Behind the Scenes at 'Have I Been Pwned'

The founder of the data-breach notification site Have I Been Pwned manages "the largest known repository of stolen data on the planet," reports Australia's public broadcaster ABC, including over 6 billion email address. Yet with no employees, Troy Hunt manages all of the technical and operational aspects single-handedly, and "has ended up playing an oddly central role in global cybersecurity." Troy is very careful with how he handles what he finds. He only collects (and encrypts) the mobile numbers, emails and passwords that he finds in the breaches, discarding the victims' names, physical addresses, bank details and other sensitive information. The idea is to let users find out where their data has been leaked from, but without exposing them to further risk. Once he identifies where a data breach has occurred, Troy also contacts the organisation responsible to allow it to inform its users before he does. This, he says, is often the hardest step of the process because he has to convince them it's legitimate and not some kind of scam itself.

He's not required to give organisations this opportunity, much less persist when they ignore his messages or accuse him of trying to shake them down for money. But there's evidence that this approach is working. Despite the legal grey area he has operated in for a decade now, he's avoided being sued by any of the organisations responsible for the 705 breaches that are now searchable on Have I Been Pwned. These days, major tech companies like Mozilla and 1Password use Have I Been Pwned, and Troy likes to point out that dozens of national governments and law enforcement agencies also partner with his service...

"He's not a company that's audited. He's just a dude on the web," says Jane Andrew, an expert on data breaches at the University of Sydney. "I think it's so shocking that this is where we find out information about ourselves. She says governments and law enforcement have, in general, left it to individuals to deal with the fallout from data breaches... Without an effective global regulator, Professor Andrew says, a crucial part of the world's cybersecurity infrastructure is left to rely on the goodwill of this one man on the Gold Coast.
Thanks to long-time Slashdot reader slincolne for sharing the article.

"Have I Been Pwned"?

[davide marney]

YES

Re:

[myowntrueself]

YES

If you live in a 5-eyes country, its the responsibility of your security and intelligence services to ensure that their intelligence partners are able to pwn you!

Re:

[dohzer]

Unfortunately the headline doesn't include a question mark, so it's not a valid test of Betteridge's law.

Re:

[AmiMoJo]

The name is a bit of a misnomer, because all they actually do is tell you if your email address appeared in a data leak, and if the passwords appear to be properly salted and hashed.

Determining if you have been p0wned or not requires you to know if the account was important or throw-away, and if your password was re-used elsewhere. If you did your security right, it shouldn't really matter if some random website leaked your email address and password.

Hats Off.

[zenlessyank]

Just goes to show who really cares. Ironically, it is just a dude from the internet.

I've noticed, now hopefully others will too. Kudos to you.

Obligatory XKCD

[Visarga]

Obligatory XKCD https://xkcd.com/2347/ [xkcd.com]

Re:

[insnprsn]

Obligatory XKCDs are the best!

Here's the link

[Hoi Polloi]

For anyone who wants a link to click on: https://haveibeenpwned.com/ [haveibeenpwned.com]

Re:

[supremebob]

This service would be a lot more useful if they provided a list of passwords (or at least partial passwords) they collected as part of the breach.

Telling me that the "breach contained e-mail addresses and passwords" isn't all that useful to me, because I have a short e-mail address (First Name and last initial @ gmail.com) and people randomly sign up for shit using my e-mail address all the time. Some of it seems accidental (like receipts for purchases), while others are phishing attempts and salespeople wh

Re: Here's the link

[Junta]

I have downloaded their password database before. You have to apply one way crypt rather than just grepping, but it's not too hard to make something to do the hash and search the hashes for the password.

You don't know which username goes to which password, but if your password appears then it's unsafe no matter what.

Re:

[C18H27NO3]

That's why I like having my own domain.

* If prompted for an address just make something up, with the name referencing the purpose, (e.g. forslashdot@example.com)
* Unique email address for any site/other purpose. Since they're unique to any entity you know exactly who got breached.
* With a catch-all you can make up addresses to use but don't actually have to create the addresses on your end because you'll just get the emails.
* You can reply with that unique address in kind, even though that address doesn't

Re:

[AmiMoJo]

Your browser can check if your password was part of a leak using the haveibeenpwned service. Chrome has it built into its password manager, and so does Firefox. Of course, you have to let them remember your password for it to work.

The fact that your particular password was leaked is largely irrelevant though, if you are doing the sensible thing and having a unique random password for every website. At worst that one website was compromised, and even if your password wasn't part of the leak it would be prude

Re:

[supremebob]

That's the point that I'm trying to make. MY password didn't get owned, someone else's did. This makes sense, because if I'm being a jerk and making a throwaway account with someone else's e-mail address, I'm probably not going to put any real effort in making it unique.

Re:

[Toad-san]

And DO check out the list of web sites and companies that have been breached. Damn, I'm not even through the "A's" yet, and I'm already disgusted :-( And yes, of course my own email address has been compromised. Undoubtedly that's where all the spam is coming from :-(

Seems like a great tool for criminals

[Baron_Yam]

If nobody is watching the queries and reporting unusual activity... this system seems like a great way for criminals to tell if anyone is yet aware they've stolen specific credentials.

Why not check with this site just before you use what you've stolen, and perhaps save yourself some trouble?

Re:

[test321]

What the website does is to collect dumps that are available on known darknet forums. This website does not have any information that would not already be known to the criminals who performed the hack then posted the dump (as a retaliation when the victim company refused to pay the ransom).

Re:

[bloodhawk]

The site collects data and dumps that are already in the public space which if they are their then you have to assume the company is aware of it. The real value of such data is not for use against the place it was stolen from anyway, it is most users are fucking morons and reuse passwords and email accounts everywhere so it doesn't matter whether the company you stole it from is aware as the other 50 places with the same password and user name won't be aware.

not the only one

[awwshit]

How many others collect the same info and do not throw away the PII?

We've all been pwned.

I checked mine

[ShooterNeo]

17! fucking companies, most of them not small outfits, leaked my fucking data. LinkedIn and Epic Games being among them.

It was useful long ago.

[battingly]

Once upon a time it was noteworthy to learn that your email address had been exfiltrated in a breach. Now days it would only be noteworthy if it wasn't.