Have I Been Pwned

A 153-post collection

Pwned Passwords, Open Source in the .NET Foundation and Working with the FBI

I've got 2 massive things to announce today that have been a long time in the works and by pure coincidence, have aligned such that I can share them together here today. One you would have been waiting for and one totally out of left field. Both these announcements are being made at a time where Pwned Passwords is seeing unprecedented growth: Getting closer and closer to the 1B requests a month mark for @haveibeenpwned's Pwned Passwords. 99.6% of those have come direct from @Cloudflare's cache too 😎 pic.twitter.com/zRRbkhT27P — Troy Hunt (@troyhunt) May 27, 2021 That's significant because the sheer volume of requests greatly amplifies the effectiveness of the announcements below. So,...

Welcoming the Trinidad & Tobago Government to Have I Been Pwned

Today I'm very happy to welcome the first Caribbean government to Have I Been Pwned, Trinidad & Tobago. As of today, the Trinidad and Tobago Cyber Security Incident Response Team (TT-CSIRT) has full and free access to query their government domains and gain visibility into where they've impacted by data breaches. This brings the number of governments to be onboarded to HIBP to 17 and I look forward to welcoming more in the near future....

Welcoming the Swedish Government to Have I Been Pwned

Today I'm very happy to welcome the 16th government to Have I Been Pwned, Sweden. The Swedish National Computer Security Incident Response Team CERT-SE now has full and free access to query all government domains via HIBP's API and gain insights into the impact of data breaches on their government departments. Sweden is now the 4th Scandinavian country I've welcomed onto HIBP and I hope to see many more from other parts of the world join in the future....

Welcoming the Romanian Government to Have I Been Pwned

Today I'm very happy to announce the arrival of the 15th government to Have I Been Pwned, Romania. As of now, CERT-RO has access to query all Romanian government domains across HIBP and subscribe them for future notifications when subsequent data breaches affect aliases on those domains. Romania joins a steadily growing number of governments across the globe to have free and unrestricted access to API-based domain searches for their assets in HIBP. You can read more about government access in the initial post from 2018....

Welcoming the Luxemburg Government CERT to Have I Been Pwned

Continuing my efforts to make more breach data available to governments after data breaches impact their domains, I'm very happy to welcome Luxemburg aboard Have I Been Pwned. More specifically, the CERT of the Grand Duchy of Luxemburg (govcert.lu) now has free API level access to query their national government domains. This now brings the government count to 14 and I look forward to welcoming more national CERTs in the future....

Data From The Emotet Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI and NHTCU

Earlier this year, the FBI in partnership with the Dutch National High Technical Crimes Unit (NHTCU), German Federal Criminal Police Office (BKA) and other international law enforcement agencies brought down what Europol rereferred to as the world's most dangerous malware: Emotet. This strain of malware dates back as far as 2014 and it became a gateway into infected machines for other strains of malware ranging from banking trojans to credential stealers to ransomware. Emotet was extremely destructive and wreaked havoc across the globe before eventually being brought to a halt in February. Following the takedown, the FBI reached out and asked if Have I Been Pwned (HIBP) might be a viable means of alerting impacted individuals and companies that their...

Welcoming the Ukrainian Government to Have I Been Pwned

Another month, another national government to bring onto Have I Been Pwned. This time it's the Ukrainian National Cybersecurity Coordination Center who now has access to monitor all their government domains via API domain search, free of charge. Ukraine is now the 13th government to be onboarded to HIBP's service joining counterparts across Europe, North America and Australia....

The Facebook Phone Numbers Are Now Searchable in Have I Been Pwned

The headline is pretty self-explanatory so in the interest of time, let me just jump directly into the details of how this all works. There's been huge interest in this incident, and I've seen near-unprecedented traffic to Have I Been Pwned (HIBP) over the last couple of days, let me do my best to explain how I've approached the phone number search feature. Or if you're impatient, you can head over to HIBP right now and search for your number. What's Changed?I'd never planned to make phone numbers searchable and indeed this User Voice idea sat there for over 5 and a half years without action. My position on this was that it didn't make sense for a bunch...

Home Assistant, Pwned Passwords and Security Misconceptions

Two of my favourite things these days are Have I Been Pwned and Home Assistant. The former is an obvious choice, the latter I've come to love as I've embarked on my home automation journey. So, it was with great pleasure that I saw the two integrated recently: always something... now you are in my @home_assistant setup also :) Thanks @troyhunt pic.twitter.com/4d4Qxnlazl — Jón Ólafs (@jonolafs) March 3, 2021 Awesome! Pwned Passwords is a repository of 613M passwords exposed in previous data breaches, which makes them very poor choices for future use. They're totally free and they have a really cool anonymity API that ensures no useful information about the password being searched for is ever exposed....

Gab Has Been Breached

I've investigated hundreds of data breaches over the years (there are 514 of them in Have I Been Pwned as I write this), and for the most part, the situation with Gab is just another day on the internet. But Gab is also different, having grown dramatically in recent months as an alternative to mainstream incumbent platforms such as Twitter and Facebook and drawing a crowd primarily focused on right wing American politics. A couple of days ago, I posted a thread about their alleged breach. I want to go back through that thread here, explain the thinking further and then provide some commentary on the actual data that was exposed. It all began here: So, the @getongab data breach...