Have I Been Pwned

A 171-post collection

Data Breach Misattribution, Acxiom & Live Ramp

If you find your name and home address posted online, how do you know where it came from? Let's assume there's no further context given, it's just your legitimate personal data and it also includes your phone number, email address... and over 400 other fields of data. Where on earth did it come from? Now, imagine it's not just your record, but it's 246 million records. Welcome to my world. This is a story about a massive corpus of data circulating widely within the hacking community and misattr...

The Have I Been Pwned API Now Has Different Rate Limits and Annual Billing

A couple of weeks ago I wrote about some big changes afoot for Have I Been Pwned [https://www.troyhunt.com/expanding-and-enhancing-the-have-i-been-pwned-api/] (HIBP), namely the introduction of annual billing and new rate limits. Today, it's finally here! These are two of the most eagerly awaited, most requested features on HIBP's UserVoice [https://haveibeenpwned.uservoice.com/] so it's great to see them finally knocked off after years of waiting. In implementing all this, there are changes to...

Better Supporting the Have I Been Pwned API with Zendesk

I've been investing a heap of time into Have I Been Pwned (HIBP) lately, ranging from all the usual stuff (namely trawling through masses of data breaches) to all new stuff, in particular expanding and enhancing the public API [https://www.troyhunt.com/expanding-and-enhancing-the-have-i-been-pwned-api/]. The API is actually pretty simple: plug in an email address, get a result, and that's a very clearly documented process [https://haveibeenpwned.com/API/v3]. But where things get more nuanced is...

Big Changes are Afoot: Expanding and Enhancing the Have I Been Pwned API

Just over 3 years ago now, I sat down at a makeshift desk (ok, so it was a kitchen table) in an Airbnb in Oslo and built the authenticated API for Have I Been Pwned [https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/] (HIBP). As I explained at the time, the primary goal was to combat abuse of the service and by adding the need to supply a credit card, my theory was that the bad guys would be very reluctant to, well, be bad guys. The theory checked out, and now with the benefi...

Welcoming the Polish Government to Have I Been Pwned

Continuing the rollout of Have I Been Pwned (HIBP) to national governments around the world, today I'm very happy to welcome Poland to the service! The Polish CSIRT GOV is now the 34th onboard the service and has free and open access to APIs allowing them to query their government domains. Seeing the ongoing uptake of governments using HIBP to do useful things in the wake of data breaches is enormously fulfilling and I look forward to welcoming many more national CSIRTs in the future....

Understanding Have I Been Pwned's Use of SHA-1 and k-Anonymity

Four and a half years ago now, I rolled out version 2 of HIBP's Pwned Passwords [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/] that implemented a really cool k-anonymity model courtesy of the brains at Cloudflare. Later in 2018, I did the same thing with the email address search feature [https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/] used by Mozilla, 1Password and a handful of other paying subscribers. It works beautifully; it's ridi...

Breach Disclosure Blow-by-Blow: Here's Why It's so Hard

For many years now, I've lamented about how much of my time is spent attempting to disclose data breaches to impacted companies. It's by far the single most time-consuming activity in processing breaches for Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) and frankly, it's about the most thankless task I can imagine. Finding contact details is hard. Getting responses is hard. Not having an organisation just automatically assume you're trying to shake them down for cash is hard. So hard, i...

Welcoming the Bulgarian Government to Have I Been Pwned

Data breaches impact us all as individuals, companies and as governments. Over the last 4 years, I've been providing additional access to data breach information in Have I Been Pwned for government agencies responsible for protecting their citizens [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/]. The access is totally free and amounts to APIs designed to search and monitor government owned domains and TLDs. Today, I'm very...

Welcoming the Italian Government to Have I Been Pwned

For the last 4 years, I've been providing API-level access to national government agencies so that they can search and monitor their government domains on Have I Been Pwned [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/]. Today, I'm very happy to welcome the 29th government to join the service, Italy! Via CSIRT-Italia within their National Cybersecurity Agency (ACN), they now have free access to breach data I hope will furt...

Setting the Bar for Government Access to Have I Been Pwned

Over the last 4 years, I've onboarded 28 national government CERTs onto Have I Been Pwned [https://www.troyhunt.com/tag/government/] (HIBP) and given them free and open access to APIs that enable them to query and monitor their gov domains. This doesn't give them access to any information they can't already access via the free public domain search feature [https://haveibeenpwned.com/DomainSearch], but it makes their lives easier. Much easier. As interest from govs has grown, it's caused me to...