@pipeworx/hibp

Connect: https://gateway.pipeworx.io/hibp/mcp · Install: one-click buttons

Tools: 6

Have I Been Pwned MCP — breach history + pwned passwords.

Tools

Free (no key):

• check_password(password) — k-anonymity check; password never leaves the worker.
• check_password_prefix(sha1_prefix) — k-anonymity by SHA-1 prefix.
• list_breaches(domain?) — all breaches.
• get_breach(name) — single breach.
• list_data_classes() — canonical data-class tags.

Paid (BYO key):

• check_account(account, truncate?) — breaches an email appears in. Requires a paid HIBP subscription key (https://haveibeenpwned.com/API/Key).

Data sources

• https://api.pwnedpasswords.com/range/{prefix} — no auth
• https://haveibeenpwned.com/api/v3/ — hibp-api-key header for account lookups

Tools

• check_password — Check whether a password appears in known breach corpora. Uses k-anonymity: the password is SHA-1ed locally, only the first 5 hex chars leave the worker, and the response is filtered to match the rest
• check_password_prefix — Direct k-anonymity lookup: pass the first 5 hex chars of a SHA-1 password hash, get back all SHA-1 suffixes with their pwned counts. Use this if you’re hashing client-side and only want to send the pr
• list_breaches — List all publicly-known data breaches catalogued by HIBP. Optionally filter to a specific domain (e.g., “linkedin.com”). Returns name, title, breach date, added date, affected accounts, description, d
• get_breach — Fetch a single breach by name (the “Name” field from list_breaches, e.g., “Adobe”, “LinkedIn”). Returns full breach metadata.
• list_data_classes — Canonical list of HIBP “data class” tags (e.g., “Email addresses”, “Passwords”, “Geographic locations”). Useful for filtering breaches.
• check_account — Look up breaches an email account has been seen in. REQUIRES a paid HIBP subscription key (pass _apiKey). Returns the set of breach names; combine with get_breach for details.