Pretty much every day, I get a reminder from someone about how little people know about their exposure in data breaches. Often, it's after someone has searched Have I Been Pwned (HIBP) and found themselves pwned somewhere or other. Frequently, it's some long-forgotten site they haven't even thought about in years and also frequently, the first people know of these incidents is via HIBP: large @ticketfly data breach. thanks @troyhunt for the excellent @haveibeenpwned service that notifies users of #privacy disasters like this :) https://t.co/xgklY59sOU pic.twitter.com/jlqnKXteDG— Yale Privacy Lab (@YalePrivacyLab) June 4, 2018 Well, that's annoying: @TicketFly data breach attacker publicly posted my info (along w 26MM others). I at least know...

Last day away! As much as I enjoy travel, I love going home and I'm wrapping this post up whilst sitting at the airport in Oslo about to begin the epic journey that is travelling back to the other side of the world. It's been a great trip, but yeah, I like home 😎 This week, I'm recapping on some workshops, talking about how data breaches circulate, sharing some pretty epic Report URI stats and also covering last week's blog post on the Estonian government providing data to HIBP. Plus, just a little teaser for some big news coming next week, but I'll cover that in detail on Friday from the comfort of home. References The Estonian Central Criminal Police sent...

We're at NDC Oslo! We found a spot on the floor and recorded this a couple of hours before doing our final talk of the event. In this video, we discuss some of what we were planning to cover in that talk, namely HTTPS anti-vaxxers as Scott wrote about earlier in the week. And how did it go? Apparently, exceptionally well! Best talk of the conf! @troyhunt and @Scott_Helme on web security - dont get advise from a psychic 😆 #NDCOslo pic.twitter.com/X0m3Q5xFeq— Natalia An (@illumikko) June 15, 2018 Just left #NDCOslo after watching the best talk of the week with @troyhunt and @Scott_Helme pic.twitter.com/PNyNFMMI2V— Thomas Fredriksen (@thomfredev) June 15, 2018 Best...

Running Have I Been Pwned (HIBP) has presented some fascinating insights into all sorts of aspects of how data breaches affect us; the impact on the individual victims such as you and I, of course, but also how they affect the companies involved and increasingly, the role of government and law enforcement in dealing with these incidents. Last week I had an all new situation arise related to that last point and I want to explain it properly here so it makes sense if someone finds themselves in this data breach. I was contacted by the Cybercrime Bureau of the Estonian Central Criminal Police who were after some assistance notifying individuals impacted by a number of different breaches. They suspected...

Wow wow wow! What a week! This video is going out a couple of days late but if ever I had a good excuse for it, this week is the one. Scott and I are in Oslo this week having just flown in from London where we collectively scooped up 3 awards, one each at the European Blogger Awards and the big one (quite literally - the thing weights several kilos), the SC Award for Best Emerging Technology courtesy of Report URI. This is massive for us, and very, very unexpected too. We talk about why this week. Further to that, there's our experiences from the Infosec Europe conference, Scott's talk about nomx (sorry - "multi-award-winning UK blogger Scott...

I don't normally do back-to-back blog posts, but this was no normal week! I just posted about how I won the European Security Blogger Award Grand Prix Prize for the Best Overall Security Blog and per the title of this post, a couple of hours later Scott Helme and I backed it up with this at the SC Awards: To us! 🥂 #SCAwards2018 pic.twitter.com/Gv7hhzT9T2— Report URI (@reporturi) June 5, 2018 We were blown away - honestly stunned - and I think the look on Scott's face as he returned to the table with the award says it all: Frankly, the main reason we were shocked is that we were up against very stiff competition; incumbent players with...

I'm not sure how I found myself in a European award program, maybe it's like Australians in Eurovision? But somehow, I wiggled my way into The European Security Blogger Awards and before even having a chance to come down off the high that was last week's Award for Information Security Excellence at the AusCERT conference in Australia, this happened: @troyhunt hey mate, you just won the EU security blogger of the year. Congrats. I am at the event where they announced it.— Andy Newman (@netdogca) June 5, 2018 That was the first I knew of winning the award and it took me a few days to pick it up hence the delay in writing this post. But wow, it...

An exciting weekly update - I got an award! I did write about it earlier this morning, but I talk about it more in this week's update and explain why it means a lot. In other news, I'm heading back to Europe in a few days from now so am doing the last-minute rush tying up loose ends here, finishing presentations and just generally preparing myself for what will be another hectic few weeks. I also killed off the non-anonymous endpoints of Pwned Passwords today so it's k-anonymity all the way now. Plus, in this week's blog posts, the Spanish government comes on board HIBP and I write about some really cool large-scale use cases of Pwned Passwords. Oh -...

I've been at the AusCERT conference this week which has presented a rare opportunity to walk to a major event from my home rather than fly to the other side of the world. And what an awesome walk too, right on the turn into "winter", which means something quite different in this part of the world: Off to #AusCERT2018! It’s all blue outside today, what an awesome day for a short walk from home 😎 Catch me at the panel about data breaches at 13:20 today pic.twitter.com/x7plUhWkY4— Troy Hunt (@troyhunt) May 30, 2018 At the gala dinner last night, without any warning beforehand, I somehow walked away with this: .#AusCERT2018 Award for Information...

Back in August, I pushed out a service as part of Have I Been Pwned (HIBP) to help organisations block bad passwords from their online things. I called it "Pwned Passwords" and released 320M of them from real-world data breaches via both a downloadable file and an online service. This was in response to NIST's Digital Identity Guidelines and in particular, the following recommendation: When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to: Passwords obtained from previous breach corpuses. Seen a password in a data breach before? Then...