Have I Been Pwned

In a continued bid to make breach data available to the government departments around the world tasked with protecting their citizens, I'm very happy to welcome the first country onto Have I Been Pwned [https://haveibeenpwned.com/] for 2020 - Denmark! The Danish Centre for Cyber Security [https://fe-ddis.dk/cfcs/Pages/cfcs.aspx] (CFCS) joins the existing 7 governments who have free and unbridled API access to query and monitor their gov domains. As the year progresses, I'll keep onboarding add...

When is data "public"? And what does "public" even mean? Does it mean it's merely visible to the public? Or does it mean the public can do anything they like with it? This discussion comes up time and time again as it did with the huge leak of PDL data only last month [https://www.troyhunt.com/data-enrichment-people-data-labs-and-another-622m-email-addresses/] . For the most part, the impacted data in this incident came from LinkedIn, a service where by design we (including myself) publish perso...

I recently had the pleasure of spending a few days in Switzerland, firstly in Geneva visiting (and speaking at [https://webcast.web.cern.ch/event/683/camera-slides]) CERN followed by a visit to the nation's capital, Bern. There I spent some time with a delegation of the National Cybersecurity Centre discussing the challenges they face and where HIBP can play a role. Continuing the march forward to provide governments with better access to their departments' data exposed in breaches [https://www....

Until this month, I'd never heard of People Data Labs (PDL). I'd certainly heard of the sector they operate in - "Data Enrichment" - but I'd never heard of the company itself. I've become more familiar with this sector over recent years due to the frequency with which it's been suffering data breaches that have ultimately landed in my inbox. For example, there's Dun & Bradstreet's NetProspex which leaked 33M records in 2017 [https://www.zdnet.com/article/millions-of-records-leaked-from-huge-corp...

Over the last couple of years, I've been increasingly providing governments with better access to their departments' data exposed in breaches [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/] by giving them free and unfettered API access to their domains. As I've been travelling around the world this year, I've been carving out time to spend with governments to better understand the infosec challenges they're facing and the r...

Over the last year and a bit I've been working to make more data in HIBP freely available to governments around the world [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/] that want to monitor their own exposure in data breaches. Like the rest of us, governments regularly rely on services that fall victim to attacks resulting in data being disclosed and just like the commercial organisations monitoring domains on HIBP, unders...

The very first feature I added to Have I Been Pwned after I launched it back in December 2013 was the public API [https://www.troyhunt.com/have-i-been-pwned-you-can-now-ask-api/]. My thinking at the time was that it would make the data more easily accessible to more people to go and do awesome things; build mobile clients, integrate into security tools and surface more information to more people to enable them to do positive and constructive things with the data. I highlighted 3 really important...

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era [https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/]. This wasn't so much an original work on my behalf as it was a consolidation of advice from the likes of NIST, the NCSC and Microsoft about how we should be doing authentication today. I love that piece because so much of it flies in the face of traditional thinking about passwords, for example: 1. Do...

Early last year, I announced that I was making HIBP data on government domains for the UK and Australia freely accessible to them via searches of their respective TLDs [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/] . The Spanish government followed a few months later [https://www.troyhunt.com/welcoming-the-spanish-government-to-have-i-been-pwned/] with each getting unbridled access to search their own domains via an authent...

Back in 2013, I was beginning to get the sense that data breaches were becoming a big thing. The prevalence of them seemed to be really ramping up as was the impact they were having on those of us that found ourselves in them, myself included. Increasingly, I was writing about what I thought was a pretty fascinating segment of the infosec industry; password reuse across Gawker and Twitter resulting in a breach of the former sending Acai berry spam via the latter [https://www.troyhunt.com/why-you...