Have I Been Pwned

I recently had the pleasure of spending a few days in Switzerland, firstly in Geneva visiting (and speaking at [https://webcast.web.cern.ch/event/683/camera-slides]) CERN followed by a visit to the nation's capital, Bern. There I spent some time with a delegation of the National Cybersecurity Centre discussing the challenges they face and where HIBP can play a role. Continuing the march forward to provide governments with better access to their departments' data exposed in breaches [https://www....

Until this month, I'd never heard of People Data Labs (PDL). I'd certainly heard of the sector they operate in - "Data Enrichment" - but I'd never heard of the company itself. I've become more familiar with this sector over recent years due to the frequency with which it's been suffering data breaches that have ultimately landed in my inbox. For example, there's Dun & Bradstreet's NetProspex which leaked 33M records in 2017 [https://www.zdnet.com/article/millions-of-records-leaked-from-huge-corp...

Over the last couple of years, I've been increasingly providing governments with better access to their departments' data exposed in breaches [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/] by giving them free and unfettered API access to their domains. As I've been travelling around the world this year, I've been carving out time to spend with governments to better understand the infosec challenges they're facing and the r...

Over the last year and a bit I've been working to make more data in HIBP freely available to governments around the world [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/] that want to monitor their own exposure in data breaches. Like the rest of us, governments regularly rely on services that fall victim to attacks resulting in data being disclosed and just like the commercial organisations monitoring domains on HIBP, unders...

The very first feature I added to Have I Been Pwned after I launched it back in December 2013 was the public API [https://www.troyhunt.com/have-i-been-pwned-you-can-now-ask-api/]. My thinking at the time was that it would make the data more easily accessible to more people to go and do awesome things; build mobile clients, integrate into security tools and surface more information to more people to enable them to do positive and constructive things with the data. I highlighted 3 really important...

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era [https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/]. This wasn't so much an original work on my behalf as it was a consolidation of advice from the likes of NIST, the NCSC and Microsoft about how we should be doing authentication today. I love that piece because so much of it flies in the face of traditional thinking about passwords, for example: 1. Do...

Early last year, I announced that I was making HIBP data on government domains for the UK and Australia freely accessible to them via searches of their respective TLDs [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/] . The Spanish government followed a few months later [https://www.troyhunt.com/welcoming-the-spanish-government-to-have-i-been-pwned/] with each getting unbridled access to search their own domains via an authent...

Back in 2013, I was beginning to get the sense that data breaches were becoming a big thing. The prevalence of them seemed to be really ramping up as was the impact they were having on those of us that found ourselves in them, myself included. Increasingly, I was writing about what I thought was a pretty fascinating segment of the infosec industry; password reuse across Gawker and Twitter resulting in a breach of the former sending Acai berry spam via the latter [https://www.troyhunt.com/why-you...

A race to the bottom is a market condition in which there is a surplus of a commodity relative to the demand for it. Often the term is used to describe labour conditions (workers versus jobs), and in simple supply and demand terms, once there's so much of something all vying for the attention of those consuming it, the value of it plummets. On reflecting over the last 3 and a half weeks, this is where we seem to be with credential stuffing lists today and I want to use this blog post to explain...

Many people will land on this page after learning that their email address has appeared in a data breach I've called "Collection #1". Most of them won't have a tech background or be familiar with the concept of credential stuffing so I'm going to write this post for the masses and link out to more detailed material for those who want to go deeper. Let's start with the raw numbers because that's the headline, then I'll drill down into where it's from and what it's composed of. Collection #1 is a...