Remember when OPM got breached last year [https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach]? There was a lot of excitement in various parts of the world (namely the US) because here we had a government department (Office of Personnel Management), and they’d just lost 21.5 million records! These records included such sensitive data as names, dates of birth and addresses and by any reasonable measure, it was serious – that’s almost 7% of the country’s population! Yet some...

A little while back, I wrote about how Lenovo were sending me some things as part of their Insiders program [https://www.troyhunt.com/2016/02/kids-and-code-simple-programming-on.html] which meant getting to use a number of machines I probably wouldn’t have thought twice about otherwise. The Yoga 900 in that blog post, for example, is not something I would have normally considered for myself as I like a physically larger, gruntier machine yet it’s turned out to be one of the best laptops I’ve eve...

It’s now going on two and a half years since I launched Have I been pwned [https://haveibeenpwned.com/] (HIBP) and I’m continually amazed by how much has happened in that time. It started out with a “mere” 152M breached records and has now more than doubled in volume, I’ve added an API, notifications, domain searches, pastes and a heap of other things both visible to the public and behind the scenes. It’s also gone from a hobby project which I thought only a few curious technology people would v...

Each year since 2011, on April first (yeah, I know…), I’ve looked for one of these to land in my inbox and fortunately, this year didn’t disappoint: The MVP program has been an enormously fulfilling thing to be a part of these last five years. It’s been great for the connections I’ve made, the access to folks in Microsoft and the community engagements it’s lead to, particularly in my post-corporate life as an independent. Now yes, I’ve been misquoted as “Troy Hunt from Microsoft” many, many t...

I love this Google Play store review of the NissanConnect app which had such terrible security issues recently [https://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html]: > I may print and frame this: pic.twitter.com/P0hu7E08GQ [https://t.co/P0hu7E08GQ] — Troy Hunt (@troyhunt) March 17, 2016 [https://twitter.com/troyhunt/status/710604327186931712] I join a long line of stupid security folks who’ve messed things up for other people. Sometimes people have been unable to purc...

I’ve just launched my latest Pluralsight course titled Ethical Hacking, Denial of Service [https://app.pluralsight.com/library/courses/ethical-hacking-denial-service/table-of-contents] but before I explain what’s in it, let’s kick off with some trivia: DDoS attacks have increased massively in size in recent years: This is from Arbor Networks’ latest Worldwide Infrastructure Security Report [https://www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf] and that was current in October wh...

Cross site request forgery is one of those attacks which remains enormously effective yet is frequently misunderstood. I’ve been running a bunch of security workshops for web developers around the globe recently and this is one of the topics we cover that often results in blank stares when I first ask about it. It usually unfolds that the developers have multiple resources at risk of a CSRF attack and if it’s not a classic web form style resource, then it’s frequently an API somewhere (you’re pa...

Working on Have I been pwned [https://haveibeenpwned.com/] (HIBP), I come across a lot of interesting things. Interesting people dealing in data breaches, interesting vulnerabilities in systems which have been compromised and interesting requests from people wanting the data. In fact, I was getting so many requests for data I ended up writing No, I cannot share data breaches with you [https://www.troyhunt.com/2015/10/no-i-cannot-share-data-breaches-with-you.html] where I very explicitly laid out...

I get a lot of people popping up with data breaches for Have I been pwned [https://haveibeenpwned.com/] (HIBP). There’s an interesting story in that itself actually, one I must get around to writing in the future as folks come from all sorts of different backgrounds and offer up data they’ve come across in various locations. Recently someone sent me a list of various data breaches they’d obtained, including this one: > InstantCheckmate 2015 - 80M entries On the surface of it, that’s a phenom...

I actually thought that once I didn’t bother connecting a landline after moving house recently, it would be the end of scam calls. I used to get them all the time – the ones where they’d call up and say you had viruses on your PC – and my recordings of those turned out to be rather popular [https://www.youtube.com/watch?v=kjKjyMKj3n4]. But today I had another call, although this one went a bit differently. First off, I missed a call in the morning from a Sydney landline number which was 02 6064...