Content security policies [https://www.troyhunt.com/understanding-csp-the-video-tutorial-edition/] (CSPs) can be both a blessing and a curse. A blessing because they can do neat stuff like my recent piece on upgrading insecure requests [https://www.troyhunt.com/disqus-mixed-content-problem-and-fixing-it-with-a-csp/] yet a curse because they can also do screwy things like break your site [https://www.troyhunt.com/how-to-break-your-site-with-content/]. Now in fairness, the breaking bit linked to t...

I get a lot of requests from people for data from Have I been pwned [https://haveibeenpwned.com/] (HIBP) that they can analyse. Now obviously, there are a bunch of people up to no good requesting the data but equally, there are many others who just want to run statistics. Regardless, the answer has always been "no", I'm not going to redistribute data to you. In fact, the requests were happening so frequently that I even wrote the blog post No, I cannot share data breaches with you [https://www.t...

I'm used to seeing large amounts of personal data left inadvertently exposed to the web. Recently, the Red Cross Blood Service down here left a huge amount of data exposed [https://www.troyhunt.com/the-red-cross-blood-service-australias-largest-ever-leak-of-personal-data/] (well, at least the company doing their tech things did). Shortly afterwards, the global recruitment company Michael Page also lost a heap [https://www.troyhunt.com/the-capgemini-leak-of-michael-page-data-via-publicly-facing-...

A bit of a quieter week this time blog wise, but a very busy week in terms of HIBP traffic. It went pretty nuts on Tuesday with a spike the scale I'd never seen before which made things, well, "interesting". I also put the word out about an "ask me anything" live stream event I'm going to do early next week which should be a lot of fun. Oh - and the Indian pathology results exposed to the world - that's unfolding as I write this but the position from the lab exposing things like patient HIV resu...

Earlier today, Have I been pwned [https://haveibeenpwned.com/] (HIBP) appeared on a British TV show called The Martin Lewis Money Show [http://www.moneysavingexpert.com/]. A producer had contacted me about this last week: > I Just wanted to get in contact to let you know we're featuring 'have I been pwned?' on the programme next week (Monday 28 Nov, 8pm, ITV) saying it's a good way to check if your data has been compromised. I thought it best to let you know in case you need to put extra resour...

It's hard to believe it, but Sunday 4 December will mark 3 years since I launched Have I been pwned [https://www.troyhunt.com/introducing-have-i-been-pwned/]. A huge amount has happened in that time, not just for HIBP but for the industry and indeed for me personally. I certainly didn't expect it to become what it is, not in terms of the amount of data or the number of people visiting and subscribing and certainly not the media attention it's drawn from all over the world. That's posed some real...

This has been a mega week with a couple of pretty contentious blog posts which frankly, are the best kind! It gets so boring when everyone just nods and agrees... But seriously, the one on ad blockers in particular shows just what a mess we've gotten ourselves into and the "ban all the ads (or anything that has even a sniff of an ad)" proponents are a big part of the problem. I talk about it in detail in the video though so here it is, along with all the podcasts too: iTunes podcast [https://i...

If you're here reading this then it probably won't come as a big surprise but brace yourself anyway - we have a security problem. Yes, yes, I know, it's all very terrifying and not a day goes by where someone isn't getting cyber-something'd. As best I can tell from the news, it's pretty much all to do with guys in hoodies sitting at green screens pwning all our things. I'm quite sure that's the case, I even did a quick check on Google to confirm: I talk about these crazy hacker perceptions in...

One of the things I'm finding with running Have I been pwned [https://haveibeenpwned.com/] (HIBP) is that over time, my approach is changing. Nothing dramatic thus far, usually just what I'd call "organic" corrections in direction and usually in response to things I've learned, industry events or changes in the way people are using the service. For example, the Ashley Madison hack led to the concept of a sensitive breach [https://www.troyhunt.com/heres-how-im-going-to-handle-ashley/] which meant...

Last week I wrote about how 8 million GitHub profiles were leaked from GeekedIn's MongoDB [https://www.troyhunt.com/8-million-github-profiles-were-leaked-from-geekedins-mongodb-heres-how-to-see-yours/] which is always a risk when you expose a DB with no auth whatsoever! For any other website, this would be a typical data breach scenario in that info that was meant to remain private was made public. However, GeekedIn lost publicly accessible GitHub data so whilst yes, there was a breach, no, it...