steampipe plugin install hibp

Table: hibp_breach - Query HIBP Breaches using SQL

Have I Been Pwned (HIBP) is a service that allows users to check if their personal data has been compromised by data breaches. It collects and analyzes hundreds of database dumps and pastes containing information about billions of leaked accounts. The HIBP Breach resource provides information about the specific data breach incidents.

Table Usage Guide

The hibp_breach table provides insights into data leak incidents registered in the Have I Been Pwned database. As a security analyst, explore breach-specific details through this table, including the breach name, domain, date, and associated data classes. Utilize it to uncover information about specific breaches, such as the affected accounts, the nature of the leaked data, and the actions taken to mitigate the breach.

Important Notes

  • This table does not require an API key to be configured in the hibp.spc file.

Examples

List breaches from the last 3 months

Explore recent security breaches to understand potential vulnerabilities and patterns. This query is particularly useful for identifying recent threats and enhancing security measures accordingly.

Postgres:

select
  title,
  breach_date
from
  hibp_breach
where
  breach_date > current_date - interval '3 months';

SQLite:

select
  title,
  breach_date
from
  hibp_breach
where
  breach_date > date('now', '-3 months');

List unverified breaches

List the breaches that HIBP has flagged as unverified. This can be useful in assessing potential vulnerabilities and prioritizing areas for security enhancement.

Postgres:

select
  title,
  pwn_count,
  breach_date
from
  hibp_breach
where
  is_verified = false;

SQLite:

select
  title,
  pwn_count,
  breach_date
from
  hibp_breach
where
  is_verified = 0;

List breaches for the "Passwords" or "Usernames" data classes

Discover the instances of security breaches involving either passwords or usernames. This can be helpful in understanding the magnitude and timing of such incidents, which can aid in improving data security measures.

Postgres:

select
  distinct(title),
  pwn_count as size,
  breach_date
from
  hibp_breach
where
  data_classes ?| array['Usernames', 'Passwords'];

SQLite:

Error: SQLite does not support array operations.
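An added example (not part of the plugin documentation) of a SQLite-side equivalent for the data-class filter: it expands the data_classes JSON array with json_each instead of the Postgres ?| operator, and also drops spam-list, fabricated and retired entries using the boolean flags listed in the schema. It assumes the SQLite extension exposes data_classes as JSON text that json_each can read.

```sql
-- Added example, SQLite dialect. Assumes data_classes is exposed as JSON text
-- (a JSON array of strings) that json_each() can expand.
select distinct
  b.title,
  b.pwn_count as size,
  b.breach_date
from
  hibp_breach as b,
  json_each(b.data_classes) as dc   -- one row per data class in the breach
where
  dc.value in ('Usernames', 'Passwords')
  -- keep only entries that reflect an actual compromise of live data
  and b.is_spam_list = 0
  and b.is_fabricated = 0
  and b.is_retired = 0
order by
  size desc;
```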

Schema for hibp_breach

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name.
added_date | timestamp with time zone | | The date and time (precision to the minute) the breach was added to the system.
breach_date | timestamp with time zone | | The date (with no time) the breach originally occurred on in ISO 8601 format. This is not always accurate — frequently breaches are discovered and reported long after the original incident. Use this field as a guide only.
data_classes | jsonb | | This field describes the nature of the data compromised in the breach and contains an array of impacted data classes.
description | text | | Contains an overview of the breach represented in HTML markup. The description may include markup such as emphasis and strong tags as well as hyperlinks.
domain | text | = | The domain of the primary website the breach occurred on. This may be used for identifying other assets external systems may have for the site.
is_fabricated | boolean | | Indicates that the breach is considered fabricated. A fabricated breach is unlikely to have been hacked from the indicated website and usually contains a large amount of manufactured data. However, it still contains legitimate email addresses and asserts that the account owners were compromised in the alleged breach.
is_retired | boolean | | Indicates if the breach has been retired. This data has been permanently removed and will not be returned by the API.
is_sensitive | boolean | | Indicates if the breach is considered sensitive. The public API will not return any accounts for a breach flagged as sensitive.
is_spam_list | boolean | | Indicates if the breach is considered a spam list. This flag has no impact on any other attributes but it means that the data has not come as a result of a security compromise.
is_verified | boolean | = | Indicates whether the breach is considered verified; a value of false marks an unverified breach. An unverified breach may not have been hacked from the indicated website. An unverified breach is still loaded into HIBP when there's sufficient confidence that a significant portion of the data is legitimate.
logo_path | text | | A URI that specifies where a logo for the breached service can be found. Logos are always in PNG format.
modified_date | timestamp with time zone | | The date and time (precision to the minute) the breach was modified. This will only differ from the added_date attribute if other attributes represented here are changed or data in the breach itself is changed (i.e. additional data is identified and loaded). It is always either equal to or greater than the added_date field, never less than.
name | text | = | A Pascal-cased name representing the breach which is unique across all other breaches. This value never changes and may be used to name dependent assets (such as images) but should not be shown directly to end users (see the 'title' field instead).
pwn_count | bigint | | The total number of accounts loaded into the system. This is usually less than the total number reported by the media due to duplication or other data integrity issues in the source data.
title | text | | A descriptive title for the breach suitable for displaying to end users. It's unique across all breaches but individual values may change in the future (i.e. if another breach occurs against an organisation already in the system). If a stable value is required to reference the breach, refer to the 'name' field instead.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install the exporter with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- hibp

You can pass the configuration to the command with the --config argument:

steampipe_export_hibp --config '<your_config>' hibp_breach