Mastodon

Have I Been Pwned

A 171-post collection

I Wanna Go Fast: How Many Pwned Password Queries Can You Make Per Second?

I feel the need, the need for speed. Faster, Faster, until the thrill of speed overcomes the fear of death. If you're in control, you're not going fast enough. And so on and so forth. There's a time and a place for going fast, and there's no better place to do that than when querying Have I Been Pwned's Pwned Passwords service. (Ok, a lot less glamorous than the context of the previous statements, but also less likely to have a catastrophic outcome.) In December last year, Pwned Passwords sa...

Welcoming the New Zealand Government to Have I Been Pwned

Continuing the march forward to provide governments with better access to their departments' data exposed in breaches [https://www.troyhunt.com/the-uk-and-australian-governments-are-now-monitoring-their-gov-domains-on-have-i-been-pwned/] , I'm very pleased to welcome the 28th national government onto Have I Been Pwned - New Zealand! They'll join the other govs around the world that have complete free access to breach information impacting their gov domains and TLDs. You'll see more national gov...

How I Got Pwned by My Cloud Costs

I have been, and still remain, a massive proponent of "the cloud". I built Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) as a cloud-first service that took advantage of modern cloud paradigms such as Azure Table Storage to massively drive down costs at crazy levels of performance I never could have achieved before. I wrote many blog posts about doing big things for small dollars [https://www.troyhunt.com/serverless-to-the-max-doing-big-things-for-small-dollars-with-cloudflare-workers-an...

Open Source Pwned Passwords with FBI Feed and 225M New NCA Passwords is Now Live!

In the last month, there were 1,260,000,000 occasions where a service somewhere checked a password against Have I Been Pwned's (HIBP's) Pwned Password API [https://haveibeenpwned.com/Passwords]. 99.7% of the time, that check went no further than one of hundreds of Cloudflare edge nodes [https://www.cloudflare.com/network/] spread around the world (95% of the world's population is within 50ms of one). It looks like this: There are all sorts of amazing Pwned Passwords use cases out there. For e...

When is a Scrape a Breach?

A decade and a bit ago during my tenure at Pfizer, a colleague's laptop containing information about customers, healthcare providers and other vendors was stolen from their car [https://www.doj.nh.gov/consumer/security-breaches/documents/pfizer-20110610.pdf] . The machine had full disk encryption and it's not known whether the thief was ever actually able to access the data. It's not clear if the car was locked or not. Is this a data breach? Some years later, an outsourcing provider of the Aus...

Merry #pwnedmas!

Like most of my good ideas, this one came completely by accident. The other day I was packaging up some swag to send to the winner of my impromptu best "Anonymous" meme competition [https://twitter.com/troyhunt/status/1455137628370575362] and I decided to share the following tweet: > Time to ramp up the 3D @haveibeenpwned [https://twitter.com/haveibeenpwned?ref_src=twsrc%5Etfw] printing too, been giving away a heap of these! pic.twitter.com/ffZpM5aZtx [https://t.co/ffZpM5aZtx] — Troy Hunt (@tr...

Welcoming the Czech Republic Government to Have I Been Pwned

For the last few years, I've been welcoming national governments to Have I Been Pwned (HIBP) and granting them full and free access to domain-level searches via a dedicated API. Today, I'm very happy to welcome the Czech Republic's National Cyber and Information Security Agency who can now query their government domains along with the 26 other nations that have come before them. Data breaches impact all of us in one way or another, and government agencies are no exception. My hope is that in su...

Welcoming the Turkish Government to Have I Been Pwned

Today I'm very happy to welcome the national Turkish CERT to Have I Been Pwned, TR-CERT or USOM, the National Cyber ​​Incident Response Center. They are now the 26th government to have complete and free API level access to query their government domains. Providing governments with greater visibility into the impact of data breaches on their staff helps protect against all manner of online attacks. I'm looking forward to welcoming more national governments onto HIBP in the future....

Welcoming the Israeli Government to Have I Been Pwned

Marking the 25th national CERT to have full and free API level access to in HIBP, I'm very happy to welcome CERT-IL in the Israel National Cyber Directorate (INCD) on board. They join many other governments around the world in having access to data impacting their departments amongst the more than 11 billion records already in HIBP, and inevitably the billions yet to come. I'm really encouraged to see the amount of enthusiasm expressed by national government defenders to gain access to breach d...

Welcoming the Dutch Government to Have I Been Pwned

Today I'm very happy to welcome the Dutch government to HIBP, marking 24 national CERTs that now have full and free access to API level domain searches. The Nationaal Cyber Security Centrum of the Netherlands (NCSC-NL) now has access to monitor the exposure of government departments across all the data breaches that make their way into HIBP. Visibility into the impact of data breaches helps defenders protect national assets and I'm very pleased to see the Netherlands join so many other nations...