Have I Been Pwned

I love beer. This comes as no surprise to regular followers, nor should it come as a surprise that I maintain an Untappd [https://untappd.com/] account, logging my beer experiences as I (used to 😢) travel around the world partaking in local beverages. When I received an email from someone over that way who happened to be a happy Have I Been Pwned (HIBP) user and wanted some cyber-assistance, I was intrigued. You'll never believe what happened next... The tl;dr is that someone with a BeerAdvoca...

Nearly 7 years ago now, I started a little pet project to index data breaches and make them searchable [https://www.troyhunt.com/introducing-have-i-been-pwned/]. I called it "Have I Been Pwned" and I loaded in 154M breached records which to my mind, was rather sizeable. Time went by, the breaches continued and the numbers rose. A few years later in June 2016 on stage at NDC Oslo, I pushed HIBP through 1B records: > Whoa, we're there, past a billion! There was much applause which I countered wit...

Today, almost one year after the release of version 5 [https://www.troyhunt.com/pwned-passwords-version-5/], I'm happy to release the 6th version of Pwned Passwords. The data set has increased from 555,278,657 known compromised passwords to a grand total of 572,611,621, up 17,332,964‬ (just over 3%). As with previous releases, I've made the call to push the data now simply because there were enough new records to justify the overhead in doing so. Also as with previous releases, version 6 not on...

Pwned again. Damn. That's me who's pwned again because my personal data has just turned up in yet another incident from a source I can't attribute. Less than 3 weeks ago I wrote about The Unattributable "db8151dd" Data Breach [https://www.troyhunt.com/the-unattributable-db8151dd-data-breach/] which, after posting that blog post and a sample of my own data, the community quickly attributed to Covve [https://covve.com/]. My hope is that this blog post helps myself and the 69 million other people...

The situation in Minneapolis at the moment (and many other places in the US) following George Floyd's death [https://en.wikipedia.org/wiki/Death_of_George_Floyd] is, I think it's fair to say, extremely volatile. I wouldn't even know where to begin commentary on that, but what I do have a voice on is data breaches which prompted me to tweet this out earlier today: > I'm seeing a bunch of tweets along the lines of "Anonymous leaked the email addresses and passwords of the Minneapolis police" with...

I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It's about a data breach with almost 90GB of personal information in it across tens of millions of records - including mine. Here's what I know: Back in Feb, Dehashed [https://www.dehashed.com/]reached out to me with a massive trove of data that had been left exposed on a major cloud provider via a publicly accessible Elasticsearch instance. It contained 103,150,61...

Hot on the heels of onboarding the USA government to Have I Been Pwned last month [https://www.troyhunt.com/welcoming-the-usa-government-to-have-i-been-pwned/], I'm very happy to welcome another national government - Iceland! As of today, Iceland's National Computer Security Incident Response Team (CERT-IS [https://www.cert.is/]), now has access to the full gamut of their gov domains for both on-demand querying and ongoing monitoring. As with the USA and Iceland, I expect to continue onboarding...

Over the last 2 years I've been gradually welcoming various governments from around the world onto Have I Been Pwned (HIBP) so that they can have full and unfettered access to the list of email addresses on their domains impacted by data breaches. Today, I'm very happy to announce the expansion of this initiative to include the USA government by way of their US Cybersecurity and Infrastructure Security Agency (CISA). CISA now has the ability to query US government domains via API and receive not...

Subject: Data Breach of [your service] Hi, my name is Troy Hunt and I run the ethical data breach notification service known as Have I Been Pwned: https://haveibeenpwned.com People regularly send me data from compromised systems which are being traded amongst individuals who collect breaches. Recently, a collection of data allegedly taken from the [your service] was sent to me and I believe there’s a high likelihood your site was indeed hacked. The data consists of an extensive number of recor...

Since launching version 2 of Pwned Passwords with the k-anonymity model [https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/] just over 2 years ago now, the thing has really gone nuts (read that blog post for background otherwise nothing from here on will make much sense). All sorts of organisations are employing the service to keep passwords from previous data breaches from being used again and subsequently, putting their customers at heightened risk. For example, this just a...