
Breach checking website Have I Been Pwned is up for grabs

13 Jun 2019

The man behind the popular breach checking website Have I Been Pwned is stepping down from his esteemed post as sole manager of the site, and although he wants the site to grow, he doesn’t know exactly what the future will hold.

Australia-based Troy Hunt, who is well known in security circles and recognised by Microsoft as a Regional Director and MVP, created Have I Been Pwned (HIBP) back in 2013 in response to the increasingly serious data breaches of the time, such as the Sony Pictures breach.

HIBP lets anyone enter their email address, or a password, and find out whether it has appeared in a known data breach (the password search, Pwned Passwords, is designed so that only a partial hash of the password is ever sent to the service). As of 13 June 2019, the site indexes more than 7.8 billion breached accounts from companies such as LinkedIn, MySpace and Dubsmash.

However, Hunt admits that sourcing, verifying and loading breached data has become 'enormously stressful' as HIBP has grown.

“Sure, I can handle billions of breached records and single-handedly run a massive online data breach service that’s been used by hundreds of millions of people, but this was a whole different ballgame. It was time to get help,” he writes in a blog.

Hunt, who has engaged advisory firm KPMG to help find a buyer for the service, says that running it alone has left him no time to consider what HIBP could become. “It was time for HIBP to grow up,” he says.

Hunt and KPMG have code-named the search ‘Project Svalbard’. Together they will look for an organisation that is a suitable home for HIBP.

“There are some very serious discussions to be had: where HIBP would fit into the organisation, how they'd help me achieve those bullet-pointed objectives above and frankly, whether it's the right place for such a valuable service to go. There are also some major personal considerations for me including who I'd feel comfortable working with, the impact on travel and family and, of course, the financial side of the whole thing,” Hunt writes.

He notes that people have asked why he can’t fund HIBP himself, take venture capital and hire staff; he says he does not want to take on that burden.

He admits that if HIBP is acquired by another company he doesn’t know exactly what that will mean for the site; however, he does have strong views on what should happen.

He writes:

1. “Freely available consumer searches should remain freely available. The service became this successful because I made sure there were no barriers in the way for people searching their data and I absolutely, positively want that to remain the status quo. That's number 1 on the list here for a reason.

2. I'll remain a part of HIBP. I fully intend to be part of the acquisition, that is some company gets me along with the project. HIBP's brand is intrinsically tied to mine and at present, it needs me to go along with it.

3. I want to build out much, much more capabilities-wise. There's a heap of things I want to do with HIBP which I simply couldn't do on my own. This is a project with enormous potential beyond what it's already achieved and I want to be the guy driving that forward.

4. I want to reach a much larger audience than I do at present. The numbers are massive as they are, but it's still only a tiny slice of the online community that's learning of their exposure in data breaches.

5. There's much more that can be done to change consumer behaviour. Credential stuffing, for example, is a massive problem right now and it only exists due to password reuse. I want HIBP to play a much bigger role in changing the behaviour of how people manage their online accounts.

6. Organisations can benefit much more from HIBP. Following on from the previous point, the services people are using can do a much better job of protecting their customers from this form of attack and data from HIBP can (and for some organisations, already does) play a significant role in that.

7. There should be more disclosure - and more data. I mentioned earlier how responsible disclosure was massively burdensome and Svalbard gives me the chance to fix that. There's a whole heap of organisations out there that don't know they've been breached simply because I haven't had the bandwidth to deal with it all.”
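The password check mentioned earlier, and the way an organisation can use HIBP data to block reused passwords at sign-up or login (points 5 and 6 above), both rest on the Pwned Passwords range API: the client SHA-1 hashes the password, sends only the first five hex characters of the digest to `https://api.pwnedpasswords.com/range/{prefix}`, and receives every known hash suffix in that range with a breach count, so the full password or hash never leaves the client. The following is an added example, not code from HIBP or from Troy Hunt; the `SAMPLE_RANGES` response body and its counts are constructed for the demo (only the suffix belonging to the word "password" is a genuine SHA-1 remainder), and the `OfflineRangeClient` class, `pwned_count` and `demo` functions are names chosen here for illustration.

```python
"""Pwned Passwords k-anonymity range check (added example, not HIBP's code)."""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into the
    5-character prefix that is sent to HIBP and the 35-character suffix
    that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' line per known hash.
    Malformed lines are skipped rather than trusted."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in Pwned Passwords (0 if
    unseen). fetch_range(prefix) must return the body of GET RANGE_URL+prefix;
    only the 5-character prefix is ever handed to it."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup against the HIBP API (not used by the offline demo)."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "hibp-range-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts
# with 5BAA6). Suffixes other than the "password" one, and all counts, are
# made up for this demo; they are not real HIBP data.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ]),
}


class OfflineRangeClient:
    """Stand-in for the network call (hypothetical helper) that records what
    was requested, so the demo can show only the prefix is ever sent."""

    def __init__(self, ranges: Dict[str, str]) -> None:
        self.ranges = ranges
        self.requested: List[str] = []

    def __call__(self, prefix: str) -> str:
        self.requested.append(prefix)
        # The real API returns lines for every prefix; the sample only has one.
        return self.ranges.get(prefix, "")


def demo() -> Tuple[int, int, List[str]]:
    """Check a breached password and a strong passphrase against the sample."""
    client = OfflineRangeClient(SAMPLE_RANGES)
    seen = pwned_count("password", client)
    unseen = pwned_count("correct horse battery staple 2019!", client)
    return seen, unseen, client.requested


if __name__ == "__main__":
    seen, unseen, sent = demo()
    print(f"'password' seen {seen} times; passphrase seen {unseen} times")
    print("prefixes sent to the API:", sent)
```

To run it against the live service, pass `fetch_range_live` instead of the offline client; a count greater than zero is the signal to reject the password, and the digest should be compared as the upper-case hex string the API uses.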
