Troy Hunt

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals

Weekly Update 126

Another week, another conference. This time it was Microsoft Ignite in Sydney and as tends to happen at these events, many casual meetups, chats, beers, selfies, delivery of HIBP stickers and an all-round good time, albeit an exhausting one. That's why I'm a day late this week having finally arrived home late last night.Moving on though, I've got a bunch of other events coming up particularly in conjunctions with the folks at NDC. Brisbane in a couple of weeks, Gold Coast in April then Minnesota in May. Oh - plus Oslo in June and stretching out beyond that, Sydney in October. The link in the references below about how conferences can help keep speakers happy (or piss them off,...

The Race to the Bottom of Credential Stuffing Lists; Collections #2 Through #5 (and More)

A race to the bottom is a market condition in which there is a surplus of a commodity relative to the demand for it. Often the term is used to describe labour conditions (workers versus jobs), and in simple supply and demand terms, once there's so much of something all vying for the attention of those consuming it, the value of it plummets.On reflecting over the last 3 and a half weeks, this is where we seem to be with credential stuffing lists today and I want to use this blog post to explain the thinking whilst also addressing specific questions I've had regarding Collections #2 through #5.The 773 Million Record "Collection #1" Data BreachOn Thursday 17 Jan,...

Weekly Update 125

I'm back home! It was an amazing trip in many ways, not least of which was the time it gave both Scott and myself to reflect on workload and managing lives which can be a bit of a never-ending series of commitments. To that effect, I've been backing off Twitter a bit and as I say in this update, I very quickly remembered why after a couple of short engagements yesterday. But moving forward, it's Microsoft Ignite in Sydney next week and that should be a great event, plus I'm talking about Google's Password Checkup extension and the other credential stuffing list "collections" I keep getting asked about. On that last point, I explain my hesitation with them in the...

Weekly Update 124

I'm pumping this weekly update out a little bit later, pushing it just before I get on the plane back home to Australia. I've just wrapped up a week in London with Scott doing all things NDC including a couple of days of workshops and a couple of talks each. We discuss that, and how the UK seems to have an odd infatuation with doing anything that could even remotely be deemed a health and safety risk.On a more serious note, we talk about the emotional toll of the things we do, namely the never ending charging forward with projects like Report URI and HIBP, along with the training, conference talks and what seems like a never-ending pit of...

Weekly Update 123

So it's been a bit of a crazy week. I got onto the plane in Australia on Thursday evening just as Europe was waking up to the news of the 773M email address credential stuffing list I loaded into HIBP. And then the flood began; blog comments, emails, tweets - it was an absolute deluge. I spent the flight fielding the ones I could, landed in Oslo and dealt with more on the way up the mountain then frankly, got there and tuned out. Out of office on, blog comments closed and tweets ignored. This trip was planned downtime with my son and good friends and I really needed it.In this week's update, I talk about the coverage of...

Weekly Update 122

And then there was the biggest data breach to go into HIBP ever! I wrote that sentence from home just after publishing all the data, then I got on a plane...Holy cow that's a lot of emails! Hundreds upon hundreds of emails came in whilst on the way to Dubai, more than I'll ever be able to respond to. Plus, I'm actually trying to have some downtime with my son on this trip particularly over the next few days so a bunch of stuff is going to have to go unanswered or at best, delayed. Mind you, a heap of them were asking questions already addressed in the blog post, but that's just the nature of the internet.What...

The 773 Million Record "Collection #1" Data Breach

Many people will land on this page after learning that their email address has appeared in a data breach I've called "Collection #1". Most of them won't have a tech background or be familiar with the concept of credential stuffing so I'm going to write this post for the masses and link out to more detailed material for those who want to go deeper.Let's start with the raw numbers because that's the headline, then I'll drill down into where it's from and what it's composed of. Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It's made up of many different individual data breaches from literally thousands of different sources. (And yes,...

Weekly Update 121

Well, it's one more sunny weekly update then snow time again so I've gone particularly beachy today. I'm also particularly breachy, talking about a massive combo list I'm presently pondering for inclusion in HIBP. These lists are frequently used for account takeover attacks against the likes of Spotify which is the subject of this week's blog post. Plus, I'm talking a bit about a bunch of Ubiquiti bits I'll be installing soon to fix the problem seen below:Relevant to this week’s video I’m about to publish - my network cupboard shame 😫 pic.twitter.com/SOB9hq6uTH— Troy Hunt (@troyhunt) January 11, 2019 Oh - and I did end up heading out on the water with Kevin Mitnick,...

No, Spotify Wasn't Hacked

Time and time again, I get emails and DMs from people that effectively boil down to this:Hey, that paste that just appeared in Have I Been Pwned is from Spotify, looks like they've had a data breachMany years ago, I introduced the concept of pastes to HIBP and what they essentially boil down to is monitoring Pastebin and a bunch of other services for when a trove of email addresses is dumped online. Very often, those addresses are accompanied by other personal information such as passwords. When an HIBP subscriber's address appears in one of these incidents, they get an automated notification and often, it seems, they then reach out to me.Here's a perfect example of what I'm...

Weekly Update 120

And then it was 2019. Funny how quickly it gets away from you, someone just posted on my 2018 retrospective blog post this week and asked why I didn't include my congressional testimony and if I'm honest, it took me a bit to think about why as well (it was in 2017). But we're here now so it's back to business as usual blog wise.This week is dominated by the personal finance lessons blog post. This has gotten massive traction this week and has been read by tens of thousands of people. But perhaps what surprises me most is that out of all the feedback I've had, there's only been one negative comment. O-n-e. Frankly, I'm not even sure...