SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Breach checking website Have I Been Pwned is up for grabs
Thu, 13th Jun 2019

The man behind the popular breach checking website Have I Been Pwned is stepping down from his esteemed post as sole manager of the site, and although he wants the site to grow, he doesn't know exactly what the future will hold.

Australia-based Troy Hunt, who is well known in security circles and recognised by Microsoft, created Have I Been Pwned (HIBP) back in 2013 in response to the increasingly serious data breaches of the time, such as the Sony Pictures breach.

HIBP allows anyone to type in their email address or password and find out whether it has appeared in a data breach. As of 13 June 2019, the site has catalogued more than 7.8 billion breached accounts from companies such as LinkedIn, MySpace, and Dubsmash.

However, Hunt admits that sourcing and compiling databases of compromised data became ‘enormously stressful’ as HIBP grew.

“Sure, I can handle billions of breached records and single-handedly run a massive online data breach service that's been used by hundreds of millions of people, but this was a whole different ballgame. It was time to get help,” he writes in a blog.

Hunt, who has been in talks with enterprises including KPMG about a possible acquisition, says that he simply hasn't had time to consider what HIBP could do. “It was time for HIBP to grow up,” he says.

Hunt and KPMG gave the effort a code name, ‘Project Svalbard’. Both teams will work together to find a company that would be suitable to take on HIBP.

“There are some very serious discussions to be had: where HIBP would fit into the organisation, how they'd help me achieve those bullet-pointed objectives above and frankly, whether it's the right place for such a valuable service to go. There are also some major personal considerations for me including who I'd feel comfortable working with, the impact on travel and family and, of course, the financial side of the whole thing,” Hunt writes.

He notes that people have asked why he can't fund HIBP himself, take venture capital, and hire new people, but he does not want to take on that burden.

He admits that if HIBP is acquired by another company, he doesn't know what that will mean for the site; he does, however, have strong views on what should happen.

He writes:

1. “Freely available consumer searches should remain freely available. The service became this successful because I made sure there were no barriers in the way for people searching their data and I absolutely, positively want that to remain the status quo. That's number 1 on the list here for a reason.

2. I'll remain a part of HIBP. I fully intend to be part of the acquisition, that is, some company gets me along with the project. HIBP's brand is intrinsically tied to mine and at present, it needs me to go along with it.

3. I want to build out much, much more capabilities-wise. There's a heap of things I want to do with HIBP which I simply couldn't do on my own. This is a project with enormous potential beyond what it's already achieved and I want to be the guy driving that forward.

4. I want to reach a much larger audience than I do at present. The numbers are massive as they are, but it's still only a tiny slice of the online community that's learning of their exposure in data breaches.

5. There's much more that can be done to change consumer behaviour. Credential stuffing, for example, is a massive problem right now and it only exists due to password reuse. I want HIBP to play a much bigger role in changing the behaviour of how people manage their online accounts.

6. Organisations can benefit much more from HIBP. Following on from the previous point, the services people are using can do a much better job of protecting their customers from this form of attack and data from HIBP can (and for some organisations, already does) play a significant role in that.

7. There should be more disclosure - and more data. I mentioned earlier how responsible disclosure was massively burdensome and Svalbard gives me the chance to fix that. There's a whole heap of organisations out there that don't know they've been breached simply because I haven't had the bandwidth to deal with it all.
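Hunt's fifth and sixth points above, that credential stuffing only works because of password reuse and that online services can use HIBP data to protect their customers from it, are the part of this story a defender can act on directly. The following is an added illustration and not code from the article, from Hunt or from HIBP itself. It mirrors the shape of HIBP's Pwned Passwords range lookup (the client sends only the first five hex characters of the password's SHA-1 and matches the remaining suffix locally, so the password itself never leaves the service checking it), but it runs entirely offline against a small breached-password sample constructed here. The sample passwords and their counts, and the `breach_count`, `offline_range_lookup` and `should_reject` names, are assumptions of this example rather than anything the article states.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed sample standing in for a breached-password corpus.
# Values are illustrative only; no real HIBP data is embedded here.
BREACHED_SAMPLE: Dict[str, int] = {
    "password123": 1_200_000,
    "letmein": 450_000,
    "qwerty": 3_900_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the digest the range scheme is keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(breached: Dict[str, int]) -> Dict[str, List[str]]:
    """Index the constructed sample by 5-hex-char prefix. Each bucket holds
    'SUFFIX:COUNT' lines, the same layout a range response is made of."""
    table: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        table.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return table


def offline_range_lookup(table: Dict[str, List[str]]) -> Callable[[str], str]:
    """Return a lookup(prefix) -> response-body function backed by the local
    table. A live deployment would swap in an HTTP call for the same prefix;
    the rest of the logic does not change."""
    def lookup(prefix: str) -> str:
        return "\r\n".join(table.get(prefix, []))
    return lookup


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus, or 0 if never.
    Only the 5-char prefix is handed to range_lookup; the 35-char suffix is
    compared locally against every candidate the bucket returns."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def should_reject(password: str, range_lookup: Callable[[str], str],
                  threshold: int = 1) -> bool:
    """Policy hook for a signup or password-change form: refuse any password
    seen at least `threshold` times. A service can raise the threshold if it
    would rather warn than block for rarely-seen passwords."""
    return breach_count(password, range_lookup) >= threshold


LOOKUP = offline_range_lookup(build_range_table(BREACHED_SAMPLE))

if __name__ == "__main__":
    for candidate in ("password123", "qwerty", "a long unique passphrase 7!"):
        seen = breach_count(candidate, LOOKUP)
        verdict = "reject" if should_reject(candidate, LOOKUP) else "accept"
        print(f"{candidate!r}: seen {seen} time(s) -> {verdict}")
```

Because the suffix comparison happens on the caller's side, the party answering the range query learns only that one of roughly a million possible hashes was of interest, which is what makes it acceptable for a service to run this check on every new password rather than only on a sample.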