Have I Been Pwned

A 116-post collection

Donating BAT to Have I Been Pwned with Brave Browser

I don't know exactly why the recent uptick, but lately I've had a bunch of people ask me if I've tried the Brave web browser. Why they'd ask me that is much more obvious: Brave is a privacy-focused browser that nukes ads and trackers. It also has some cool built-in stuff like the ability to create a new private browsing window in Tor rather than just your classic incognito window that might ditch all your cookies and browsing history but still connect to the internet directly from your own IP address. But the thing that's really caught the attention of the people I've been speaking to is Brave Rewards which is an innovative way of simultaneously eschewing traditional ads whilst...

Welcoming the Danish Government to Have I Been Pwned

In a continued bid to make breach data available to the government departments around the world tasked with protecting their citizens, I'm very happy to welcome the first country onto Have I Been Pwned for 2020 - Denmark! The Danish Centre for Cyber Security (CFCS) joins the existing 7 governments who have free and unbridled API access to query and monitor their gov domains. As the year progresses, I'll keep onboarding additional governments to help consolidate existing searches their departments have been independently running and provide greater visibility at a national level....

When Is Data "Public"? (And 2.5M Public Factual Records in HIBP)

When is data "public"? And what does "public" even mean? Does it mean it's merely visible to the public? Or does it mean the public can do anything they like with it? This discussion comes up time and time again as it did with the huge leak of PDL data only last month. For the most part, the impacted data in this incident came from LinkedIn, a service where by design we (including myself) publish personal information about ourselves for public consumption. So what's the problem? Willingly publishing your personal data online in a specific context is one thing, an organisation then taking it providing it another context is... unsettling: To be clear, all of this info must have been...

Welcoming the Swiss Government to Have I Been Pwned

I recently had the pleasure of spending a few days in Switzerland, firstly in Geneva visiting (and speaking at) CERN followed by a visit to the nation's capital, Bern. There I spent some time with a delegation of the National Cybersecurity Centre discussing the challenges they face and where HIBP can play a role. Continuing the march forward to provide governments with better access to their departments' data exposed in breaches, I'm very pleased to welcome Switzerland as the 7th national government onto Have I Been Pwned! They'll join the other govs in Europe and Australia and have complete free and direct API access to all the breached addresses appearing on their government domains. I expect to keep on-boarding further...

Data Enrichment, People Data Labs and Another 622M Email Addresses

Until this month, I'd never heard of People Data Labs (PDL). I'd certainly heard of the sector they operate in - "Data Enrichment" - but I'd never heard of the company itself. I've become more familiar with this sector over recent years due to the frequency with which it's been suffering data breaches that have ultimately landed in my inbox. For example, there's Dun & Bradstreet's NetProspex which leaked 33M records in 2017, Exactis who had 132M records breached last year and the Apollo data breach which exposed 126M accounts, one of which was my own. When Vinny Troia recently reached out after he and Bob Diachenko and sent me a massive set of data allegedly originating from PDL, I...

Welcoming the Norwegian Government to HIBP

Over the last couple of years, I've been increasingly providing governments with better access to their departments' data exposed in breaches by giving them free and unfettered API access to their domains. As I've been travelling around the world this year, I've been carving out time to spend with governments to better understand the infosec challenges they're facing and the role HIBP can play in helping them tackle those challenges. During my time in Norway, that included spending time with their National Cyber Security Centre in Oslo. Today, I'm very happy to welcome Norway as the 6th national government onto Have I Been Pwned! You'll see more national governments come on board in the near future but for now, it's...

Welcoming the Irish Government to Have I Been Pwned

Over the last year and a bit I've been working to make more data in HIBP freely available to governments around the world that want to monitor their own exposure in data breaches. Like the rest of us, governments regularly rely on services that fall victim to attacks resulting in data being disclosed and just like the commercial organisations monitoring domains on HIBP, understanding that exposure is important. To date, the UK, Australian, Spanish and Austrian governments have come onboard HIBP for nation-wide government domain monitoring and today, I'm happy to welcome the Irish government as well. They now have access to all .gov.ie domains and a handful of other government ones on different TLDs. A big welcome to...

Authentication and the Have I Been Pwned API

The very first feature I added to Have I Been Pwned after I launched it back in December 2013 was the public API. My thinking at the time was that it would make the data more easily accessible to more people to go and do awesome things; build mobile clients, integrate into security tools and surface more information to more people to enable them to do positive and constructive things with the data. I highlighted 3 really important attributes at the time of launch: There is no authentication. There is no rate limiting. There is no cost. One of those changed nearly 3 years ago now - I had to add a rate limit. The other 2 are changing today...

Pwned Passwords, Version 5

Almost 2 years ago to the day, I wrote about Passwords Evolved: Authentication Guidance for the Modern Era. This wasn't so much an original work on my behalf as it was a consolidation of advice from the likes of NIST, the NCSC and Microsoft about how we should be doing authentication today. I love that piece because so much of it flies in the face of traditional thinking about passwords, for example: Don't impose composition rules (upper case, lower case, numbers, etc)Don't mandate password rotation (enforced changing of it every few months)Never implement password hintsAnd of most relevance to the discussion here today, don't allow people to use passwords that have already been exposed in a data breach....

Welcoming the Austrian Government to Have I Been Pwned

Early last year, I announced that I was making HIBP data on government domains for the UK and Australia freely accessible to them via searches of their respective TLDs. The Spanish government followed a few months later with each getting unbridled access to search their own domains via an authenticated API. As I explained in that initial post, the rationale was to help the departments tasked with looking after the exposure of their digital assets by unifying search and monitoring capabilities so the task could be performed centrally rather than having the effort replicated over and over again by individual departments. Before this effort, there were hundreds of gov domains being manually monitored by separate departments across those governments -...