I certainly didn't expect it would go this far when I built Have I been pwned (HIBP) a few years ago, but I've just loaded the 100th data breach into the system. This brings it to a grand total of 336,724,945 breached accounts that have been loaded in over the years, another figure I honestly didn't expect to see.
But there's something a bit different about this 100th data breach - it was provided to me by the site that was breached themselves. It was self-submitted, if you like. Usually, a site is breached and the data floats around the web whilst the impacted organisation either has no clue what happened or they stonewall and avoid admitting the incident. Just yesterday I wrote If I Can Verify Data Breaches, so Can Those Who Are Breached where I chastised organisations such as the Philippines Electoral Committee and Naughty America for still not acknowledging breach authenticity weeks after the incident. As much as ethics are lacking when hackers break into these systems and put the people in there at risk, so too are they lacking in the organisations that refuse to admit the incident and focus on protecting their members.
Recently, I received an email that included this request:
I am an admin / dev of a gaming forum with ~ 80,000 accounts that had a db breach a few weeks back and we'd like to add our breach to the site listing.
Now as you can imagine, I often have what you might call "interesting" interactions with various people who pop up out of the blue and want to talk about data breaches, but it turns out that this one was precisely what it suggests at face value. The site is TruckersMP and it's a trucking simulator:
News of the breach was published on their website on Feb 25 at 19:39 which is 2 hours and 9 minutes after they first discovered the incident. That discovery was only 30 minutes after the incident took place. The succinct blog post explains what happens and then offers an apology, all within a few hours of the event.
I was curious though as to why they'd reach out and offer the data to HIBP. We had a bit of email to and fro (which included me verifying I was indeed chatting with an admin of the site and that the data they provided was legitimate) and they had this to say on why they provided me with the data:
We're decently security minded and feel a responsibility and duty to inform our users when such a breach happens. All of the members of the team agreed it'd be ok to be added to the list with the notion that we'd like to see other sites do the same as well; given the unfortunate chance.
For a while now, I've had a few ideas forming about how I can use HIBP in conjunction with breached organisations to better support those who have accounts compromised, but I honestly wasn't expecting this.
Perhaps I've just become a little cynical after seeing literally hundreds of "we take security seriously" statements from organisations which clearly didn't and to see a response like this where they're not trying to spin the story to their own advantage or misconstrue facts is heartening. If only those with nation state budgets or billion dollar revenues could act so responsibly.
There are now 83,957 TruckersMP accounts searchable on HIBP.