Sponsored by:

Have I been pwned?

A 78-post collection

Here are all the reasons I don't make passwords available via Have I been pwned

Over the last few days, I've loaded more than 1 billion new records into Have I been pwned(HIBP). As I describe in that blog post, this data was from two very large "combo lists", that is email address and password pairs created by malicious parties in order to help them break into other accounts reusing those credentials. In all, I sent about 440k email notifications and saw hundreds of thousands of people come to HIBP and search for their data. From a personal security awareness perspective, loading the data has been enormously effective. But there's a question I got over and over again via every conceivable channel: How can I see the password on my record? I want to...

Password reuse, credential stuffing and another billion records in Have I been pwned

The short version: I'm loading over 1 billion breached accounts into HIBP. These are from 2 different "combo lists", collections of email addresses and passwords from all sorts of different locations. I've verified their accuracy (including my own record in one of them) and many hundreds of millions of the email addresses are not already in HIBP. Because of the nature of the data coming from different places, if you're in there then treat it as a reminder that your data is out there circulating around and that you need to go and get yourself a password manager and create strong, unique passwords. And before you ask for your password from the data, read about all the reasons I don't...

Microsoft Flow + Azure Storage + WebJobs + MailChimp + Outlook

A few years back, I added a donations page to Have I been pwned (HIBP). Now as I explained at the time, I didn't particularly need them to cover my hard-cash outgoings because I run the thing on a shoestring, but as I explain on that page, it takes a massive amount of effort. If people want to fling me a coffee or some beers, that's just great and I appreciate it enormously. Problem is, it's hard to individually show that appreciation. Especially during a busy period, I can end up with a lot of coffee and I can't realistically reply to each and every person by email thanking them or I end up with exactly the problem I describe...

Random thoughts on the use of breach data for protection of accounts

Someone sent me an email today which essentially boiled down to this: Hey, Microsoft's Azure Active Directory alerted me to leaked credentials but won't give me any details so there's very little I can do about it This is a really interesting scenario and it relates to the way Microsoft reports risk events, one of which is the discovery of leaked credentials that match those within AD. In other words, they've identified that someone used the same email address and password in multiple places and they've let the administrator of this particular AD instance know. As you can imagine from my work with Have I been pwned (HIBP), I have many thoughts on the subject. Rather than keep them to...

I just added another 140 data breaches to Have I been pwned

There's a seemingly endless flood of data breaches these days. Pretty much every day I get sent dumps from somewhere or other, usually websites I've never heard of and often dating back to compromises from years ago. They vary in size from thousands of accounts to many millions - and this is just the ones I've looked at. In short, there's way more data than I have time to process. Occasionally though, an incident floats to the top of the others which is what's happened over the last few days. There was news just recently of a large number of vBulletin forums having been compromised by an actor known as "CrimeAgency" and the data consequently circulating. I had, in fact,...

One million subscribers later, here's the state of Have I been pwned

I hit a bit of a milestone last week with HIBP which I thought deserved a little celebration: Sometime today, @haveibeenpwned broke through the 1M verified subscriber mark. Having a quiet champagne alone before flying home 😀🍾 pic.twitter.com/whIss3OXeO— Troy Hunt (@troyhunt) February 2, 2017 A million verified subscribers (that is they've received a welcome email and clicked a link to confirm they actually want in), is a pretty major feat in my books, especially for a somewhat niche service. As I sat on the plane back home, I started to think about where the service now stood in terms of things like subscribers, the notifications it's sent and indeed who's using it for what purposes. I decided...

Introducing "fabricated" data breaches to Have I been pwned

I've written before about how I verify data breaches and discussed it at length in various conference talks. I take verification very seriously because misattribution can have serious consequences on the company involved, those in the alleged breach and indeed, on myself as well. To give you a sense of how much effort can go into verification, last month I wrote about a data breach investigation blow by blow where ultimately, I failed to verify the authenticity of the data. Due to the prevalence of legitimate data in there though, I still loaded it into HIBP and flagged it as "unverified", a concept I introduced in the middle of last year. The point of unverified data breaches is that they...

Thoughts on the LeakedSource take down

Yesterday, the website known as "LeakedSource" went offline. It's still early days and there's not yet an official word on exactly what happened, but the unfolding story seems to be as follows: Yeah you heard it here first. Sorry for all you kids who don't have all your own Databases. Leakedsource is down forever and won't be coming back. Owner raided early this morning. Wasn't arrested, but all SSD's got taken, and Leakedsource servers got subpoena'd and placed under federal investigation. If somehow he recovers from this and launches LS again, then I'll be wrong. But I am not wrong. Also, this is not a troll thread. LeakedSource provided sensitive personal information obtained from data breaches to anyone willing to...

A data breach investigation blow-by-blow

Someone has just sent me a data breach. I could go and process the whole thing, attribute it to a source, load it into Have I been pwned (HIBP) then communicate the end result, but I thought it would be more interesting to readers if I took you through the whole process of verifying the legitimacy of the data and pinpointing the source. This is exactly the process I go through, unedited and at the time of writing, with a completely unknown outcome. Warning: This one is allegedly an adult website and you're going to see terms and concepts related to exactly the sort of thing you'd expect from a site like that. I'm not going to censor words or...

The Ethereum forum was hacked and they've voluntarily submitted the data to Have I been pwned

The title says it all and the details are on their blog, but there's still a lot to talk about. Self-submission to HIBP is not a new thing (TruckersMP was the first back in April), but it's extremely unusual as here you have an organisation saying "we got hacked, we'd now like you to make that data searchable". This is in an era when most organisations are doing their utmost to downplay the significance of an event like this too. This incident comes at a time when I'm writing up a fairly heft blog post on how organisations should communicate in the wake of a data breach. There's a lot of examples in there from previous incidents - mostly around...