Have I Been Pwned

I hit a bit of a milestone last week with HIBP which I thought deserved a little celebration: > Sometime today, @haveibeenpwned [https://twitter.com/haveibeenpwned] broke through the 1M verified subscriber mark. Having a quiet champagne alone before flying home ?? pic.twitter.com/whIss3OXeO [https://t.co/whIss3OXeO] — Troy Hunt (@troyhunt) February 2, 2017 [https://twitter.com/troyhunt/status/827214872119226368] A million verified subscribers (that is they've received a welcome email and click...

I've written before about how I verify data breaches [https://www.troyhunt.com/heres-how-i-verify-data-breaches/] and discussed it at length in various conference talks. I take verification very seriously because misattribution can have serious consequences on the company involved, those in the alleged breach and indeed, on myself as well. To give you a sense of how much effort can go into verification, last month I wrote about a data breach investigation blow by blow [https://www.troyhunt.com/a...

Yesterday, the website known as "LeakedSource" went offline. It's still early days and there's not yet an official word on exactly what happened, but the unfolding story seems to be as follows [http://www.zdnet.com/article/breach-site-leakedsource-raided-by-feds/]: > Yeah you heard it here first. Sorry for all you kids who don't have all your own Databases. Leakedsource is down forever and won't be coming back. Owner raided early this morning. Wasn't arrested, but all SSD's got taken, and Leake...

Someone has just sent me a data breach. I could go and process the whole thing, attribute it to a source, load it into Have I been pwned [https://haveibeenpwned.com] (HIBP) then communicate the end result, but I thought it would be more interesting to readers if I took you through the whole process of verifying the legitimacy of the data and pinpointing the source. This is exactly the process I go through, unedited and at the time of writing, with a completely unknown outcome. Warning: This one...

The title says it all and the details are on their blog [https://blog.ethereum.org/2016/12/19/security-alert-12192016-ethereum-org-forums-database-compromised/] , but there's still a lot to talk about. Self-submission to HIBP is not a new thing (TruckersMP was the first back in April [https://www.troyhunt.com/100-data-breaches-later-have-i-been-pwned-gets-its-first-self-submission/] ), but it's extremely unusual as here you have an organisation saying "we got hacked, we'd now like you to make th...

Trust is a really difficult thing to define. Think about it in the web security context - how do you "trust" a site? Many people would argue that trust decisions are made on the familiarity you have with the brand, you know, brands like LinkedIn, Dropbox, Adobe... who've all had really serious data breaches. Others will look for the padlock in the address bar and imply by its presence that the site is trustworthy... without realising that it makes no guarantees about the security profile of the...

Content security policies [https://www.troyhunt.com/understanding-csp-the-video-tutorial-edition/] (CSPs) can be both a blessing and a curse. A blessing because they can do neat stuff like my recent piece on upgrading insecure requests [https://www.troyhunt.com/disqus-mixed-content-problem-and-fixing-it-with-a-csp/] yet a curse because they can also do screwy things like break your site [https://www.troyhunt.com/how-to-break-your-site-with-content/]. Now in fairness, the breaking bit linked to t...

I get a lot of requests from people for data from Have I been pwned [https://haveibeenpwned.com/] (HIBP) that they can analyse. Now obviously, there are a bunch of people up to no good requesting the data but equally, there are many others who just want to run statistics. Regardless, the answer has always been "no", I'm not going to redistribute data to you. In fact, the requests were happening so frequently that I even wrote the blog post No, I cannot share data breaches with you [https://www.t...

Earlier today, Have I been pwned [https://haveibeenpwned.com/] (HIBP) appeared on a British TV show called The Martin Lewis Money Show [http://www.moneysavingexpert.com/]. A producer had contacted me about this last week: > I Just wanted to get in contact to let you know we're featuring 'have I been pwned?' on the programme next week (Monday 28 Nov, 8pm, ITV) saying it's a good way to check if your data has been compromised. I thought it best to let you know in case you need to put extra resour...

It's hard to believe it, but Sunday 4 December will mark 3 years since I launched Have I been pwned [https://www.troyhunt.com/introducing-have-i-been-pwned/]. A huge amount has happened in that time, not just for HIBP but for the industry and indeed for me personally. I certainly didn't expect it to become what it is, not in terms of the amount of data or the number of people visiting and subscribing and certainly not the media attention it's drawn from all over the world. That's posed some real...