Have I Been Pwned

A 129-post collection

Enhancing Pwned Passwords Privacy with Padding

Since launching version 2 of Pwned Passwords with the k-anonymity model just over 2 years ago now, the thing has really gone nuts (read that blog post for background otherwise nothing from here on will make much sense). All sorts of organisations are employing the service to keep passwords from previous data breaches from being used again and subsequently putting their customers at heightened risk. For example, this just a couple of days ago: This is cool: @identityauto is integrating @haveibeenpwned's Pwned Passwords into their RapidIdentity product. Very slick! pic.twitter.com/64d9p8hQq6 — Troy Hunt (@troyhunt) March 3, 2020 The anonymity implementation means consumers of the service can hit the API without disclosing what password is actually...

Project Svalbard, Have I Been Pwned and its Ongoing Independence

This is going to be a lengthy blog post so let me use this opening paragraph as a summary of where Project Svalbard is at: Have I Been Pwned is no longer being sold and I will continue running it independently. After 11 months of a very intensive process culminating in many months of exclusivity with a party I believed would ultimately be the purchaser of the service, unexpected changes to their business model made the deal infeasible. It wasn't something I could have seen coming nor was it anything to do with HIBP itself, but it introduced a range of new and insurmountable barriers. So that's the tl;dr, let me now share as much as I can about...

Handling Huge Traffic Spikes with Azure Functions and Cloudflare

Back in 2016, I wrote a blog post about the Martin Lewis Money Show featuring HIBP and how it drove an unprecedented spike of traffic to the service, ultimately knocking it offline for a brief period of time. They'd given me a heads up as apparently that's what the program has a habit of doing: I just wanted to get in contact to let you know we're featuring 'have I been pwned?' on the programme next week (Monday 28 Nov, 8pm, ITV) saying it's a good way to check if your data has been compromised. I thought it best to let you know in case you need to put extra resources onto it, we do have a tendency to...

Donating BAT to Have I Been Pwned with Brave Browser

I don't know exactly why the recent uptick, but lately I've had a bunch of people ask me if I've tried the Brave web browser. Why they'd ask me that is much more obvious: Brave is a privacy-focused browser that nukes ads and trackers. It also has some cool built-in stuff like the ability to create a new private browsing window in Tor rather than just your classic incognito window that might ditch all your cookies and browsing history but still connect to the internet directly from your own IP address. But the thing that's really caught the attention of the people I've been speaking to is Brave Rewards which is an innovative way of simultaneously eschewing traditional ads whilst...

Welcoming the Danish Government to Have I Been Pwned

In a continued bid to make breach data available to the government departments around the world tasked with protecting their citizens, I'm very happy to welcome the first country onto Have I Been Pwned for 2020 - Denmark! The Danish Centre for Cyber Security (CFCS) joins the existing 7 governments who have free and unbridled API access to query and monitor their gov domains. As the year progresses, I'll keep onboarding additional governments to help consolidate existing searches their departments have been independently running and provide greater visibility at a national level....

When Is Data "Public"? (And 2.5M Public Factual Records in HIBP)

When is data "public"? And what does "public" even mean? Does it mean it's merely visible to the public? Or does it mean the public can do anything they like with it? This discussion comes up time and time again as it did with the huge leak of PDL data only last month. For the most part, the impacted data in this incident came from LinkedIn, a service where by design we (including myself) publish personal information about ourselves for public consumption. So what's the problem? Willingly publishing your personal data online in a specific context is one thing, an organisation then taking it and providing it in another context is... unsettling: To be clear, all of this info must have been...

Welcoming the Swiss Government to Have I Been Pwned

I recently had the pleasure of spending a few days in Switzerland, firstly in Geneva visiting (and speaking at) CERN followed by a visit to the nation's capital, Bern. There I spent some time with a delegation of the National Cybersecurity Centre discussing the challenges they face and where HIBP can play a role. Continuing the march forward to provide governments with better access to their departments' data exposed in breaches, I'm very pleased to welcome Switzerland as the 7th national government onto Have I Been Pwned! They'll join the other govs in Europe and Australia and have complete free and direct API access to all the breached addresses appearing on their government domains. I expect to keep on-boarding further...

Data Enrichment, People Data Labs and Another 622M Email Addresses

Until this month, I'd never heard of People Data Labs (PDL). I'd certainly heard of the sector they operate in - "Data Enrichment" - but I'd never heard of the company itself. I've become more familiar with this sector over recent years due to the frequency with which it's been suffering data breaches that have ultimately landed in my inbox. For example, there's Dun & Bradstreet's NetProspex which leaked 33M records in 2017, Exactis who had 132M records breached last year and the Apollo data breach which exposed 126M accounts, one of which was my own. When Vinny Troia recently reached out after he and Bob Diachenko sent me a massive set of data allegedly originating from PDL, I...

Welcoming the Norwegian Government to HIBP

Over the last couple of years, I've been increasingly providing governments with better access to their departments' data exposed in breaches by giving them free and unfettered API access to their domains. As I've been travelling around the world this year, I've been carving out time to spend with governments to better understand the infosec challenges they're facing and the role HIBP can play in helping them tackle those challenges. During my time in Norway, that included spending time with their National Cyber Security Centre in Oslo. Today, I'm very happy to welcome Norway as the 6th national government onto Have I Been Pwned! You'll see more national governments come on board in the near future but for now, it's...

Welcoming the Irish Government to Have I Been Pwned

Over the last year and a bit I've been working to make more data in HIBP freely available to governments around the world that want to monitor their own exposure in data breaches. Like the rest of us, governments regularly rely on services that fall victim to attacks resulting in data being disclosed and just like the commercial organisations monitoring domains on HIBP, understanding that exposure is important. To date, the UK, Australian, Spanish and Austrian governments have come onboard HIBP for nation-wide government domain monitoring and today, I'm happy to welcome the Irish government as well. They now have access to all .gov.ie domains and a handful of other government ones on different TLDs. A big welcome to...