Mastodon

Have your customers been pwned? Would you like to know?

For the past year and a bit I’ve been building out features on Have I been pwned? (HIBP) in response to things I think would be awesome and things I’m asked for. I’m constantly surprised at the ways people have found to use the data for good, which is a nice twist given that the data normally comes from very unpleasant circumstances. For some ideas on how the data has been used, have a look at the API consumers page: various mobile apps, security tools, an IFTTT recipe and even a browser plugin. All of these plug into the existing freely available API, the one with nothing to get in the way such as auth or rate limits or anything else that poses a barrier to just getting in there and using it, like money! It’s open and it’s free.

But there’s much more been going on to make this data more useful to people that can do good things with it. Almost a year ago to the day, I released the domain search feature which allows anyone to verify their ownership of a domain and then be notified when anyone with an email on that domain is pwned. It’s been great for people who manage their own domains (i.e. they create multiple emails @myname.com) and also for organisations that want to get alerts when their staff get pwned which is particularly useful given the potential for subsequent phishing attacks and direct impact to the organisation. There have been thousands of domain notifications already sent for both breaches and pastes that have impacted domains ranging from those managed by individuals for their family members right up to a number of Fortune 100 orgs with 100,000+ staff. It’s all working rather nicely :)

But there’s another really interesting use case for the service and that’s supporting people with dozens or even hundreds of domains they want to monitor. This is not something that’s really feasible to setup one by one; the existing verification process is fine for a few, but it’s not only laborious for large numbers, sometimes it’s not even possible. To that effect, over the last year I’ve had a number of people come to me and ask for a bulk load of domains. For example, a major bank who has assets spread out across many brands with unique domains. A telco who provides email services across dozens of domains. A financial services company that offers products under different names. And a really interesting one I can actually share with you publicly: XCentral.

XCentral is an IT shop that has a bunch of offerings around infrastructure, software and consultation services. As such, they have a bunch of customers they support and help to make their businesses successful when it comes to their IT bits. Phil Patelis, their Managing Director, reached out to me recently with the scenario described above – he had a heap of domains he wanted to monitor and manually verifying them all wasn’t practical. As with the other organisations described earlier, I loaded them all in directly and they’re now getting notifications flow through when accounts on those domains appear in a breach or a paste. What I found most interesting though was the way they’re then handling that data and Phil’s described it today in a blog post on their site, Pastes, Email Breaches & Have I Been Pwned?

XCentral are receiving notifications via a support email address which then raises a ticket in their internal issue management system. When that occurs, they can then assess the nature of the breach or paste, the extent of the impact to the customer and then deal with it appropriately. This approach is a little unique as against the others described earlier as rather than using it to monitor their own organisation, it’s a value-add service to customers. It comes at a good time too, IMHO: we all know the frequency and extent to which breaches are occurring these days and let’s face it, most organisations are not particularly well-equipped to deal with them whether that be recognising indicators of compromise, responding to incidents or simply understanding the risks associated with staff having accounts breached. This service gives XCentral the ability to know about incidents impacting their customers less than a minute after a breach appears on Pastebin and usually within hours of a major incident such as the Forbes breach when over a million accounts were exposed.

Which brings me to the question in the title of this post – would you like to know if your customers have been pwned? Behind the scenes, I’ve been building out a heap of features to better support organisations wanting to gain access to a rapidly increasingly repository of breach data. There are some big pieces underway at the moment that I’ll talk about later (and some equally big use cases I should be able to share) and I’m really interested in helping orgs get access to the data if they can then in turn provide value to the individuals who are impacted by these breaches.

Phil mentioned it in his blog post but I’ll reiterate it here too – this is not a paid service, it’s free. Whilst the overhead on me is manageable and the infrastructure costs low, that’s how it’ll stay. In fact I’m kind of curious just how far I can grow it on Microsoft’s Azure platform without it exceeding my coffee budget! That said, I do still have the donations page and the contributions individuals and organisations alike have made are very appreciated and they go a long way demonstrating that this is a valuable service that deserves an ongoing investment in time and coffee money :)

If you’re interested in using HIBP in the ways described above, email me. I do want to ensure the right organisations are using the data for the right reasons so feel free to ping me and let me know how you think the service can be of use.

Security Have I Been Pwned
Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals