Mastodon

Have I Been Pwned

A 197-post collection

The Dropbox hack is real

Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked [http://motherboard.vice.com/read/hackers-stole-over-60-million-dropbox-accounts] . Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records. Very shortly after, a supporter of Have I been pwned [https://haveibeenpwned.com] (HIBP) sent over the data which o...

The "Have I been pwned" API, rate limiting and commercial use

It's almost 3 years ago now that I launched the Have I been pwned (HIBP) API [https://www.troyhunt.com/have-i-been-pwned-you-can-now-ask-api/] and made it free and unlimited. No dollars, no rate limits just query it at will and results not flagged as sensitive [https://haveibeenpwned.com/FAQs#SensitiveBreach] will be returned. Since then it's been called, well, I don't know how many times but at the least, it's well into the hundreds of millions if not billions. I've always been pretty clear on...

Why am I in a data breach for a site I never signed up to?

This question in the title of this post comes up after pretty much every data breach I load so I thought I'd answer it here once and for all then direct inquisitive Have I been pwned (HIBP) users when confusion ensues in the future. Let me outline a number of different root causes for the "why is my data on a site I never signed up to?" question. You forgot you signed up Let's start with the simplest explanation because it's often the correct one - you've simply forgotten you signed up. We leav...

Introducing unverified breaches to Have I been pwned

Data breaches can be shady business. There's obviously the issue of sites being hacked in the first place which is not just shady, but downright illegal. Then there's the way this information is redistributed, the anonymous identities that deal with it and the various motives people have for bringing this data into the public eye. One of the constant challenges with the spread of data breaches is establishing what is indeed data hacked out of an organisation versus data from another source. We'...

Here's how I verify data breaches

Let me start with this headline [http://www.reuters.com/article/us-cyber-passwords-idUSKCN0XV1I6]: Other headlines went on to suggest that you need to change your password right now [http://www.iflscience.com/technology/millions-passwords-hotmail-gmail-and-yahoo-have-been-stolen] if you're using the likes of Hotmail or Gmail, among others. The strong implication across the stories I've read is that these mail providers have been hacked and now there's a mega-list of stolen accounts floating...

100 data breaches later, Have I been pwned gets its first self-submission

I certainly didn't expect it would go this far when I built Have I been pwned [https://haveibeenpwned.com/] (HIBP) a few years ago, but I've just loaded the 100th data breach into the system. This brings it to a grand total of 336,724,945 breached accounts that have been loaded in over the years, another figure I honestly didn't expect to see. But there's something a bit different about this 100th data breach - it was provided to me by the site that was breached themselves. It was self-submitte...

Have I been pwned, opting out, VTech and general privacy things

It’s now going on two and a half years since I launched Have I been pwned [https://haveibeenpwned.com/] (HIBP) and I’m continually amazed by how much has happened in that time. It started out with a “mere” 152M breached records and has now more than doubled in volume, I’ve added an API, notifications, domain searches, pastes and a heap of other things both visible to the public and behind the scenes. It’s also gone from a hobby project which I thought only a few curious technology people would v...

Request for feedback: Organisations using “Have I been pwned” data

Working on Have I been pwned [https://haveibeenpwned.com/] (HIBP), I come across a lot of interesting things. Interesting people dealing in data breaches, interesting vulnerabilities in systems which have been compromised and interesting requests from people wanting the data. In fact, I was getting so many requests for data I ended up writing No, I cannot share data breaches with you [https://www.troyhunt.com/2015/10/no-i-cannot-share-data-breaches-with-you.html] where I very explicitly laid out...

How your data is collected and commoditised via “free” online services

I get a lot of people popping up with data breaches for Have I been pwned [https://haveibeenpwned.com/] (HIBP). There’s an interesting story in that itself actually, one I must get around to writing in the future as folks come from all sorts of different backgrounds and offer up data they’ve come across in various locations. Recently someone sent me a list of various data breaches they’d obtained, including this one: > InstantCheckmate 2015 - 80M entries On the surface of it, that’s a phenom...

Breaches, “Have I been pwned?”, password reuse, 1Password and good deeds

I spend a lot of time on Have I been pwned [https://haveibeenpwned.com/] (HIBP) which consists of both maintaining and building out the software with new features as well as obviously sourcing new data for it on a regular basis. I make it freely available to the community and some time ago at the suggestion of some of those who’d found it useful, I stood up a donations page [https://haveibeenpwned.com/Donate]. Whilst the service is cheap to run courtesy of Azure being pretty cost efficient, it’s...