Breach checking website Have I Been Pwned is up for grabs

13 Jun 2019

The man behind the popular breach checking website Have I Been Pwned is stepping down from his esteemed post as sole manager of the site, and although he wants the site to grow, he doesn’t know exactly what the future will hold.

Australia-based Troy Hunt, who is well known in security circles and recognised by Microsoft, created Have I Been Pwned (HIBP) back in 2013 as a response to the increasingly serious data breaches of the time, such as the Sony Pictures breach.

HIBP allows anyone to type in their email address or password and find out whether it has appeared in a data breach. As of June 13, 2019, the site has indexed more than 7.8 billion breached accounts from companies such as LinkedIn, MySpace, and Dubsmash.

However, Hunt admits that sourcing and compiling databases of compromised content has been ‘enormously stressful’ as HIBP grew.

“Sure, I can handle billions of breached records and single-handedly run a massive online data breach service that’s been used by hundreds of millions of people, but this was a whole different ballgame. It was time to get help,” he writes in a blog.

Hunt, who has been in talks with enterprises including KPMG about a possible acquisition, says that he simply hasn’t had time to consider what HIBP could do. “It was time for HIBP to grow up,” he says.

Hunt and KPMG came up with a project name, called ‘Project Svalbard’. Both teams will work together to find a company that could be suitable for taking on HIBP.

“There are some very serious discussions to be had: where HIBP would fit into the organisation, how they'd help me achieve those bullet-pointed objectives above and frankly, whether it's the right place for such a valuable service to go. There are also some major personal considerations for me including who I'd feel comfortable working with, the impact on travel and family and, of course, the financial side of the whole thing,” Hunt writes.

He notes that people have asked why he can’t fund HIBP himself, turn to venture capital, and hire new people; however, he does not want to commit to that burden.

He admits that if HIBP is acquired by another company, he doesn’t know what that will mean for the site; however, he does have strong views on what it should mean.

He writes:

1. “Freely available consumer searches should remain freely available. The service became this successful because I made sure there were no barriers in the way for people searching their data and I absolutely, positively want that to remain the status quo. That's number 1 on the list here for a reason.

2. I'll remain a part of HIBP. I fully intend to be part of the acquisition, that is some company gets me along with the project. HIBP's brand is intrinsically tied to mine and at present, it needs me to go along with it.

3. I want to build out much, much more capabilities wise. There's a heap of things I want to do with HIBP which I simply couldn't do on my own. This is a project with enormous potential beyond what it's already achieved and I want to be the guy driving that forward.

4. I want to reach a much larger audience than I do at present. The numbers are massive as they are, but it's still only a tiny slice of the online community that's learning of their exposure in data breaches.

5. There's much more that can be done to change consumer behaviour. Credential stuffing, for example, is a massive problem right now and it only exists due to password reuse. I want HIBP to play a much bigger role in changing the behaviour of how people manage their online accounts.

6. Organisations can benefit much more from HIBP. Following on from the previous point, the services people are using can do a much better job of protecting their customers from this form of attack and data from HIBP can (and for some organisations, already does) play a significant role in that.

7. There should be more disclosure - and more data. I mentioned earlier how responsible disclosure was massively burdensome and Svalbard gives me the chance to fix that. There's a whole heap of organisations out there that don't know they've been breached simply because I haven't had the bandwidth to deal with it all.”
