Mastodon

Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Weekly Update 398

How many different angles can you have on one data breach? Facial recognition (which probably isn't actual biometrics), gambling, offshore developers, unpaid bills, extortion, sloppy password practices and now, an arrest. On pondering it more after today's livestream, it's the unfathomable stupidity of publishing this data publicly that really strikes me. By all means, have contractual disputes, get lawyers involved and showdown in the courts if you need to, but take data in this fashion and chu...

Weekly Update 397

Banks. They screw us on interest rates, they screw us on fees and they screw us on passwords. Remember the old "bank grade security" adage? I took this saying to task almost a decade ago now but it seems that at least as far as password advice goes, they really haven't learned. This week, Commbank is telling people to use a password manager but just not for their bank password, and ANZ bank is forcing people to rotate their passwords once a year because, uh, hackers? Ah well, as I always end up...

Weekly Update 396

"More Data Breaches Than You Can Shake a Stick At". That seems like a reasonable summary and I suggest there are two main reasons for this observation. Firstly, there are simply loads of breaches happening and you know this already because, well, you read my stuff! Secondly, There are a couple of Twitter accounts in particular that are taking incidents that appear across a combination of a popular clear web hacking forum and various dark web ransomware websites and "raising them to the surface",...

Weekly Update 395

Data breach verification: that seems like a good place to start given the discussion in this week's video about Accor. Watch the vid for the whole thing but in summary, data allegedly taken from Accor was published to a popular hacking forum and the headlines inevitably followed. However, per that story: Cybernews couldn’t confirm the authenticity of the data. We reached out to Accor for clarification and are awaiting a response. I couldn't confirm the authenticity of the data either and I wro...

Weekly Update 394

I suggest, based on my experiences with data breaches over the years, that AT&T is about to have a very bad time of it. Class actions following data breaches have become all too common and I've written before about how much I despise them. The trouble for AT&T (in my non-legal but "hey, I'm the data breach guy" opinion), will be their denial of a breach in 2021 and the subsequent years in which tens of millions of social security numbers were floating around. As much as it's hard for the victim...

Weekly Update 393

A serious but not sombre intro this week: I mentioned at the start of the vid that I had the classic visor hat on as I'd had a mole removed from my forehead during the week, along with another on the back of my hand. Here in Australia, we have one of the highest rates of skin cancer in the world with apparently about two-thirds of us being diagnosed with it before turning 70. At present, the bits they cut off me were entirely unremarkable (small dot about an inch over my left eye if you're reall...

Weekly Update 392

Let's get straight to the controversial bit: email address validation. A penny-drop moment during this week's video was that the native browser address validator rejects many otherwise RFC compliant forms. As an example, I asked ChatGTP about the validity of the pipe symbol during the live stream and according to the AI, it's permissible "when properly quoted": "john|doe"@example.com Give that a go and see how far you get in an input of type "email". Mind you, that example allows a pipe wh...

Inside the Massive Alleged AT&T Data Breach

I hate having to use that word - "alleged" - because it's so inconclusive and I know it will leave people with many unanswered questions. (Edit: 12 days after publishing this blog post, it looks like the "alleged" caveat can be dropped, see the addition at the end of the post for more.) But sometimes, "alleged" is just where we need to begin and over the course of time, proper attribution is made and the dots are joined. We're here at "alleged" for two very simple reasons: one is that AT&T is sa...

Weekly Update 391

I'm in Japan! Without tripod, without mic and having almost completely forgotten to do this vid, simply because I'm enjoying being on holidays too much 😊 It was literally just last night at dinner the penny dropped - "don't I normally do something around now...?" The weeks leading up to this trip were especially chaotic and to be honest, I simply forgot all about work once we landed here. And when you see the pics in the thread below, you'll understand why: Tokyo time! 🍣 pic.twitter.com/dG0...

Welcoming the Liechtenstein Government to Have I Been Pwned

Over the last 6 years, we've been very happy to welcome dozens of national governments to have unhindered access to their domains in Have I Been Pwned, free from cost and manual verification barriers. Today, we're happy to welcome Liechtenstein's National Cyber Security Unit who now have full access to their government domains. We provide this support to governments to help those tasked with protecting their national interests understand more about the threats posed by data breaches, and we loo...