Have I Been Pwned

A 197-post collection

Welcoming the Austrian Government to Have I Been Pwned

Early last year, I announced that I was making HIBP data on government domains for the UK and Australia freely accessible to them via searches of their respective TLDs [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/]. The Spanish government followed a few months later [https://www.troyhunt.com/welcoming-the-spanish-government-to-have-i-been-pwned/] with each getting unbridled access to search their own domains via an authent...

Project Svalbard: The Future of Have I Been Pwned

Back in 2013, I was beginning to get the sense that data breaches were becoming a big thing. The prevalence of them seemed to be really ramping up as was the impact they were having on those of us that found ourselves in them, myself included. Increasingly, I was writing about what I thought was a pretty fascinating segment of the infosec industry; password reuse across Gawker and Twitter resulting in a breach of the former sending Acai berry spam via the latter [https://www.troyhunt.com/why-you...

The Race to the Bottom of Credential Stuffing Lists; Collections #2 Through #5 (and More)

A race to the bottom is a market condition in which there is a surplus of a commodity relative to the demand for it. Often the term is used to describe labour conditions (workers versus jobs), and in simple supply and demand terms, once there's so much of something all vying for the attention of those consuming it, the value of it plummets. On reflecting over the last 3 and a half weeks, this is where we seem to be with credential stuffing lists today and I want to use this blog post to explain...

The 773 Million Record "Collection #1" Data Breach

Many people will land on this page after learning that their email address has appeared in a data breach I've called "Collection #1". Most of them won't have a tech background or be familiar with the concept of credential stuffing so I'm going to write this post for the masses and link out to more detailed material for those who want to go deeper. Let's start with the raw numbers because that's the headline, then I'll drill down into where it's from and what it's composed of. Collection #1 is a...

Have I Been Pwned - The Sticker

So today is Have I Been Pwned's [https://www.troyhunt.com/introducing-have-i-been-pwned/] (HIBP's) 5th birthday. I started this project out of equal parts community service and curiosity and then somehow, over the last 5 years it's grown into something massive; hundreds of thousands of unique sessions a day, millions of subscribers, working with governments around the world and even fronting up to testify in Congress. I'd love to say I had the foresight to see all this coming but I didn't. Not...

Breaking Azure Functions with Too Many Connections

For the most part, Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) runs very smoothly, especially given how cheaply I run many parts of the service for [https://www.troyhunt.com/serverless-to-the-max-doing-big-things-for-small-dollars-with-cloudflare-workers-and-azure-functions/]. Occasionally though, I screw up and get something wrong that interrupts the otherwise slick operation and results in some outage. Last weekend was one such occasion and I want to explain what I got wrong, how y...

The 42M Record kayo.moe Credential Stuffing Data

This is going to be a brief blog post but it's a necessary one because I can't load the data I'm about to publish into Have I Been Pwned [https://haveibeenpwned.com] (HIBP) without providing more context than what I can in a single short breach description. Here's the story: Kayo.moe [https://kayo.moe/] is a free, public, anonymous hosting service. The operator of the service (Kayo) reached out to me earlier this week and advised they'd noticed a collection of files uploaded to the site which a...

Serverless to the Max: Doing Big Things for Small Dollars with Cloudflare Workers and Azure Functions

As time has gone by, one of the things I've enjoyed the most in running Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) is seeing how far I could make the dollars stretch. How big can it go whilst at the same time, running it on a shoestring? I keep finding new ways of optimising cost and the two most significant contributions to that since launching almost 5 years ago have come via serverless technology provided by 2 of my favourite tech companies: Cloudflare and Microsoft. By way of (v...

Pwned Passwords, Now As NTLM Hashes!

I'm still pretty amazed at how much traction Pwned Passwords [https://haveibeenpwned.com/Passwords] has gotten this year. A few months ago, I wrote about Pwned Passwords in Practice [https://www.troyhunt.com/pwned-passwords-in-practice-real-world-examples-of-blocking-the-worst-passwords/] which demonstrates a whole heap of great use cases where they've been used in registration, password reset and login flows. Since that time, another big name has come on board too [https://blog.github.com/2018...

Seamless A/B Testing, Deployment Slots and DNS Rollover with Azure Functions and Cloudflare Workers

Two of my favourite developer things these days are Azure Functions [https://www.troyhunt.com/azure-functions-in-practice/] and Cloudflare Workers [https://scotthelme.co.uk/cloudflare-workers-report-uri/]. They're both "serverless" in that rather than running on your own slice of infrastructure, that concept is abstracted away and you get to focus on just code executions rather than the logical bounds of the server it runs on. So for example, when you have an Azure function and you deploy it und...