Have I Been Pwned

We're now going on almost 3 years since I introduced the Have I been pwned (HIBP) API [https://www.troyhunt.com/have-i-been-pwned-you-can-now-ask-api/]. In fact it was one of the first things I did after creating HIBP in the first place because I wanted to make the data as accessible as possible and create an ecosystem of third party apps. However, over time I've also had to deal with the API being used in ways I never intended. For example, I recently introduced the rate limit [https://www.tro...

I wrote recently about how Have I been pwned (HIBP) had an API rate limit introduced and then brought forward [https://www.troyhunt.com/content-images-2016-09-a-one-week-traffic-snapshot-1-png/] which was in part a response to large volumes of requests against the API. It was causing sudden ramp ups of traffic that Azure couldn't scale fast enough to meet and was also hitting my hip pocket as I paid for the underlying infrastructure to scale out in response. By limiting requests to one per every...

Three weeks ago today, I wrote about implementing a rate limit on the Have I been pwned (HIBP) API [https://www.troyhunt.com/the-have-i-been-pwned-api-rate-limiting-and-commercial-use/] and the original plan was to have it begin a week from today. I want to talk more about why the rate limit was required and why I've had to bring it forward to today. As I explained in the original post, there were multiple reasons for the rate limit including high volumes of API calls impacting system performan...

Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked [http://motherboard.vice.com/read/hackers-stole-over-60-million-dropbox-accounts] . Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records. Very shortly after, a supporter of Have I been pwned [https://haveibeenpwned.com] (HIBP) sent over the data which o...

It's almost 3 years ago now that I launched the Have I been pwned (HIBP) API [https://www.troyhunt.com/have-i-been-pwned-you-can-now-ask-api/] and made it free and unlimited. No dollars, no rate limits just query it at will and results not flagged as sensitive [https://haveibeenpwned.com/FAQs#SensitiveBreach] will be returned. Since then it's been called, well, I don't know how many times but at the least, it's well into the hundreds of millions if not billions. I've always been pretty clear on...

This question in the title of this post comes up after pretty much every data breach I load so I thought I'd answer it here once and for all then direct inquisitive Have I been pwned (HIBP) users when confusion ensues in the future. Let me outline a number of different root causes for the "why is my data on a site I never signed up to?" question. You forgot you signed up Let's start with the simplest explanation because it's often the correct one - you've simply forgotten you signed up. We leav...

Data breaches can be shady business. There's obviously the issue of sites being hacked in the first place which is not just shady, but downright illegal. Then there's the way this information is redistributed, the anonymous identities that deal with it and the various motives people have for bringing this data into the public eye. One of the constant challenges with the spread of data breaches is establishing what is indeed data hacked out of an organisation versus data from another source. We'...

Let me start with this headline [http://www.reuters.com/article/us-cyber-passwords-idUSKCN0XV1I6]: Other headlines went on to suggest that you need to change your password right now [http://www.iflscience.com/technology/millions-passwords-hotmail-gmail-and-yahoo-have-been-stolen] if you're using the likes of Hotmail or Gmail, among others. The strong implication across the stories I've read is that these mail providers have been hacked and now there's a mega-list of stolen accounts floating...

I certainly didn't expect it would go this far when I built Have I been pwned [https://haveibeenpwned.com/] (HIBP) a few years ago, but I've just loaded the 100th data breach into the system. This brings it to a grand total of 336,724,945 breached accounts that have been loaded in over the years, another figure I honestly didn't expect to see. But there's something a bit different about this 100th data breach - it was provided to me by the site that was breached themselves. It was self-submitte...

It’s now going on two and a half years since I launched Have I been pwned [https://haveibeenpwned.com/] (HIBP) and I’m continually amazed by how much has happened in that time. It started out with a “mere” 152M breached records and has now more than doubled in volume, I’ve added an API, notifications, domain searches, pastes and a heap of other things both visible to the public and behind the scenes. It’s also gone from a hobby project which I thought only a few curious technology people would v...