Breaches, “Have I been pwned?”, password reuse, 1Password and good deeds

I spend a lot of time on Have I been pwned (HIBP), both maintaining and building out the software with new features and, obviously, sourcing new breach data for it on a regular basis. I make it freely available to the community and, some time ago, at the suggestion of some of those who’d found it useful, I stood up a donations page. Whilst the service is cheap to run courtesy of Azure being pretty cost efficient, it’s the time commitment that really bites, so that’s what I focused the donations page on. Donations consist of things like a cup of coffee or a beer or things that allow me to spend time with my family. I get donations in ebbs and flows (i.e. there’s always more after a big data breach when heaps of people get notified), and occasionally I get a really nice message along with one, a message such as this:

Let me share the contents of that paste here:

I don't have a lot of spare money, but because of your site, I can keep what I have. I was just caught in the Linux Mint breach (as well as a few others I didn't know about) where my password is easily recoverable from the data. The same email and password (I know this is a terrible idea) were used on my PayPal account.

I'm sure that's a common story, but I just wanted to share the impact that this service is having. I'm a web developer, I know how hard it can be to keep something like this running, and I can't imagine the stress of knowing that people rely on you to let them know if their info is out there, so thank you.

More than the donation itself, what I really love about this is hearing firsthand how HIBP has made a positive impact on someone. Breaches like Linux Mint are actively sold and traded, and the contents within them are frequently used to exploit the innocent victims of the incident. I’ve written about these practices in the past and I’ve also written about how HIBP has been able to help erode the value of data breaches, and I’m enormously glad to see it having a positive impact in all these ways.

Anyway, a Twitter follower came up with a suggestion for the bloke who left me the message:

I thought that was a great idea and whilst I don’t have the power to give him freebies myself (I’ve paid full retail for every version of 1Password I’ve ever owned), I do know nice people over there, people nice enough to do this for him:

And that is all – he now has a great password manager! Just a good news story all round; I was very happy to see a positive difference made in a couple of little ways that just may have saved him from much bigger problems.


Hi, I'm Troy Hunt. I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals.