The Biggest Data Breach Archive On the Internet Is For Sale

Troy Hunt, the owner and founder of the well-known and respected data breach notification website "Have I Been Pwned," announced today that he's actively looking for a buyer.

"To date, every line of code, every configuration and every breached record has been handled by me alone. There is no 'HIBP team,' there's one guy keeping the whole thing afloat," Hunt wrote. "It's time for HIBP to grow up. It's time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that's able to do way more than what I ever could on my own." Motherboard reports: Over the years, Have I Been Pwned has become the repository for data breaches on the internet, a place where users can search for their email address and see whether they have been part of a data breach. It's now also a service where people can sign up to get notified whenever their accounts get breached. It's perhaps the most useful, free, cybersecurity service in the world. Hunt said he's already had informal conversations with some organizations that might be interested in buying the service. Hunt said he's engaged the financial consulting firm KPMG to look for a buyer.

In the post, Hunt shared some staggering numbers that explain just how big Have I Been Pwned has become: 8 billion breached records, nearly 3 million people subscribed to notifications, who have been emailed about a breach 7 million times, 150,000 unique visitors to the site on a normal day, 10 million on an abnormal day. Regardless of who buys the site, Hunt made a series of commitments on the future of Have I Been Pwned: searches should remain free for consumers, the platform should expand and grow, and, finally, he wants to stay involved in some capacity.

Re: FTFY

[cyber-vandal]

Nothing. This person has a bad case of OMB (Orange Man Bad) that has stripped them of all rational thought and has instilled an irrational hatred of gay men.

Re: FTFY

[cyber-vandal]

Why do you hate gay men so much?

Re: FTFY

[cyber-vandal]

You use that homophobic slur constantly so you clearly hate gay men. I'm not a US citizen so I can't be a traitor to the US but you're going to be very disappointed if you think all the nasty Trump supporters are going to jail.

Re: FTFY

[cyber-vandal]

What's strong and tough about anonymously throwing homophobic slurs on the internet at people you don't know.

Re: FTFY

[cyber-vandal]

Start shouting that word at any left-leaning convention and see what happens. Or do it at work and see how quickly you end up being disciplined. You have a choice of many insults but you chose the one that implies that homosexuality is bad. Ergo you are a homophobic potty-mouthed child, no better than a lot of the people you hate.

Lots of companies could run such a site.

[Anonymous Coward]

But only very few I would trust. I would never submit my email address to any site owned by Google, Facebook or Microsoft for example.

Mozilla would probably be the best choice.

Re:

[AmiMoJo]

I wonder if there are privacy implications. The databases likely contain a lot of personal information. Real names, DoB, email addresses etc.

Not sure what the laws are in Australia, but there are GDPR implications here.

Re:

[doesnothingwell]

My least favorite security company choice would be Symantec, so many bad things, so many bad things.

Re: Googlie gonna git it

[Anonymous Coward]

And do to it what they did to DejaNews.

Sort of like the guy in seven with all the pine tree scent. That is what google groups is like.

Without transparency it is nothing

[Kernel Kurtz]

That the important point the founder brought to the table. Tons of companies will happily buy this for its perceived commercial value, and it will be sketchy forever after.

Re:

[AmiMoJo]

Hopefully Troy will only sell to someone reputable. Google uses the database, as well as a number of other security focused companies.

The only issue I can see is GDPR compliance. Any big company will be affected by GDPR and the leaked data likely contains PI.

Commitments, hey

[martinX]

1. The buyer will squeeze him out within 6 months. 12 tops.
2. The buyer will start making deals with companies that have suffered breaches to keep their breach quiet. For a while. For a fee.
3. The platform will stagnate.

Re:

[Anonymous Coward]

exactly this! he went and talked to M&A people at KPMG, of course they are going to sell him on the idea that his commitments will actually mean something after what he hopes is a merger between his company and some other company. His commitments mean squat if its an acquisition and they dont really hold up in the case of a merger either as a more powerful entity that he is merging with can easily squeeze him out if they feel like his presence is standing in the way of more profits.

Pay attention people,

Pretty impressive

[grilled-cheese]

It's a testament to his ability to keep it alive and thriving by himself this long at that scale for something this important.

Re:

[AmiMoJo]

I'm surprised he couldn't find anyone to pay him. Lots of companies use his database, e.g. Lastpass and Google both use it to warn against using leaked passwords. Surely between them they could throw him a few bucks, enough to hire someone to manage the system.

Money

[Fusen]

Unfortunately when money starts to get involved things go down hill.

If someone buys this then they are going to realistically want some sort of return on the investment and when they want money back then the end user will start to lose things.

You can argue that someone has to pay for these things and nothing in life is free but it's simply the case that as soon as people view something as a way to make money then users suffer.

I know a good buyer...

[panja]

This sounds like a job for Mozilla. Considering they're already using the list..