Have I Been Pwned

For the most part, Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) runs very smoothly, especially given how cheaply I run many parts of the service for [https://www.troyhunt.com/serverless-to-the-max-doing-big-things-for-small-dollars-with-cloudflare-workers-and-azure-functions/] . Occasionally though, I screw up and get something wrong that interrupts the otherwise slick operation and results in some outage. Last weekend was one such occasion and I want to explain what I got wrong, how y...

This is going to be a brief blog post but it's a necessary one because I can't load the data I'm about to publish into Have I Been Pwned [https://haveibeenpwned.com] (HIBP) without providing more context than what I can in a single short breach description. Here's the story: Kayo.moe [https://kayo.moe/] is a free, public, anonymous hosting service. The operator of the service (Kayo) reached out to me earlier this week and advised they'd noticed a collection of files uploaded to the site which a...

As time has gone by, one of the things I've enjoyed the most in running Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) is seeing how far I could make the dollars stretch. How big can it go whilst at the same time, running it on a shoestring? I keep finding new ways of optimising cost and the two most significant contributions to that since launching almost 5 years ago have come via serverless technology provided by 2 of my favourite tech companies: Cloudflare and Microsoft. By way of (v...

I'm still pretty amazed at how much traction Pwned Passwords [https://haveibeenpwned.com/Passwords] has gotten this year. A few months ago, I wrote about Pwned Passwords in Practice [https://www.troyhunt.com/pwned-passwords-in-practice-real-world-examples-of-blocking-the-worst-passwords/] which demonstrates a whole heap of great use cases where they've been used in registration, password reset and login flows. Since that time, another big name has come on board too [https://blog.github.com/2018...

Two of my favourite developer things these days are Azure Functions [https://www.troyhunt.com/azure-functions-in-practice/] and Cloudflare Workers [https://scotthelme.co.uk/cloudflare-workers-report-uri/]. They're both "serverless" in that rather than running on your own slice of infrastructure, that concept is abstracted away and you get to focus on just code executions rather than the logical bounds of the server it runs on. So for example, when you have an Azure function and you deploy it und...

Over recent weeks, I've begun planning the release of the 3rd version of Pwned Passwords. If you cast your mind back, version 1 came along in August last year [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/] and contained 320M passwords. I made all the data downloadable as SHA-1 hashes (for reasons explained in that post) and stood up a basic API to enable anyone to query it by plain text password or hash. Then in Feb, version 2 landed [https://www.troyhunt...

One of the most alarming trends I've seen in the world of data breaches since starting Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) back in 2013 is the rapid rise of credential stuffing [https://www.owasp.org/index.php/Credential_stuffing] attacks. Per the definition in that link, it simply means this: > Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This form of attack relies on a combination...

Pretty much every day, I get a reminder from someone about how little people know about their exposure in data breaches. Often, it's after someone has searched Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) and found themselves pwned somewhere or other. Frequently, it's some long-forgotten site they haven't even thought about in years and also frequently, the first people know of these incidents is via HIBP: > large @ticketfly [https://twitter.com/ticketfly?ref_src=twsrc%5Etfw] data bre...

Running Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) has presented some fascinating insights into all sorts of aspects of how data breaches affect us; the impact on the individual victims such as you and I, of course, but also how they affect the companies involved and increasingly, the role of government and law enforcement in dealing with these incidents. Last week I had an all new situation arise related to that last point and I want to explain it properly here so it makes sense if...

Back in August, I pushed out a service as part of Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) to help organisations block bad passwords from their online things. I called it "Pwned Passwords" and released 320M of them from real-world data breaches [https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/] via both a downloadable file and an online service. This was in response to NIST's Digital Identity Guidelines [https://www.nist.gov/itl/tig/special-publ...