Have I Been Pwned

In the last month, there were 1,260,000,000 occasions where a service somewhere checked a password against Have I Been Pwned's (HIBP's) Pwned Password API [https://haveibeenpwned.com/Passwords]. 99.7% of the time, that check went no further than one of hundreds of Cloudflare edge nodes [https://www.cloudflare.com/network/] spread around the world (95% of the world's population is within 50ms of one). It looks like this: There are all sorts of amazing Pwned Passwords use cases out there. For e...

A decade and a bit ago during my tenure at Pfizer, a colleague's laptop containing information about customers, healthcare providers and other vendors was stolen from their car [https://www.doj.nh.gov/consumer/security-breaches/documents/pfizer-20110610.pdf] . The machine had full disk encryption and it's not known whether the thief was ever actually able to access the data. It's not clear if the car was locked or not. Is this a data breach? Some years later, an outsourcing provider of the Aus...

Like most of my good ideas, this one came completely by accident. The other day I was packaging up some swag to send to the winner of my impromptu best "Anonymous" meme competition [https://twitter.com/troyhunt/status/1455137628370575362] and I decided to share the following tweet: > Time to ramp up the 3D @haveibeenpwned [https://twitter.com/haveibeenpwned?ref_src=twsrc%5Etfw] printing too, been giving away a heap of these! pic.twitter.com/ffZpM5aZtx [https://t.co/ffZpM5aZtx] — Troy Hunt (@tr...

For the last few years, I've been welcoming national governments to Have I Been Pwned (HIBP) and granting them full and free access to domain-level searches via a dedicated API. Today, I'm very happy to welcome the Czech Republic's National Cyber and Information Security Agency who can now query their government domains along with the 26 other nations that have come before them. Data breaches impact all of us in one way or another, and government agencies are no exception. My hope is that in su...

Today I'm very happy to welcome the national Turkish CERT to Have I Been Pwned, TR-CERT or USOM, the National Cyber ​​Incident Response Center. They are now the 26th government to have complete and free API level access to query their government domains. Providing governments with greater visibility into the impact of data breaches on their staff helps protect against all manner of online attacks. I'm looking forward to welcoming more national governments onto HIBP in the future....

Marking the 25th national CERT to have full and free API level access to in HIBP, I'm very happy to welcome CERT-IL in the Israel National Cyber Directorate (INCD) on board. They join many other governments around the world in having access to data impacting their departments amongst the more than 11 billion records already in HIBP, and inevitably the billions yet to come. I'm really encouraged to see the amount of enthusiasm expressed by national government defenders to gain access to breach d...

Today I'm very happy to welcome the Dutch government to HIBP, marking 24 national CERTs that now have full and free access to API level domain searches. The Nationaal Cyber Security Centrum of the Netherlands (NCSC-NL) now has access to monitor the exposure of government departments across all the data breaches that make their way into HIBP. Visibility into the impact of data breaches helps defenders protect national assets and I'm very pleased to see the Netherlands join so many other nations...

Today I'm very happy to welcome the 23rd national government to Have I Been Pwned, the Slovak Republic. As of now, CSIRT.sk has full and free access to query all their government domains via an API that returns all their email addresses impacted by each data breach in HIBP. Granting governments this level of access gives them visibility into not just the 11.4 billion records that are already in HIBP but provides an early warning system for the billions of records yet to come. I look forward to...

Recently, I've been providing a lot of additional government access to Have I Been Pwned. Today I'm happy to welcome the Jamaica Cyber Incident Response Team (JaCIRT), the 22nd national CERT on HIBP and 11th in the last 4 months. They now have full and free API level access to query all government domains belonging to the Caribbean nation. I'm encouraged by the enthusiasm I'm seeing from governments to use breach data in positive ways that help protect their departments and I look forward to we...

Today I'm very happy to welcome the Finnish government to Have I Been Pwned by granting their National Cyber Security Centre full and free access to query their government domains. API access to query their domains will give them greater visibility into the impact of data breaches on the Finnish government. Finland is now the 5th Nordic country and 21st national CERT to be onboarded with many more from around the globe to be announced shortly....