Have I Been Pwned

A 195-post collection

Random thoughts on the use of breach data for protection of accounts

Someone sent me an email today which essentially boiled down to this:

> Hey, Microsoft's Azure Active Directory alerted me to leaked credentials but won't give me any details so there's very little I can do about it

This is a really interesting scenario and it relates to the way Microsoft reports risk events [https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-risk-events#leaked-credentials], one of which is the discovery of leaked credentials that match those...

I just added another 140 data breaches to Have I been pwned

There's a seemingly endless flood of data breaches these days. Pretty much every day I get sent dumps from somewhere or other, usually websites I've never heard of and often dating back to compromises from years ago. They vary in size from thousands of accounts to many millions - and this is just the ones I've looked at. In short, there's way more data than I have time to process. Occasionally though, an incident floats to the top of the others which is what's happened over the last few days. T...

One million subscribers later, here's the state of Have I been pwned

I hit a bit of a milestone last week with HIBP which I thought deserved a little celebration:

> Sometime today, @haveibeenpwned [https://twitter.com/haveibeenpwned] broke through the 1M verified subscriber mark. Having a quiet champagne alone before flying home pic.twitter.com/whIss3OXeO [https://t.co/whIss3OXeO]
>
> — Troy Hunt (@troyhunt) February 2, 2017 [https://twitter.com/troyhunt/status/827214872119226368]

A million verified subscribers (that is they've received a welcome email and click...

Introducing "fabricated" data breaches to Have I been pwned

I've written before about how I verify data breaches [https://www.troyhunt.com/heres-how-i-verify-data-breaches/] and discussed it at length in various conference talks. I take verification very seriously because misattribution can have serious consequences on the company involved, those in the alleged breach and indeed, on myself as well. To give you a sense of how much effort can go into verification, last month I wrote about a data breach investigation blow by blow [https://www.troyhunt.com/a...

Thoughts on the LeakedSource take down

Yesterday, the website known as "LeakedSource" went offline. It's still early days and there's not yet an official word on exactly what happened, but the unfolding story seems to be as follows [http://www.zdnet.com/article/breach-site-leakedsource-raided-by-feds/]:

> Yeah you heard it here first. Sorry for all you kids who don't have all your own Databases. Leakedsource is down forever and won't be coming back. Owner raided early this morning. Wasn't arrested, but all SSD's got taken, and Leake...

A data breach investigation blow-by-blow

Someone has just sent me a data breach. I could go and process the whole thing, attribute it to a source, load it into Have I been pwned [https://haveibeenpwned.com] (HIBP) then communicate the end result, but I thought it would be more interesting to readers if I took you through the whole process of verifying the legitimacy of the data and pinpointing the source. This is exactly the process I go through, unedited and at the time of writing, with a completely unknown outcome. Warning: This one...

The Ethereum forum was hacked and they've voluntarily submitted the data to Have I been pwned

The title says it all and the details are on their blog [https://blog.ethereum.org/2016/12/19/security-alert-12192016-ethereum-org-forums-database-compromised/], but there's still a lot to talk about. Self-submission to HIBP is not a new thing (TruckersMP was the first back in April [https://www.troyhunt.com/100-data-breaches-later-have-i-been-pwned-gets-its-first-self-submission/]), but it's extremely unusual as here you have an organisation saying "we got hacked, we'd now like you to make th...

Journey to an extended validation certificate

Trust is a really difficult thing to define. Think about it in the web security context - how do you "trust" a site? Many people would argue that trust decisions are made on the familiarity you have with the brand, you know, brands like LinkedIn, Dropbox, Adobe... who've all had really serious data breaches. Others will look for the padlock in the address bar and imply by its presence that the site is trustworthy... without realising that it makes no guarantees about the security profile of the...

How Chrome's buggy content security policy implementation cost me money

Content security policies [https://www.troyhunt.com/understanding-csp-the-video-tutorial-edition/] (CSPs) can be both a blessing and a curse. A blessing because they can do neat stuff like my recent piece on upgrading insecure requests [https://www.troyhunt.com/disqus-mixed-content-problem-and-fixing-it-with-a-csp/] yet a curse because they can also do screwy things like break your site [https://www.troyhunt.com/how-to-break-your-site-with-content/]. Now in fairness, the breaking bit linked to t...

Here's 1.4 billion records from Have I been pwned for you to analyse

I get a lot of requests from people for data from Have I been pwned [https://haveibeenpwned.com/] (HIBP) that they can analyse. Now obviously, there are a bunch of people up to no good requesting the data but equally, there are many others who just want to run statistics. Regardless, the answer has always been "no", I'm not going to redistribute data to you. In fact, the requests were happening so frequently that I even wrote the blog post No, I cannot share data breaches with you [https://www.t...