"Breach accounts found" but... nothing on the HIBP website #1236

New Issue

Closed

opened 2025-11-07 07:01:17 -06:00 by GiteaMirror · 1 comment

GiteaMirror commented 2025-11-07 07:01:17 -06:00

Owner

Copy Link

Originally created by @jducaud on GitHub (Mar 19, 2022).

Subject of the issue

My Vaultwarden account email address is said by the Web Vault to be linked to a breach but it does not seem to be.

Deployment environment

Machine: Synology DS218+ (OS: DSM 6.2.4-25556 Update 5)
Docker image: vaultwarden/server 1.24.0 (latest: 6 weeks ago / 187MB) (Web Vault 2.25.1)
Client: Firefox 98.0.1 (64-bit) (connection to the Web Vault) on Microsoft Windows 10 21H2
Reverse proxy and version (on DSM): nginx 1.16.1

Steps to reproduce

1 - Log in to my Vaultwarden account on the Web Vault
2 - Go to "Tools > Reports > Data breach report"
3 - Press the "Check breaches" button
4 - The message "BREACHED ACCOUNTS FOUND" (uppercased and red) is displayed, asking for a manual check on HIBP website
5 - Go to HIBP website (just click on the provided hyperlink by the Web Vault)
6 - See that my email address has not been pwned

Expected behaviour

I have no subscription running at HIBP, so I do not have an API key. I would expect the Web Vault to remind me that I have not an HIBP API key, but without warning me that I have been pwned (this supposed breach has even a date: August 18th 2019).

Actual behaviour

See above.

Troubleshooting data

Here are 2 relevant screenshots

Steps 1 to 4

Steps 5 to 6

Originally created by @jducaud on GitHub (Mar 19, 2022). ### Subject of the issue My Vaultwarden account email address is said by the Web Vault to be linked to a breach but it does not seem to be. ### Deployment environment Machine: Synology DS218+ (OS: DSM 6.2.4-25556 Update 5) Docker image: vaultwarden/server 1.24.0 (latest: 6 weeks ago / 187MB) (Web Vault 2.25.1) Client: Firefox 98.0.1 (64-bit) (connection to the Web Vault) on Microsoft Windows 10 21H2 Reverse proxy and version (on DSM): nginx 1.16.1 ### Steps to reproduce 1 - Log in to my Vaultwarden account on the Web Vault 2 - Go to "Tools > Reports > Data breach report" 3 - Press the "Check breaches" button 4 - The message "BREACHED ACCOUNTS FOUND" (uppercased and red) is displayed, asking for a manual check on HIBP website 5 - Go to HIBP website (just click on the provided hyperlink by the Web Vault) 6 - See that my email address has not been pwned ### Expected behaviour I have no subscription running at HIBP, so I do not have an API key. I would expect the Web Vault to remind me that I have not an HIBP API key, but without warning me that I have been pwned (this supposed breach has even a date: August 18th 2019). ### Actual behaviour See above. ### Troubleshooting data Here are 2 relevant screenshots Steps 1 to 4  Steps 5 to 6 

GiteaMirror added the wontfix label 2025-11-07 07:01:17 -06:00

GiteaMirror closed this issue 2025-11-07 07:01:17 -06:00

GiteaMirror commented 2025-11-07 07:01:18 -06:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Mar 19, 2022):

This is a feature.
Since you do not have a HIBP API-Key you normally would get an error message.
To make it a bit easier for people to check the mail address we added a custom error message noting that the API-Key is not set and we have added a link to HIBP with the mail addresses provided.

Just read the message carefully, and you would see that it states Manual HIBP Check and that the Key is not set.

@BlackDex commented on GitHub (Mar 19, 2022): This is a feature. Since you do not have a HIBP API-Key you normally would get an error message. To make it a bit easier for people to check the mail address we added a custom error message noting that the API-Key is not set and we have added a link to HIBP with the mail addresses provided. Just read the message carefully, and you would see that it states **Manual HIBP Check** and that the Key is not set.

GiteaMirror referenced this issue 2025-11-07 07:54:46 -06:00

[PR #1236] [CLOSED] feat: add email bcc option #2787

GiteaMirror referenced this issue 2026-03-07 21:01:00 -06:00

[PR #1236] [CLOSED] feat: add email bcc option #6564

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

wontfix

No Label wontfix

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#1236