Have I Been Pwned

Following in the footsteps of many other national governments before them [https://www.troyhunt.com/tag/government/], I'm very happy to welcome the Canadian Centre for Cyber Security [https://cyber.gc.ca/en/] to Have I Been Pwned. The Canadian Centre for Cyber Security now has full and free access to query all Canadian federal government domains across both past and future breaches. Canada's inclusion in the service brings the total to 11 federal governments across North America, Europe and Aus...

Let me just cut straight to it: I'm going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it. Let me explain why and how. HIBP is a Community Project I've been giving a great deal of thought to how I want this project to evolve lately, especially in the wake of the M&A process that...

I love beer. This comes as no surprise to regular followers, nor should it come as a surprise that I maintain an Untappd [https://untappd.com/] account, logging my beer experiences as I (used to 😢) travel around the world partaking in local beverages. When I received an email from someone over that way who happened to be a happy Have I Been Pwned (HIBP) user and wanted some cyber-assistance, I was intrigued. You'll never believe what happened next... The tl;dr is that someone with a BeerAdvoca...

Nearly 7 years ago now, I started a little pet project to index data breaches and make them searchable [https://www.troyhunt.com/introducing-have-i-been-pwned/]. I called it "Have I Been Pwned" and I loaded in 154M breached records which to my mind, was rather sizeable. Time went by, the breaches continued and the numbers rose. A few years later in June 2016 on stage at NDC Oslo, I pushed HIBP through 1B records: > Whoa, we're there, past a billion! There was much applause which I countered wit...

Today, almost one year after the release of version 5 [https://www.troyhunt.com/pwned-passwords-version-5/], I'm happy to release the 6th version of Pwned Passwords. The data set has increased from 555,278,657 known compromised passwords to a grand total of 572,611,621, up 17,332,964‬ (just over 3%). As with previous releases, I've made the call to push the data now simply because there were enough new records to justify the overhead in doing so. Also as with previous releases, version 6 not on...

Pwned again. Damn. That's me who's pwned again because my personal data has just turned up in yet another incident from a source I can't attribute. Less than 3 weeks ago I wrote about The Unattributable "db8151dd" Data Breach [https://www.troyhunt.com/the-unattributable-db8151dd-data-breach/] which, after posting that blog post and a sample of my own data, the community quickly attributed to Covve [https://covve.com/]. My hope is that this blog post helps myself and the 69 million other people...

The situation in Minneapolis at the moment (and many other places in the US) following George Floyd's death [https://en.wikipedia.org/wiki/Death_of_George_Floyd] is, I think it's fair to say, extremely volatile. I wouldn't even know where to begin commentary on that, but what I do have a voice on is data breaches which prompted me to tweet this out earlier today: > I'm seeing a bunch of tweets along the lines of "Anonymous leaked the email addresses and passwords of the Minneapolis police" with...

I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It's about a data breach with almost 90GB of personal information in it across tens of millions of records - including mine. Here's what I know: Back in Feb, Dehashed [https://www.dehashed.com/]reached out to me with a massive trove of data that had been left exposed on a major cloud provider via a publicly accessible Elasticsearch instance. It contained 103,150,61...

Hot on the heels of onboarding the USA government to Have I Been Pwned last month [https://www.troyhunt.com/welcoming-the-usa-government-to-have-i-been-pwned/], I'm very happy to welcome another national government - Iceland! As of today, Iceland's National Computer Security Incident Response Team (CERT-IS [https://www.cert.is/]), now has access to the full gamut of their gov domains for both on-demand querying and ongoing monitoring. As with the USA and Iceland, I expect to continue onboarding...

Over the last 2 years I've been gradually welcoming various governments from around the world onto Have I Been Pwned (HIBP) so that they can have full and unfettered access to the list of email addresses on their domains impacted by data breaches. Today, I'm very happy to announce the expansion of this initiative to include the USA government by way of their US Cybersecurity and Infrastructure Security Agency (CISA). CISA now has the ability to query US government domains via API and receive not...