A Model Context Protocol (MCP) server for the Have I Been Pwned (HIBP) API that allows you to query breach data using natural language.
This MCP server provides tools to interact with the Have I Been Pwned API, allowing you to:
- Check if an email address has been in a data breach
- Get details about specific breaches
- Check if a password has been exposed in known data breaches
- Check if an email address appears in pastes
- Install Node.js (v22.10.0 or higher recommended)
- Get your HIBP API key from https://haveibeenpwned.com/API/Key
- Configure your MCP client (e.g., Claude Desktop ) with:
{
"mcpServers": {
"HIBP-MCP": {
"command": "npx",
"args": ["-y", "@darrenjrobinson/hibp-mcp"],
"env": {
"HIBP_API_KEY": "<your-hibp-api-key>",
"HIBP_SUBSCRIPTION_PLAN": "Pwned 1"
}
}
}
}- Clone this repository:
git clone https://github.com/darrenjrobinson/HIBP-MCP-Server.git- Install dependencies:
cd HIBP-MCP-Server
npm install- Build the project:
npm run build- Configure your MCP client with:
{
"mcpServers": {
"HIBP-MCP": {
"command": "node",
"args": ["path/to/hibp-mcp/build/main.js"],
"env": {
"HIBP_API_KEY": "<your-hibp-api-key>",
"HIBP_SUBSCRIPTION_PLAN": "Pwned 1"
}
}
}
}| Name | Description |
|---|---|
HIBP_API_KEY |
Your Have I Been Pwned API key |
HIBP_SUBSCRIPTION_PLAN |
Your HIBP API subscription plan (Pwned 1, Pwned 2, Pwned 3, Pwned 4, or Pwned 5) |
Once configured, you can ask Claude natural language questions about data breaches. Here are some examples:
- "Has email address test@example.com appeared in any data breaches?"
- "What breaches contain the email address test@example.com?"
- "Show me all breaches for test@example.com"
- "Tell me about the LinkedIn data breach"
- "What data was exposed in the Adobe breach?"
- "List all known data breaches"
- "Has the password 'Password123' been exposed in any breaches?"
- "Is my password 'MySecurePass2024' safe to use?"
- "Check if this password has been compromised: 'TestPass1234'"
- "Has test@example.com appeared in any pastes?"
- "Show me paste data for test@example.com"
Query breached accounts and breaches from the Have I Been Pwned API.
Parameters:
-
operation: The HIBP operation to perform (getAllBreachesForAccount, getAllBreachedSites, getBreachByName, getDataClasses) -
account: Email address to check for breaches (required for getAllBreachesForAccount) -
domain: Domain to filter breaches by (optional) -
name: Breach name to get details for (required for getBreachByName) -
includeUnverified: Whether to include unverified breaches (optional) -
truncateResponse: Whether to truncate the response (optional)
Query pastes containing account data from the Have I Been Pwned API.
Parameters:
-
account: Email address to check for pastes (required)
Check if a password has been exposed in data breaches using the Pwned Passwords API.
Parameters:
-
password: Password to check (will be hashed locally before sending and only the first 5 characters sent)
Passwords checked through the HIBP-PwnedPasswords tool are never sent in plain text. They are hashed locally using SHA-1, and only the first 5 characters of the hash are sent to the API using k-anonymity.
Contributions are welcome! Please feel free to submit a Pull Request.
MIT