pwned? app - learning Firebase and TypeScript using Have I Been Pwned? API

Troy Hunt May 30, 2018

I have blogged about the development of InDEx, which is a JavaScript-based app designed to reduce binge drinking in veterans. I developed InDEx using IONIC v1 and MEAN stack, at the time, these technologies worked very well. However, on a larger scale, managig my own servers is not practial nore cost effective. With this in mind, I wanted to try (e.g. Backend as a service) out some new technologies and keep my skills up-to-date, before re-developing InDEx using IONIC V3, TypeScript and Firebase for at-scale deployment.

I needed a project that would be relatively simple to develop and expose me to a range of new technologies and techniques, and I knew the perfect project. I am an avid follower of Troy Hunt, he runs the Have I Been Pwned? (HIBP) service which includes a Application Programming Interface (API) to allow others to query the service. There are already many uses of the Have I Been Pwned? API, including iOS and Android apps, and at the moment this project is very similar. However, I have some ideas/features planned for the next few months which shouold make the app stand out from the rest (data aggregation, visualisations etc).

I decided to call the app pwned?, borrowing the main reference used in HIBP.

pwned? app: You can download the app via the Google Play Store or get the source code on GitHub.

The app

The app has two core modules, 'accounts' and 'passwords', both of which are core to the HIBP service. Users can search their email address, username or password to see if they've been pwned. The final element, possibly one of the most sensitive item of information in which a user could supply to an unknown third party, their password, is protected using an approach recommend by Troy. The HIBP password range API is used, where the user password is converted to SHA-1 in the app, and only the first 5 characters of the SHA-1 are sent to HIBP.

Below are a couple of screen screenshots and you can see a live demo here.




Contribute: I welcome any comments, pulls and commits.


I created a Firebase Function to monitor the Have I Been Pwned API (daily), and when a new breach is detected an email is then sent to me (via SendGrid), giving me the option to push the notification to users.

Future Development

It was a fun little hobby project for a Saturday morning. It appears to be working well, I will be updating the project over time to introduce new features. I am very keen to develop new methods to generate 'user insights' and promote more awareness of information security in the general public.

Note: The app has been avaliable for quiet a while, I've just been slow to blog about it.