Nearly 7 years ago now, I started a little pet project to index data breaches and make them searchable. I called it "Have I Been Pwned" and I loaded in 154M breached records which to my mind, was rather sizeable. Time went by, the breaches continued and the numbers rose. A few years later in June 2016 on stage at NDC Oslo, I pushed HIBP through 1B records:
Whoa, we're there, past a billion!
There was much applause which I countered with "is it a joyous moment, because it's kinda sad as well?" But what's even sadder than 1B breached records is 10B breached records:
New data breach now loading into @haveibeenpwned that'll push it *well* over 10,000,000,000 records. Wow. Insane, never thought I'd be here doing this with those numbers. It's been a fun little project 🙂— Troy Hunt (@troyhunt) July 18, 2020
I fired that tweet off whilst loading the Wattpad breach without giving it much thought, but based on the likes it received, it seems to have resonated. On reflection, what really struck a chord with people is that despite the raw numbers, HIBP remains precisely what I concluded that tweet with - a fun little project. Something I enjoy running purely for the pleasure of creating a service that other people find useful. And that got me thinking a whole lot more about the purpose of HIBP.
Earlier this year, I wrote about how the M&A (merger and acquisition) process that consumed most of my 2019 and a substantial part of my sanity ultimately resulted in a "no-sale". Reaching the other side of that process - regardless of the outcome - was an enormous relief. The highly emotional, time and money sapping, single most stressful thing I had ever done in my professional life was done. I wrote about it publicly as soon as I could then got back to running the service as usual, not giving it much further thought until just now at this 10B milestone. Just as I said in that tweet, I created HIBP for fun and it was always intended to be a community-first initiative. As I opened with in this blog post, it was just a pet project:
A project, activity or goal pursued as a personal favourite, rather than because it is generally accepted as necessary or important.
By way of the M&A process, I was forced to redefine that, at least on paper. I found myself thinking less about SQLi and more about EBITDA; that's just not HIBP and it's not me either. The whole prospect of "value" was becoming this really wacky world where people were trying to put a price on something I did for the greater good and turn it into a tradable commodity. Zack Whittaker published a fantastic piece earlier this month on How Have I Been Pwned became the keeper of the internet’s biggest data breaches where he wrote the following:
Buyers were only interested in a deal that would tie Hunt to their brand for years, buying the exclusivity to his own recognition and future work — that’s where the value in Have I Been Pwned is.
It wasn't even HIBP that was the tradable commodity, it was me and that just didn't feel right. With the benefit of many months of clarity since that process, I can say one thing for sure: that's never going to happen - ever!
I love the relationships I have with so many of the various organisations I've worked with over the years, but I love the ability to choose them of my own free volition even more. I love that I can choose to work with these organisations be it related to HIBP or not and equally, I love that I can choose to sit on the beach and do nothing. I also love that there's so much community support for precisely this approach, especially around not putting a price on HIBP and shipping it off to a bidder somewhere on the other side of the world. If there was ever any doubt about the support for keeping HIBP as first and foremost, a community project, a quick read through the responses to my tweet about it remaining independent will dispel them. Now more than ever, suggestions such as open sourcing the whole thing make a lot of sense and that's something I'm seriously considering, along with working alongside non-profits who can prioritise the service, not the dollars.
And that, to me, is the essence of HIBP: community first. The ability for people to freely learn about their exposure in data breaches without concern about my motives or influences is the heart of this service. In turn, it's the support from the community that's made it possible in the first place whether that be all the expertise people have lent me over the years, the services organisations like Cloudflare have provided and indeed all the individuals who's sourced and contributed the data. You can't put a price on that and perhaps, in the end, that's what the failed M&A process proved. I can't think of a better outcome for my fun little project 😊