I just read through 1Password release notes [0], "Addressed a bug in the new popup where items were checked for vulnerable passwords even if you hadn't opted in to the Have I Been Pwned service." which also links to a KB article that talks about the security risks of HIBP [1]

I would be very concerned if my credentials are being shared in _any_ form with 3rd parties without my explicit permissions.

I hope this firefox feature is disabled by default.

[0] https://app-updates.agilebits.com/product_history/B5X [1] https://support.1password.com/kb/201907/

Disclaimer: I'm the Firefox sec engineer working on this feature.

Just to clear this up: The code for this is actually way simpler and sends no data to either Mozilla nor HIBP. To prevent Firefox from sending data update pings to HIBP, Firefox Monitor maintains a copy of publicly available HIBP breaches and their metadata [1] in the Firefox "Remote Settings" service. [2]

Using that data, Firefox simply checks for saved logins for breached sites where the saved password is older than the breach. [3]

[1] https://haveibeenpwned.com/api/v2/breaches [2] https://wiki.mozilla.org/Firefox/RemoteSettings [3] https://hg.mozilla.org/mozilla-central/file/6484c07ff8364991...

This explanation confused me, so let me rewrite it:

"Firefox downloads a list of breached domain names and the date they were breached, and merely checks if you have any stored logins on any breached domains that are older then the breach date."

Credentials are not shared under the hibp password system. the first five characters of the hex encoded md5 of the password is shared and the server responds with matching hashes. If 20 bits (2 and a half characters) of hashed entropy can compromise your password you have bigger problems.