1. 17

  2. 6

    Firefox Monitor uses haveibeenpwned.com as its source and seems to provide exactly the same functionality. It’s not clear to me what the value-add is?

    1. 15

      There are a couple value adds:

      1. Trust via brand recognition. I’ve asked my parents to check haveibeenpwned.com before and it took me 10 minutes to convince them it was safe to visit. I love the service, but the domain name alone makes it unsuitable for the vast majority of internet users.

      2. Discoverability. Only a tiny minority has ever heard of haveibeenpwned and word of mouth won’t reach nearly as many people as Firefox can.

      There’s also the possibility of future integrations with e.g. Firefox Lockwise.

      1. 8

        Haveibeenpwned is English only. Monitor is available in dozens of languages.

        The audience is non-technical. Being affected by a breach causes a lot of uncertainty and fear in people. Monitor helps them understand what they need to do (basic password hygiene) in their own language. TL;DR: localization, simplification, emails for new breaches.

        1. 5

          I guess the only difference is that Mozilla gets to collect your email address and (per their privacy policy) basically send you things and share it with Salesforce and Amazon:

          If you sign up, we (and our email providers SalesForce and Amazon) receive your email address to contact you in connection with the Firefox Monitor Service, which includes Full Reports, Breach Alerts, and Safety Tips. You can unsubscribe at any time.

          1. 2

            @ahal put it very well.

            Aaaand people use their emails to sign up for really shady services, which outsource their email to one of these Amazon/Sendgrid/Mailchimp companies anyway. The GDPR (allegedly, at least) helps a bit, but I think the bigger damage has been done a priori.

            Mozilla’s business is not in mail delivery, though in this case it sounds like they could, and maybe should, take care of it themselves.

            I’m taking this as a sign of them seeing outsourcing as a lesser evil and risk than hiring someone to maintain Postfix and in-house tooling.

          2. 1

            In Troy Hunt’s announcement from last year, he mentions that only 0.06% of pwned email addresses are signed up to the notification service.