Have I Been Pwned

Subject: Data Breach of [your service] Hi, my name is Troy Hunt and I run the ethical data breach notification service known as Have I Been Pwned: https://haveibeenpwned.com People regularly send me data from compromised systems which are being traded amongst individuals who collect breaches. Recently, a collection of data allegedly taken from the [your service] was sent to me and I believe there’s a high likelihood your site was indeed hacked. The data consists of an extensive number of recor...

Since launching version 2 of Pwned Passwords with the k-anonymity model [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/] just over 2 years ago now, the thing has really gone nuts (read that blog post for background otherwise nothing from here on will make much sense). All sorts of organisations are employing the service to keep passwords from previous data breaches from being used again and subsequently, putting their customers at heightened risk. For example, this just a...

This is going to be a lengthy blog post so let me use this opening paragraph as a summary of where Project Svalbard is at [https://www.troyhunt.com/project-svalbard-the-future-of-have-i-been-pwned/]: Have I Been Pwned is no longer being sold and I will continue running it independently. After 11 months of a very intensive process culminating in many months of exclusivity with a party I believed would ultimately be the purchaser of the service, unexpected changes to their business model made the...

Back in 2016, I wrote a blog post about the Martin Lewis Money Show featuring HIBP [https://www.troyhunt.com/brief-lessons-on-handling-huge-traffic-spikes/] and how it drove an unprecedented spike of traffic to the service, ultimately knocking it offline for a brief period of time. They'd given me a heads up as apparently, that's what the program has a habit of doing: > I Just wanted to get in contact to let you know we're featuring 'have I been pwned?' on the programme next week (Monday 28 Nov...

I don't know exactly why the recent uptick, but lately I've had a bunch of people ask me if I've tried the Brave web browser [https://brave.com/tro914]. Why they'd ask me that is much more obvious: Brave is a privacy-focused browser that nukes ads and trackers. It also has some cool built-in stuff like the ability to create a new private browsing window in Tor rather than just your classic incognito window that might ditch all your cookies and browsing history but still connect to the internet...

In a continued bid to make breach data available to the government departments around the world tasked with protecting their citizens, I'm very happy to welcome the first country onto Have I Been Pwned [https://haveibeenpwned.com/] for 2020 - Denmark! The Danish Centre for Cyber Security [https://fe-ddis.dk/cfcs/Pages/cfcs.aspx] (CFCS) joins the existing 7 governments who have free and unbridled API access to query and monitor their gov domains. As the year progresses, I'll keep onboarding add...

When is data "public"? And what does "public" even mean? Does it mean it's merely visible to the public? Or does it mean the public can do anything they like with it? This discussion comes up time and time again as it did with the huge leak of PDL data only last month [https://www.troyhunt.com/data-enrichment-people-data-labs-and-another-622m-email-addresses/] . For the most part, the impacted data in this incident came from LinkedIn, a service where by design we (including myself) publish perso...

I recently had the pleasure of spending a few days in Switzerland, firstly in Geneva visiting (and speaking at [https://webcast.web.cern.ch/event/683/camera-slides]) CERN followed by a visit to the nation's capital, Bern. There I spent some time with a delegation of the National Cybersecurity Centre discussing the challenges they face and where HIBP can play a role. Continuing the march forward to provide governments with better access to their departments' data exposed in breaches [https://www....

Until this month, I'd never heard of People Data Labs (PDL). I'd certainly heard of the sector they operate in - "Data Enrichment" - but I'd never heard of the company itself. I've become more familiar with this sector over recent years due to the frequency with which it's been suffering data breaches that have ultimately landed in my inbox. For example, there's Dun & Bradstreet's NetProspex which leaked 33M records in 2017 [https://www.zdnet.com/article/millions-of-records-leaked-from-huge-corp...

Over the last couple of years, I've been increasingly providing governments with better access to their departments' data exposed in breaches [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/] by giving them free and unfettered API access to their domains. As I've been travelling around the world this year, I've been carving out time to spend with governments to better understand the infosec challenges they're facing and the r...