Have I Been Pwned

A 203-post collection

Have I been pwned and spam lists of personal information

One of the things I'm finding with running Have I been pwned [https://haveibeenpwned.com/] (HIBP) is that over time, my approach is changing. Nothing dramatic thus far, usually just what I'd call "organic" corrections in direction and usually in response to things I've learned, industry events or changes in the way people are using the service. For example, the Ashley Madison hack led to the concept of a sensitive breach [https://www.troyhunt.com/heres-how-im-going-to-handle-ashley/] which meant...

8 million GitHub profiles were leaked from GeekedIn's MongoDB - here's how to see yours

Let me make it crystal clear in the opening paragraph: this incident is not about any sort of security vulnerability on GitHub's behalf, rather it relates to a trove of data from their site which was inappropriately scraped and then inadvertently exposed due to a vulnerability in another service. My data. Probably your data if you're in the software industry. Millions of people's data. On Saturday, a character in the data trading scene popped up and sent me a 594MB file called geekedin.net_mirr...

Data breach claims are often poorly researched, unsubstantiated and ultimately fake

I have multiple Yahoo data breaches. I have a Twitter data breach. I have Facebook data breaches. I know they are data breaches from those sources because people told me they are, ergo, they're data breaches. Except they're not - they're all fake. Problem is though, fake data breaches don't make for a very good headline nor do they give you something worth trading; for many people, it's not in their best interests to establish what's fake and what's not. Earlier this year I wrote about how I ve...

The public Have I been pwned API now has a Creative Commons Attribution licence

We're now going on almost 3 years since I introduced the Have I been pwned (HIBP) API [https://www.troyhunt.com/have-i-been-pwned-you-can-now-ask-api/]. In fact it was one of the first things I did after creating HIBP in the first place because I wanted to make the data as accessible as possible and create an ecosystem of third party apps. However, over time I've also had to deal with the API being used in ways I never intended. For example, I recently introduced the rate limit [https://www.tro...

Azure Functions in practice

I wrote recently about how Have I been pwned (HIBP) had an API rate limit introduced and then brought forward [https://www.troyhunt.com/content-images-2016-09-a-one-week-traffic-snapshot-1-png/] which was in part a response to large volumes of requests against the API. It was causing sudden ramp ups of traffic that Azure couldn't scale fast enough to meet and was also hitting my hip pocket as I paid for the underlying infrastructure to scale out in response. By limiting requests to one per every...

The "Have I been pwned" API rate limit has been brought forward - here's why

Three weeks ago today, I wrote about implementing a rate limit on the Have I been pwned (HIBP) API [https://www.troyhunt.com/the-have-i-been-pwned-api-rate-limiting-and-commercial-use/] and the original plan was to have it begin a week from today. I want to talk more about why the rate limit was required and why I've had to bring it forward to today. As I explained in the original post, there were multiple reasons for the rate limit including high volumes of API calls impacting system performan...

The Dropbox hack is real

Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked [http://motherboard.vice.com/read/hackers-stole-over-60-million-dropbox-accounts]. Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records. Very shortly after, a supporter of Have I been pwned [https://haveibeenpwned.com] (HIBP) sent over the data which o...

The "Have I been pwned" API, rate limiting and commercial use

It's almost 3 years ago now that I launched the Have I been pwned (HIBP) API [https://www.troyhunt.com/have-i-been-pwned-you-can-now-ask-api/] and made it free and unlimited. No dollars, no rate limits, just query it at will and results not flagged as sensitive [https://haveibeenpwned.com/FAQs#SensitiveBreach] will be returned. Since then it's been called, well, I don't know how many times but at the least, it's well into the hundreds of millions if not billions. I've always been pretty clear on...

Why am I in a data breach for a site I never signed up to?

This question in the title of this post comes up after pretty much every data breach I load so I thought I'd answer it here once and for all then direct inquisitive Have I been pwned (HIBP) users when confusion ensues in the future. Let me outline a number of different root causes for the "why is my data on a site I never signed up to?" question. You forgot you signed up: Let's start with the simplest explanation because it's often the correct one - you've simply forgotten you signed up. We leav...

Introducing unverified breaches to Have I been pwned

Data breaches can be shady business. There's obviously the issue of sites being hacked in the first place which is not just shady, but downright illegal. Then there's the way this information is redistributed, the anonymous identities that deal with it and the various motives people have for bringing this data into the public eye. One of the constant challenges with the spread of data breaches is establishing what is indeed data hacked out of an organisation versus data from another source. We'...