Have I Been Pwned

A 200-post collection

A data breach investigation blow-by-blow

Someone has just sent me a data breach. I could go and process the whole thing, attribute it to a source, load it into Have I been pwned [https://haveibeenpwned.com] (HIBP) then communicate the end result, but I thought it would be more interesting to readers if I took you through the whole process of verifying the legitimacy of the data and pinpointing the source. This is exactly the process I go through, unedited and at the time of writing, with a completely unknown outcome. Warning: This one...

The Ethereum forum was hacked and they've voluntarily submitted the data to Have I been pwned

The title says it all and the details are on their blog [https://blog.ethereum.org/2016/12/19/security-alert-12192016-ethereum-org-forums-database-compromised/] , but there's still a lot to talk about. Self-submission to HIBP is not a new thing (TruckersMP was the first back in April [https://www.troyhunt.com/100-data-breaches-later-have-i-been-pwned-gets-its-first-self-submission/] ), but it's extremely unusual as here you have an organisation saying "we got hacked, we'd now like you to make th...

Journey to an extended validation certificate

Trust is a really difficult thing to define. Think about it in the web security context - how do you "trust" a site? Many people would argue that trust decisions are made on the familiarity you have with the brand, you know, brands like LinkedIn, Dropbox, Adobe... who've all had really serious data breaches. Others will look for the padlock in the address bar and imply by its presence that the site is trustworthy... without realising that it makes no guarantees about the security profile of the...

How Chrome's buggy content security policy implementation cost me money

Content security policies [https://www.troyhunt.com/understanding-csp-the-video-tutorial-edition/] (CSPs) can be both a blessing and a curse. A blessing because they can do neat stuff like my recent piece on upgrading insecure requests [https://www.troyhunt.com/disqus-mixed-content-problem-and-fixing-it-with-a-csp/] yet a curse because they can also do screwy things like break your site [https://www.troyhunt.com/how-to-break-your-site-with-content/]. Now in fairness, the breaking bit linked to t...

Here's 1.4 billion records from Have I been pwned for you to analyse

I get a lot of requests from people for data from Have I been pwned [https://haveibeenpwned.com/] (HIBP) that they can analyse. Now obviously, there are a bunch of people up to no good requesting the data but equally, there are many others who just want to run statistics. Regardless, the answer has always been "no", I'm not going to redistribute data to you. In fact, the requests were happening so frequently that I even wrote the blog post No, I cannot share data breaches with you [https://www.t...

Brief lessons on handling huge traffic spikes

Earlier today, Have I been pwned [https://haveibeenpwned.com/] (HIBP) appeared on a British TV show called The Martin Lewis Money Show [http://www.moneysavingexpert.com/]. A producer had contacted me about this last week: > I just wanted to get in contact to let you know we're featuring 'have I been pwned?' on the programme next week (Monday 28 Nov, 8pm, ITV) saying it's a good way to check if your data has been compromised. I thought it best to let you know in case you need to put extra resour...

It's Have I been pwned's birthday and I'm doing a live streamed AMA

It's hard to believe it, but Sunday 4 December will mark 3 years since I launched Have I been pwned [https://www.troyhunt.com/introducing-have-i-been-pwned/]. A huge amount has happened in that time, not just for HIBP but for the industry and indeed for me personally. I certainly didn't expect it to become what it is, not in terms of the amount of data or the number of people visiting and subscribing and certainly not the media attention it's drawn from all over the world. That's posed some real...

Have I been pwned and spam lists of personal information

One of the things I'm finding with running Have I been pwned [https://haveibeenpwned.com/] (HIBP) is that over time, my approach is changing. Nothing dramatic thus far, usually just what I'd call "organic" corrections in direction and usually in response to things I've learned, industry events or changes in the way people are using the service. For example, the Ashley Madison hack led to the concept of a sensitive breach [https://www.troyhunt.com/heres-how-im-going-to-handle-ashley/] which meant...

8 million GitHub profiles were leaked from GeekedIn's MongoDB - here's how to see yours

Let me make it crystal clear in the opening paragraph: this incident is not about any sort of security vulnerability on GitHub's behalf, rather it relates to a trove of data from their site which was inappropriately scraped and then inadvertently exposed due to a vulnerability in another service. My data. Probably your data if you're in the software industry. Millions of people's data. On Saturday, a character in the data trading scene popped up and sent me a 594MB file called geekedin.net_mirr...

Data breach claims are often poorly researched, unsubstantiated and ultimately fake

I have multiple Yahoo data breaches. I have a Twitter data breach. I have Facebook data breaches. I know they are data breaches from those sources because people told me they are, ergo, they're data breaches. Except they're not - they're all fake. Problem is though, fake data breaches don't make for a very good headline nor do they give you something worth trading; for many people, it's not in their best interests to establish what's fake and what's not. Earlier this year I wrote about how I ve...