mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-03-02 22:57:18 -05:00
"Breach accounts found" but... nothing on the HIBP website #1240
Originally created by @jducaud on GitHub (Mar 19, 2022).
Subject of the issue
My Vaultwarden account email address is said by the Web Vault to be linked to a breach but it does not seem to be.
Deployment environment
Machine: Synology DS218+ (OS: DSM 6.2.4-25556 Update 5)
Docker image: vaultwarden/server 1.24.0 (latest: 6 weeks ago / 187MB) (Web Vault 2.25.1)
Client: Firefox 98.0.1 (64-bit) (connection to the Web Vault) on Microsoft Windows 10 21H2
Reverse proxy and version (on DSM): nginx 1.16.1
Steps to reproduce
1 - Log in to my Vaultwarden account on the Web Vault
2 - Go to "Tools > Reports > Data breach report"
3 - Press the "Check breaches" button
4 - The message "BREACHED ACCOUNTS FOUND" (uppercased and red) is displayed, asking for a manual check on the HIBP website
5 - Go to the HIBP website (just click on the hyperlink provided by the Web Vault)
6 - See that my email address has not been pwned
Expected behaviour
I have no subscription running at HIBP, so I do not have an API key. I would expect the Web Vault to remind me that I do not have an HIBP API key, but without warning me that I have been pwned (this supposed breach even has a date: August 18th 2019).
Actual behaviour
See above.
Troubleshooting data
Here are 2 relevant screenshots
Steps 1 to 4

Steps 5 to 6

@BlackDex commented on GitHub (Mar 19, 2022):
This is a feature.
Since you do not have a HIBP API-Key you normally would get an error message.
To make it a bit easier for people to check the mail address, we added a custom error message noting that the API-Key is not set and we have added a link to HIBP with the mail addresses provided.
Just read the message carefully, and you would see that it states "Manual HIBP Check" and that the Key is not set.