understand and will address this with those organisations"
  • Should be able to distinguish between threats that we have already notified the member about and new threats.

Impact

Low

Urgency

Later
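The daily job described in the Actions and Constraints above, sketched as an added example (not code from the Geek.Zone project): the HIBP lookup is injected as a callable and replaced here by constructed sample data so it runs offline, the counter names follow the issue, and `unknown_total` plus the `notified_breaches` bookkeeping are assumptions made to cover the "unknown" graph series and the "already notified vs new threats" constraint.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data standing in for the HIBP API so the example runs offline.
# A real lookup would call the HIBP v3 breachedaccount endpoint with an API key and
# treat HTTP 404 as "no breach"; only the email address is ever sent, never a password.
SAMPLE_BREACHES = {"alice@example.com": ["ExampleSite", "OtherSite"], "bob@example.com": []}

def fake_lookup(email):
    return SAMPLE_BREACHES.get(email, [])

@dataclass
class Member:
    email: str
    hibp_opt_in: bool                 # explicit opt-in before the address leaves our system
    sms_system_msgs: bool             # GDPR permission: SMS system messages
    email_system_msgs: bool           # GDPR permission: email system messages
    notified_breaches: set = field(default_factory=set)  # breaches already reported to them

def contact_channel(m):
    """Channel precedence from the issue: SMS, then email, otherwise None (banner only)."""
    if m.sms_system_msgs:
        return "sms"
    if m.email_system_msgs:
        return "email"
    return None

def daily_breach_check(members, lookup_breaches, now=None):
    """The 0700 UTC job: returns the stats row for the database and per-member actions.
    The login banner and the 2FA requirement apply to every breached member regardless
    of channel; "channel" is only the out-of-band contact method."""
    now = now or datetime.now(timezone.utc)
    stats = {"datetime": now.isoformat(), "external_breached_total": 0,
             "not_external_breached_total": 0, "unknown_total": 0}
    actions = []
    for m in members:
        if not m.hibp_opt_in:
            stats["unknown_total"] += 1    # never checked without consent: "unknown" on the graph
            continue
        breaches = set(lookup_breaches(m.email))
        if not breaches:
            stats["not_external_breached_total"] += 1
            continue
        stats["external_breached_total"] += 1
        new = breaches - m.notified_breaches   # new threats vs ones already reported
        actions.append({"email": m.email, "channel": contact_channel(m), "show_banner": True,
                        "require_2fa": True, "new_breaches": sorted(new),
                        "known_breaches": sorted(breaches & m.notified_breaches)})
        m.notified_breaches |= breaches
    return stats, actions
```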

@jamesgeddes jamesgeddes added the epic Issues which contain a body of work that should be broken down into specific tasks label Dec 8, 2021
@OMGtechy

This shouldn't be auto-opt in / opt-out - sending someone's password without their knowing is ... eek. Just make it such that someone has to choose explicitly. Disabled until they do.

@jamesgeddes jamesgeddes added the P? Awaiting priority assignment label Apr 13, 2022
@jamesgeddes
Contributor Author

jamesgeddes commented Apr 13, 2022

@OMGtechy With regard to,

  • opt-in/opt-out
    on reflection I do agree with you; any time that we are sharing PII with another party we need to explicitly seek permission from the user. I have updated the description accordingly.
  • what data is provided to haveibeenpwned.com
    only email addresses are shared with haveibeenpwned.com, nothing else - particularly no passwords. This would be clearly explained in the UI.

@geekzonebotold geekzonebotold added P4 Issues that are low impact and not urgent. Probably won't get much attention tbh. and removed P? Awaiting priority assignment labels Nov 22, 2022