Sponsored by:

Have I been pwned?

A 80-post collection

Introducing 306 Million Freely Downloadable Pwned Passwords

Edit: The following day, I loaded another set of passwords which has brought this up to 320M. More on why later on. Last week I wrote about Passwords Evolved: Authentication Guidance for the Modern Era with the aim of helping those building services which require authentication to move into the modern era of how we think about protecting accounts. In that post, I talked about NIST's Digital Identity Guidelines which were recently released. Of particular interest to me was the section advising organisations to block subscribers from using passwords that have previously appeared in a data breach. Here's the full excerpt from the authentication & lifecycle management doc (CSP is "Credential Service Provider"): NIST isn't mincing words here,...

Pastes on Have I Been Pwned Are No Longer Publicly Listed

Over the weekend, a Have I Been Pwned (HIBP) subscriber contacted me after they found their Spotify credentials online. It turns out that this particular woman went searching for her specific password after finding "some guy listening to Mexican music from a foreign device on my acct". In the search results, she found a site hosted on Google's Blogger service with troves and troves of Spotify credentials, among others. Now I've seen a lot of lists of "hacked Spotify accounts" in the past and to date, they've always been collated as a result of credential stuffing as opposed to Spotify themselves having been breached. She pointed me to the site with the (obfuscated) content you see...

Here are all the reasons I don't make passwords available via Have I been pwned

Over the last few days, I've loaded more than 1 billion new records into Have I been pwned(HIBP). As I describe in that blog post, this data was from two very large "combo lists", that is email address and password pairs created by malicious parties in order to help them break into other accounts reusing those credentials. In all, I sent about 440k email notifications and saw hundreds of thousands of people come to HIBP and search for their data. From a personal security awareness perspective, loading the data has been enormously effective. But there's a question I got over and over again via every conceivable channel: How can I see the password on my record? I...

Password reuse, credential stuffing and another billion records in Have I been pwned

The short version: I'm loading over 1 billion breached accounts into HIBP. These are from 2 different "combo lists", collections of email addresses and passwords from all sorts of different locations. I've verified their accuracy (including my own record in one of them) and many hundreds of millions of the email addresses are not already in HIBP. Because of the nature of the data coming from different places, if you're in there then treat it as a reminder that your data is out there circulating around and that you need to go and get yourself a password manager and create strong, unique passwords. And before you ask for your password from the data, read about all the reasons...

Microsoft Flow + Azure Storage + WebJobs + MailChimp + Outlook

A few years back, I added a donations page to Have I been pwned (HIBP). Now as I explained at the time, I didn't particularly need them to cover my hard-cash outgoings because I run the thing on a shoestring, but as I explain on that page, it takes a massive amount of effort. If people want to fling me a coffee or some beers, that's just great and I appreciate it enormously. Problem is, it's hard to individually show that appreciation. Especially during a busy period, I can end up with a lot of coffee and I can't realistically reply to each and every person by email thanking them or I end up with exactly the problem I describe...

Random thoughts on the use of breach data for protection of accounts

Someone sent me an email today which essentially boiled down to this: Hey, Microsoft's Azure Active Directory alerted me to leaked credentials but won't give me any details so there's very little I can do about it This is a really interesting scenario and it relates to the way Microsoft reports risk events, one of which is the discovery of leaked credentials that match those within AD. In other words, they've identified that someone used the same email address and password in multiple places and they've let the administrator of this particular AD instance know. As you can imagine from my work with Have I been pwned (HIBP), I have many thoughts on the subject. Rather than keep them to...

I just added another 140 data breaches to Have I been pwned

There's a seemingly endless flood of data breaches these days. Pretty much every day I get sent dumps from somewhere or other, usually websites I've never heard of and often dating back to compromises from years ago. They vary in size from thousands of accounts to many millions - and this is just the ones I've looked at. In short, there's way more data than I have time to process. Occasionally though, an incident floats to the top of the others which is what's happened over the last few days. There was news just recently of a large number of vBulletin forums having been compromised by an actor known as "CrimeAgency" and the data consequently circulating. I had,...

One million subscribers later, here's the state of Have I been pwned

I hit a bit of a milestone last week with HIBP which I thought deserved a little celebration: Sometime today, @haveibeenpwned broke through the 1M verified subscriber mark. Having a quiet champagne alone before flying home 😀🍾 pic.twitter.com/whIss3OXeO— Troy Hunt (@troyhunt) February 2, 2017 A million verified subscribers (that is they've received a welcome email and clicked a link to confirm they actually want in), is a pretty major feat in my books, especially for a somewhat niche service. As I sat on the plane back home, I started to think about where the service now stood in terms of things like subscribers, the notifications it's sent and indeed who's using it for what purposes. I decided...

Introducing "fabricated" data breaches to Have I been pwned

I've written before about how I verify data breaches and discussed it at length in various conference talks. I take verification very seriously because misattribution can have serious consequences on the company involved, those in the alleged breach and indeed, on myself as well. To give you a sense of how much effort can go into verification, last month I wrote about a data breach investigation blow by blow where ultimately, I failed to verify the authenticity of the data. Due to the prevalence of legitimate data in there though, I still loaded it into HIBP and flagged it as "unverified", a concept I introduced in the middle of last year. The point of unverified data breaches is...

Thoughts on the LeakedSource take down

Yesterday, the website known as "LeakedSource" went offline. It's still early days and there's not yet an official word on exactly what happened, but the unfolding story seems to be as follows: Yeah you heard it here first. Sorry for all you kids who don't have all your own Databases. Leakedsource is down forever and won't be coming back. Owner raided early this morning. Wasn't arrested, but all SSD's got taken, and Leakedsource servers got subpoena'd and placed under federal investigation. If somehow he recovers from this and launches LS again, then I'll be wrong. But I am not wrong. Also, this is not a troll thread. LeakedSource provided sensitive personal information obtained from data breaches to anyone...