Have I Been Pwned

A 126-post collection

Pwned Passwords, Version 6

Today, almost one year after the release of version 5, I'm happy to release the 6th version of Pwned Passwords. The data set has increased from 555,278,657 known compromised passwords to a grand total of 572,611,621, up 17,332,964‬ (just over 3%). As with previous releases, I've made the call to push the data now simply because there were enough new records to justify the overhead in doing so. Also as with previous releases, version 6 not only introduces a heap of new records but also updates the prevalence count on the existing ones. For example, the old favourite "P@55w0rd" has gone from 2,929 occurrences to 3,069 so still a terrible password,...

The Unattributable "Lead Hunter" Data Breach

Pwned again. Damn. That's me who's pwned again because my personal data has just turned up in yet another incident from a source I can't attribute. Less than 3 weeks ago I wrote about The Unattributable "db8151dd" Data Breach which, after posting that blog post and a sample of my own data, the community quickly attributed to Covve. My hope is that this blog post helps myself and the 69 million other people in this one work out who collected and then exposed their personal information. So, data first, here's what they have on me: Similar deal to last time in that it was an exposed Elasticsearch instance and it was sent over to me by Dehashed. Turns out it's...

Analysing the (Alleged) Minneapolis Police Department "Hack"

The situation in Minneapolis at the moment (and many other places in the US) following George Floyd's death is, I think it's fair to say, extremely volatile. I wouldn't even know where to begin commentary on that, but what I do have a voice on is data breaches which prompted me to tweet this out earlier today: I'm seeing a bunch of tweets along the lines of "Anonymous leaked the email addresses and passwords of the Minneapolis police" with links and screen caps of pastes as "evidence". This is almost certainly fake for several reasons: — Troy Hunt (@troyhunt) May 31, 2020 I was CC'd into a bunch of threads that were redistributing the...

The Unattributable "db8151dd" Data Breach

I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It's about a data breach with almost 90GB of personal information in it across tens of millions of records - including mine. Here's what I know: Back in Feb, Dehashed reached out to me with a massive trove of data that had been left exposed on a major cloud provider via a publicly accessible Elasticsearch instance. It contained 103,150,616 rows in total, the first 30 of which look like this: The global unique identifier beginning with "db8151dd" features heavily on these first lines hence the name I've given the breach. I've had to give...

Welcoming the Icelandic Government to Have I Been Pwned

Hot on the heels of onboarding the USA government to Have I Been Pwned last month, I'm very happy to welcome another national government - Iceland! As of today, Iceland's National Computer Security Incident Response Team (CERT-IS), now has access to the full gamut of their gov domains for both on-demand querying and ongoing monitoring. As with the USA and Iceland, I expect to continue onboarding additional governments over the course of 2020 and expanding their access to meaningful data about breaches that impact their departments....

Welcoming the USA Government to Have I Been Pwned

Over the last 2 years I've been gradually welcoming various governments from around the world onto Have I Been Pwned (HIBP) so that they can have full and unfettered access to the list of email addresses on their domains impacted by data breaches. Today, I'm very happy to announce the expansion of this initiative to include the USA government by way of their US Cybersecurity and Infrastructure Security Agency (CISA). CISA now has the ability to query US government domains via API and receive notifications when they're impacted in subsequent data breaches. Over the coming months I expect to continue expanding the scope of government support in HIBP. For now, it's a big welcome to the USA and I'm enormously...

There is a Serious Lack of Corporate Responsibility During Breach Disclosures

Subject: Data Breach of [your service] Hi, my name is Troy Hunt and I run the ethical data breach notification service known as Have I Been Pwned: https://haveibeenpwned.com People regularly send me data from compromised systems which are being traded amongst individuals who collect breaches. Recently, a collection of data allegedly taken from the [your service] was sent to me and I believe there’s a high likelihood your site was indeed hacked. The data consists of an extensive number of records containing personal information. I wanted to send you what’s been sent to me and give you the opportunity to respond before I notify my subscribers impacted in the incident. Could someone responsible for information security...

Enhancing Pwned Passwords Privacy with Padding

Since launching version 2 of Pwned Passwords with the k-anonymity model just over 2 years ago now, the thing has really gone nuts (read that blog post for background otherwise nothing from here on will make much sense). All sorts of organisations are employing the service to keep passwords from previous data breaches from being used again and subsequently, putting their customers at heightened risk. For example, this just a couple of days ago: This is cool: @identityauto is integrating @haveibeenpwned's Pwned Passwords into their RapidIdentity product. Very slick! pic.twitter.com/64d9p8hQq6 — Troy Hunt (@troyhunt) March 3, 2020 The anonymity implementation means consumers of the service can hit the API without disclosing what password is actually...

Project Svalbard, Have I Been Pwned and its Ongoing Independence

This is going to be a lengthy blog post so let me use this opening paragraph as a summary of where Project Svalbard is at: Have I Been Pwned is no longer being sold and I will continue running it independently. After 11 months of a very intensive process culminating in many months of exclusivity with a party I believed would ultimately be the purchaser of the service, unexpected changes to their business model made the deal infeasible. It wasn't something I could have seen coming nor was it anything to do with HIBP itself, but it introduced a range of new and insurmountable barriers. So that's the tl;dr, let me now share as much as I can about...

Handling Huge Traffic Spikes with Azure Functions and Cloudflare

Back in 2016, I wrote a blog post about the Martin Lewis Money Show featuring HIBP and how it drove an unprecedented spike of traffic to the service, ultimately knocking it offline for a brief period of time. They'd given me a heads up as apparently, that's what the program has a habit of doing: I Just wanted to get in contact to let you know we're featuring 'have I been pwned?' on the programme next week (Monday 28 Nov, 8pm, ITV) saying it's a good way to check if your data has been compromised. I thought it best to let you know in case you need to put extra resources onto it, we do have a tendency to...