Is this (explained in body) a possible attack vector when using haveibeenpwned API?


I’m currently working on understanding and contemplating to implement password strength validation for sign ups in my app, to include checking haveibeenpwned if entered password is compromised elsewhere.

I understand the process involves the site sending a partial hash of the password to HIBP and HIBP will respond whether it’s pwned.

I am also assuming that it is possible that HIBP stores logs of my API request and that it may contain information leading back to my app.

If HIBP gets hacked, and attacker gains access to the above hypothetical logs, assuming that it contains all the information in the original request – the partial hash and where it came from (my site), can the attacker construct an attack on my site is this way?

  1. Hash the passwords in the list of pwned password and get a list of hashes
  2. Match the partial hash he has with those in the above list and derive a refined dictionary of N number of possible passwords with same partial hash
  3. Try the passwords on my site

I am aware at every point in the above, measures can be put in place to mitigate each, e.g. 2FA. But it is not my objective to ask for how to secure my sign up, but to validate my concerns with using HIBP and whether there’s an attack vector to be considered.

PS: I’m not a security expert but I do know how passwords and hashes work. As HIBP is new to me, I don’t fully know how it works and all the features of its API. Pardon me if I made wrong assumptions.