Troy Hunt: Have I Been Pwned - Troy Hunt (Page 2)

Sponsored by:

Have I Been Pwned

A 98-post collection

The UK and Australian Governments Are Now Monitoring Their Gov Domains on Have I Been Pwned

If I'm honest, I'm constantly surprised by the extent of how far Have I Been Pwned (HIBP) is reaching these days. This is a little project I started whilst killing time in a hotel room in late 2013 after thinking "I wonder if people actually know where their data has been exposed?" I built it in part to help people answer that question and in part because my inner geek wanted to build an interesting project on Microsoft's Azure. I ran it on a coffee budget (the goal was to keep the operating costs under what a couple of cups from a cafe each day would cost) and I made it freely accessible. And then it took off....

I Wanna Go Fast: Why Searching Through 500M Pwned Passwords Is So Quick

In the immortal words of Ricky Bobby, I wanna go fast. When I launched Pwned Passwords V2 last week, I made it fast - real fast - and I want to talk briefly here about why that was important, how I did it and then how I've since shaved another 56% off the load time for requests that hit the origin. And a bunch of other cool perf stuff while I'm here. Why Speed Matters for Pwned Passwords Firstly, read the previous post about k-Anonymity and protecting the privacy of passwords to save me repeating it all here. I've been amazed at how quickly this has been adopted since I pushed it out very early on Thursday morning my time....

I've Just Added 2,844 New Data Breaches With 80M Records To Have I Been Pwned

tl;dr - a collection of nearly 3k alleged data breaches has appeared with a bunch of data already proven legitimate from previous incidents, but also tens of millions of addresses that haven't been seen in HIBP before. Those 80M records are now searchable, read on for the full story: There's an unknown numbers of data breaches floating around the web. There are data breaches we knew of but they just took years to appear publicly (Dropbox, LinkedIn), data breaches we didn't know of that also took years to discover at all (Disqus, imgur) and indeed, data breaches that were deliberately covered up (Lifeboat, Uber). But I suspect the another big slice of data breaches are the ones that both...

I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. How? NIST explains: When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. They then go on to recommend that passwords "obtained from previous breach corpuses" should be disallowed and that the service should "advise the subscriber that they need to select a different secret". This makes a lot of sense when you think about it:...

Streamlining Data Breach Disclosures: A Step-by-Step Process

I don't know how many data breaches I'm sitting on that I'm yet to process. 100? 200? It's hard to tell because often I'm sent collections of multiple incidents in a single archive, often there's junk in there and often there's redundancy across those collections. All I really know is that there's hundreds of gigabytes spread across thousands of files. Sometimes - like in the case of the recent South Africa situation - I could be sitting on data for months that's actually very serious in nature and needs to be brought public awareness. The biggest barrier by far to processing these is the effort involved in disclosure. I want to ensure that any incidents I load into Have I...

Do Something Awesome with Have I Been Pwned and Win a Lenovo ThinkPad!

Current status: The competition has run and been won! Scroll down to the bottom for the result. Friends who follow what I'm up to these days will see that I'm often away from home in far-flung parts of the world. What that means is a lot of time on planes, a lot of time in airports (which is where I'm writing this now) and a lot of time in hotel rooms. Want to know how I churn out so much content? It's using that otherwise wasted down time to do useful things. But to do that, I need to be productive whilst mobile and I owe a lot of that to the machine I use when travelling. Now, to make...

The Ethics of Running a Data Breach Search Service

No matter how much anyone tries to sugar coat it, a service like Have I been pwned (HIBP) which deals with billions of records hacked out of other peoples' systems is always going to sit in a grey area. There are degrees, of course; at one end of the spectrum you have the likes of Microsoft and Amazon using data breaches to better protect their customers' accounts. At the other end, there's services like the now defunct LeakedSource who happily sold our personal data (including mine) to anyone willing to pay a few bucks for it. As far as intent goes, HIBP sits at the white end of the scale, as far to that extreme as I can possibly position...

Inside the Massive 711 Million Record Onliner Spambot Dump

Last week I was contacted by someone alerting me to the presence of a spam list. A big one. That's a bit of a relative term though because whilst I've loaded "big" spam lists into Have I been pwned (HIBP) before, the largest to date has been a mere 393m records and belonged to River City Media. The one I'm writing about today is 711m records which makes it the largest single set of data I've ever loaded into HIBP. Just for a sense of scale, that's almost one address for every single man, woman and child in all of Europe. This blog posts explains everything I know about it. Firstly, the guy who contacted me is Benkow...

Introducing 306 Million Freely Downloadable Pwned Passwords

Edit: The following day, I loaded another set of passwords which has brought this up to 320M. More on why later on. Last week I wrote about Passwords Evolved: Authentication Guidance for the Modern Era with the aim of helping those building services which require authentication to move into the modern era of how we think about protecting accounts. In that post, I talked about NIST's Digital Identity Guidelines which were recently released. Of particular interest to me was the section advising organisations to block subscribers from using passwords that have previously appeared in a data breach. Here's the full excerpt from the authentication & lifecycle management doc (CSP is "Credential Service Provider"): NIST isn't mincing words here,...

Pastes on Have I Been Pwned Are No Longer Publicly Listed

Over the weekend, a Have I Been Pwned (HIBP) subscriber contacted me after they found their Spotify credentials online. It turns out that this particular woman went searching for her specific password after finding "some guy listening to Mexican music from a foreign device on my acct". In the search results, she found a site hosted on Google's Blogger service with troves and troves of Spotify credentials, among others. Now I've seen a lot of lists of "hacked Spotify accounts" in the past and to date, they've always been collated as a result of credential stuffing as opposed to Spotify themselves having been breached. She pointed me to the site with the (obfuscated) content you see...