I spend a lot of time on Have I been pwned [https://haveibeenpwned.com/] (HIBP) which consists of both maintaining and building out the software with new features as well as obviously sourcing new data for it on a regular basis. I make it freely available to the community and some time ago at the suggestion of some of those who’d found it useful, I stood up a donations page [https://haveibeenpwned.com/Donate]. Whilst the service is cheap to run courtesy of Azure being pretty cost efficient, it’s...

Last month I was over in Norway doing training for ProgramUtvikling, [http://programutvikling.no/] the good folks who run the NDC conferences I've become so attached to. I was running my usual “Hack Yourself First” workshop [https://www.troyhunt.com/2016/02/more-europe-even-more-again-and-more.html] which is targeted at software developers who’d like to get up to speed on the things they should be doing to protect their apps against today’s online threats. Across the two days of training, I cov...

There are few more valuable skills for kids these days than knowing their way around technology. In fact, I’d argue that you could say the same for adults but particularly when you consider the skills that are going to be most valuable in the future for our children, understanding how the connected world functions is key. Their existence is fundamentally different to ours and if you were born in the 70’s like me (or even earlier), just think about how fundamentally different their education and...

There was a piece in the news the other day on how a high school teacher videod his sexual exploits then stored them on Dropbox, after which it was summarily compromised. The video was then posted to the school’s faculty page which obviously caused him enormous embarrassment then to top it off, the school fired him. This is a newsworthy story with regards to privacy and security and was worth sharing: > Probably don't put these in Dropbox: "Teacher’s sex tape stolen from hacked Dropbox, posted...

Some days, the news is dominated by a single security story and not just in the tech news either, but today the consumer news is all about Apple’s message to their customers [http://www.apple.com/customer-letter/]. I’ve been getting a heap of media requests and seeing some really interesting things said about the story so let me distill all the noise into the genuinely interesting things that are worth knowing. There are way more angles to this than initially meet the eye, and it’s a truly signi...

The other day, a hacker compromised someone’s email account. It was almost certainly a phishing attack, he probably just sent them over an email claiming to be from the victim’s organisation and then just, well, asked for their credentials. From there, the attacker wandered over to the web portal of the victim’s organisation and attempted to logon, which unfortunately for him didn’t work. No worries, they simply called up the helpdesk who kindly gave him access. So now he’s logged in to the vict...

I just spent almost a month in Europe and did an insane number of events: 7 workshops of 2 days each, 6 conference talks, video interviews, Pluralsight courses, media events, multiple user groups and amazingly, absolutely everything went perfectly to plan! Trips like that are both very intensive and very fulfilling and whilst 27 days was longer than I’d ideally like, I had a fantastic time in Europe so I’m coming back again – twice – in the coming months. I’ve give you the tl;dr version first t...

A few months ago, the Hong Kong based toy maker VTech allowed itself to be hacked [https://www.troyhunt.com/2015/11/when-children-are-breached-inside.html] and millions of accounts exposed including hundreds of thousands of kids complete with names, ages, genders, photos and their relationships to their parents replete with where they (and assumedly their children) could be located. I chose this term deliberately – “allowed itself to be hacked” – because that’s precisely what happened. In an era...

We tend to get very focused on digital security controls; firewalls, antivirus, software updates and then all the usual practices I spend so much time talking to developers about, stuff like defending against SQL injection, cross site scripting and a whole raft of other attacks against systems. But the bigger risk – and it’s one that doesn’t get near as much coverage – is attacks against humans. Whereas most of the time we’re thinking about attacks against the systems, we tend to neglect weaknes...

This weekend, I loaded five additional data breaches into Have I been pwned [https://haveibeenpwned.com/] (HIBP) that had come from various forums running on vBulletin. These came via supporters that had collected them from data breach traders over the years and some of them dated back quite some time. I always go to great lengths to validate that a breach is indeed legitimate and one of the ways I do that is to take a real good look at the passwords stored in the system and ensure that they do...