A Have I Been Pwned MCP Server for Claude

Model Context Protocol (MCP) is a powerful framework that extends AI clients like Claude and now VSCode with GitHub Copilot Agents with custom capabilities. Think of MCPs as plugins that give AI assistants new abilities – they can interact with APIs, access specific data sources, or perform specialised tasks that aren’t part of their base functionality.

Why Build a HIBP MCP?

When learning new things, I like to build something that is relevant. The Have I Been Pwned (HIBP) service I’ve used before to check if email addresses or passwords have been compromised in data breaches. While HIBP has a nice front end (and a new one coming) I wanted to make this functionality more accessible through natural language interactions with Claude and natural language and learn how to write an MCP Server.

By creating an MCP server for HIBP, I can simply ask Claude questions like:

• “Has my test@email.com been in any data breaches?”
• “Tell me about the LinkedIn breach”
• “Is “winter2025″ a good password to use?”

And Claude with my Have I Been Pwned MCP can directly query the HIBP APIs to provide answers.

Demo

How it works

The HIBP MCP Server acts as a bridge between Claude and the HIBP API. It:

1. Receives natural language queries from Claude
2. Translates them into appropriate HIBP API calls
3. Handles rate limiting based on your subscription plan
4. Returns formatted responses that Claude can understand and explain

Using the HIBP MCP Server

Prerequisites

• Node.js v22.10.0 or higher
• A HIBP API key (get one here)
• Claude Desktop or another MCP-compatible client

Installation

The easiest way to use the HIBP MCP is through NPM. Configure your Claude Desktop by going to Settings => Developer => Edit Config and enter the following in your ..\Claude\claude_desktop_config.json file:

{
  "mcpServers": {
    "HIBP-MCP": {
      "command": "npx",
      "args": ["-y", "@darrenjrobinson/hibp-mcp"],
      "env": {
        "HIBP_API_KEY": "<your-hibp-api-key>",
        "HIBP_SUBSCRIPTION_PLAN": "Pwned 1"
      }
    }
  }
}

Usage Examples

Once configured, you can have natural conversations with Claude about data breaches:

You: Has test@example.com appeared in any data breaches?
Claude: Let me check that email address against the HIBP database…
You: What data was exposed in the Adobe breach?
Claude: I’ll look up the details of the Adobe breach…
You: Is my password ‘MySecurePass2024’ safe to use?
Claude: Let me check if this password has appeared in any known breaches…

Technical Details

The MCP Server provides three main tools:

1. HIBP-Breaches: Query breached accounts and general breach information
2. HIBP-Pastes: Check if email addresses appear in paste sites
3. HIBP-PwnedPasswords: Check if passwords have been exposed (using k-anonymity)

All API calls respect HIBP’s rate limits based on your subscription plan.

Security Considerations

• The MCP never stores API keys or credentials. API Key is in your local MCP Client configuration (e.g. Claude or VSCode)
• Passwords are hashed locally before checking against the HIBP API
• Only the first 5 characters of password hashes are sent to HIBP (k-anonymity)

Resource Links

• GitHub Repository
• NPM Package
• HIBP API Documentation

Contributing

This is an open-source project, and contributions are welcome. Whether it’s adding new features, improving documentation, or reporting bugs, check out the GitHub repository to get involved.