Have I Been Pwned

What if I told you... that you could run a website from behind Cloudflare and only have 385 daily requests miss their cache and go through to the origin service? No biggy, unless... that was out of a total of more than 166M requests in the same period: Yep, we just hit "five nines" of cache hit ratio on Pwned Passwords being 99.999%. Actually, it was 99.9998% but we're at the point now where that's just splitting hairs, let's talk about how we've managed to only have two requests in a million...

I found myself going down a previously unexplored rabbit hole recently, or more specifically, what I thought was "a" rabbit hole but in actual fact was an ever-expanding series of them that led me to what I refer to in the title of this post as "6 rabbits deep". It's a tale of firewalls, APIs and sifting through layers and layers of different services to sniff out the root cause of something that seemed very benign, but actually turned out to be highly impactful. Let's go find the rabbits! The...

I think I've pretty much captured it all in the title of this post but as of about a day ago, Pwned Passwords now has full parity between the SHA-1 hashes that have been there since day 1 and NTLM hashes. We always had both as a downloadable corpus but as of just over a year ago with the introduction of the FBI data feed, we stopped maintaining downloadable behemoths of data. A little later, we added the downloader to make it easy to pull down the latest and greatest complete data set directly...

It's fascinating to see how creative people can get with breached data. Of course there's all the nasty stuff (phishing, identity theft, spam), but there are also some amazingly positive uses for data illegally taken from someone else's system. When I first built Have I Been Pwned (HIBP), my mantra was to "do good things after bad things happen". And arguably, it has, largely by enabling individuals and organisations to learn of their own personal exposure in breaches. However, the use cases go...

If you find your name and home address posted online, how do you know where it came from? Let's assume there's no further context given, it's just your legitimate personal data and it also includes your phone number, email address... and over 400 other fields of data. Where on earth did it come from? Now, imagine it's not just your record, but it's 246 million records. Welcome to my world. This is a story about a massive corpus of data circulating widely within the hacking community and misattr...

A couple of weeks ago I wrote about some big changes afoot for Have I Been Pwned [https://www.troyhunt.com/expanding-and-enhancing-the-have-i-been-pwned-api/] (HIBP), namely the introduction of annual billing and new rate limits. Today, it's finally here! These are two of the most eagerly awaited, most requested features on HIBP's UserVoice [https://haveibeenpwned.uservoice.com/] so it's great to see them finally knocked off after years of waiting. In implementing all this, there are changes to...

I've been investing a heap of time into Have I Been Pwned (HIBP) lately, ranging from all the usual stuff (namely trawling through masses of data breaches) to all new stuff, in particular expanding and enhancing the public API [https://www.troyhunt.com/expanding-and-enhancing-the-have-i-been-pwned-api/]. The API is actually pretty simple: plug in an email address, get a result, and that's a very clearly documented process [https://haveibeenpwned.com/API/v3]. But where things get more nuanced is...

Just over 3 years ago now, I sat down at a makeshift desk (ok, so it was a kitchen table) in an Airbnb in Olso and built the authenticated API for Have I Been Pwned [https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/] (HIBP). As I explained at the time, the primary goal was to combat abuse of the service and by adding the need to supply a credit card, my theory was that the bad guys would be very reluctant to, well, be bad guys. The theory checked out, and now with the benefi...

Continuing the rollout of Have I Been Pwned (HIBP) to national governments around the world, today I'm very happy to welcome Poland to the service! The Polish CSIRT GOV is now the 34th onboard the service and has free and open access to APIs allowing them to query their government domains. Seeing the ongoing uptake of governments using HIBP to do useful things in the wake of data breaches is enormously fulfilling and I look forward to welcoming many more national CSIRTs in the future....

Four and a half years ago now, I rolled out version 2 of HIBP's Pwned Passwords [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/] that implemented a really cool k-anonymity model courtesy of the brains at Cloudflare. Later in 2018, I did the same thing with the email address search feature [https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/] used by Mozilla, 1Password and a handful of other paying subscribers. It works beautifully; it's ridi...