Have I Been Pwned

Today, almost one year after the release of version 5 [https://www.troyhunt.com/pwned-passwords-version-5/], I'm happy to release the 6th version of Pwned Passwords. The data set has increased from 555,278,657 known compromised passwords to a grand total of 572,611,621, up 17,332,964‬ (just over 3%). As with previous releases, I've made the call to push the data now simply because there were enough new records to justify the overhead in doing so. Also as with previous releases, version 6 not on...

Pwned again. Damn. That's me who's pwned again because my personal data has just turned up in yet another incident from a source I can't attribute. Less than 3 weeks ago I wrote about The Unattributable "db8151dd" Data Breach [https://www.troyhunt.com/the-unattributable-db8151dd-data-breach/] which, after posting that blog post and a sample of my own data, the community quickly attributed to Covve [https://covve.com/]. My hope is that this blog post helps myself and the 69 million other people...

The situation in Minneapolis at the moment (and many other places in the US) following George Floyd's death [https://en.wikipedia.org/wiki/Death_of_George_Floyd] is, I think it's fair to say, extremely volatile. I wouldn't even know where to begin commentary on that, but what I do have a voice on is data breaches which prompted me to tweet this out earlier today: > I'm seeing a bunch of tweets along the lines of "Anonymous leaked the email addresses and passwords of the Minneapolis police" with...

I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It's about a data breach with almost 90GB of personal information in it across tens of millions of records - including mine. Here's what I know: Back in Feb, Dehashed [https://www.dehashed.com/]reached out to me with a massive trove of data that had been left exposed on a major cloud provider via a publicly accessible Elasticsearch instance. It contained 103,150,61...

Hot on the heels of onboarding the USA government to Have I Been Pwned last month [https://www.troyhunt.com/welcoming-the-usa-government-to-have-i-been-pwned/], I'm very happy to welcome another national government - Iceland! As of today, Iceland's National Computer Security Incident Response Team (CERT-IS [https://www.cert.is/]), now has access to the full gamut of their gov domains for both on-demand querying and ongoing monitoring. As with the USA and Iceland, I expect to continue onboarding...

Over the last 2 years I've been gradually welcoming various governments from around the world onto Have I Been Pwned (HIBP) so that they can have full and unfettered access to the list of email addresses on their domains impacted by data breaches. Today, I'm very happy to announce the expansion of this initiative to include the USA government by way of their US Cybersecurity and Infrastructure Security Agency (CISA). CISA now has the ability to query US government domains via API and receive not...

Subject: Data Breach of [your service] Hi, my name is Troy Hunt and I run the ethical data breach notification service known as Have I Been Pwned: https://haveibeenpwned.com People regularly send me data from compromised systems which are being traded amongst individuals who collect breaches. Recently, a collection of data allegedly taken from the [your service] was sent to me and I believe there’s a high likelihood your site was indeed hacked. The data consists of an extensive number of recor...

Since launching version 2 of Pwned Passwords with the k-anonymity model [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/] just over 2 years ago now, the thing has really gone nuts (read that blog post for background otherwise nothing from here on will make much sense). All sorts of organisations are employing the service to keep passwords from previous data breaches from being used again and subsequently, putting their customers at heightened risk. For example, this just a...

This is going to be a lengthy blog post so let me use this opening paragraph as a summary of where Project Svalbard is at [https://www.troyhunt.com/project-svalbard-the-future-of-have-i-been-pwned/]: Have I Been Pwned is no longer being sold and I will continue running it independently. After 11 months of a very intensive process culminating in many months of exclusivity with a party I believed would ultimately be the purchaser of the service, unexpected changes to their business model made the...

Back in 2016, I wrote a blog post about the Martin Lewis Money Show featuring HIBP [https://www.troyhunt.com/brief-lessons-on-handling-huge-traffic-spikes/] and how it drove an unprecedented spike of traffic to the service, ultimately knocking it offline for a brief period of time. They'd given me a heads up as apparently, that's what the program has a habit of doing: > I Just wanted to get in contact to let you know we're featuring 'have I been pwned?' on the programme next week (Monday 28 Nov...