A decade and a bit ago during my tenure at Pfizer, a colleague's laptop containing information about customers, healthcare providers and other vendors was stolen from their car. The machine had full disk encryption and it's not known whether the thief was ever actually able to ac … | Continue reading
In the last month, there were 1,260,000,000 occasions where a service somewhere checked a password against Have I Been Pwned's (HIBP's) Pwned Password API. 99.7% of the time, that check went no further than one of hundreds of Cloudflare edge nodes spread around the world (95% | Continue reading
When someone passed me hundreds of thousands of records on kids taken from CloudPets a few years ago, I had a nightmare of a time getting in touch with the company. They'd left a MongoDB instance exposed to the public without a password and someone had snagged all their data. | Continue reading
111 years ago almost to the day, a murder was committed which ultimately led to the first criminal trial to use fingerprints as evidence. We've all since watched enough crime shows to understand that fingerprints are unique personal biometric attributes and to date, no two people … | Continue reading
The greatest gift I can give my kids is a love of technology. I mean after all the usual Maslow's hierarchy of needs stuff, of course, the thing that I (and many of my readers) can instil in our kids is a deep passion for this life-altering and possibly career-defining | Continue reading
When the Ashley Madison data breach occurred in 2015, it made headline news around the world. Not just infosec headlines or tech headlines, but the headlines of major consumer media the likes my mum and dad would read. What was deemed especially newsworthy was the presence of ema … | Continue reading
I've spent more time IoT'ing my house over the last year than any sane person ever should. But hey, it's been strange times for all of us and it's kept me entertained whilst no longer travelling. Plus, it's definitely added to our lives in terms of the things it enables | Continue reading
I've got 2 massive things to announce today that have been a long time in the works and by pure coincidence, have aligned such that I can share them together here today. One you would have been waiting for and one totally out of left field. Both these announcements are | Continue reading
The headline is pretty self-explanatory so in the interest of time, let me just jump directly into the details of how this all works. There's been huge interest in this incident, and I've seen near-unprecedented traffic to Have I Been Pwned (HIBP) over the last couple of days, le … | Continue reading
If you've landed on this page because you saw a strange message on a completely different website then followed a link to here, drop a note to the site owner and let them know what happened. If, on the other hand, you're on this page because you're interested in reading | Continue reading
Two of my favourite things these days are Have I Been Pwned and Home Assistant. The former is an obvious choice, the latter I've come to love as I've embarked on my home automation journey. So, it was with great pleasure that I saw the two integrated recently: always something. | Continue reading
I've investigated hundreds of data breaches over the years (there are 514 of them in Have I Been Pwned as I write this), and for the most part, the situation with Gab is just another day on the internet. But Gab is also different, having grown dramatically in recent months | Continue reading
For about the last decade, a huge proportion of my interactions with people has been remote and across different cultures and time zones. Initially this was in my previous life at Pfizer due to the regional nature of my role and over the last six years, it's been as an | Continue reading
The first few parts of this series have all been somewhat technical in nature; part 1 was how much of a mess the IoT ecosystem is and how Home Assistant aims to unify it all, part 2 got into the networking layer with both Wi-Fi and Zigbee and in part | Continue reading
In part 1 of this series, I posited that the IoT landscape is an absolute mess but Home Assistant (HA) does an admirable job of tying it all together. In part 2, I covered IP addresses and the importance of a decent network to run all this stuff on, followed | Continue reading
In part 1, I deliberately kept everything really high level because frankly, I didn't want to scare people off. I'm not ashamed to say that the process of getting even the basics working absolutely did my head in as I waded through a sea of unfamiliar technologies, protocols and … | Continue reading
With the benefit of hindsight, this was a naïve question: Alright clever IoT folks, I've got two of these garage door openers, what do you reckon the best way of connecting them with Apple HomeKit is? https://t.co/i0RmjSMkkD — Troy Hunt (@troyhunt) April 25, 2020 In | Continue reading
It's increasingly hard to know what to do with data like that from Cit0Day. If that's an unfamiliar name to you, start with Catalin Cimpanu's story on the demise of the service followed by the subsequent leaking of the data. The hard bit for me is figuring out whether it's | Continue reading
I've had this blog post in draft for quite some time now, adding little bits to it as the opportunity presented itself. In a essence, it boils down to this: people expressing their displeasure when I post about a topic they're not interested in then deciding to have a whinge | Continue reading
Been a lot of "victim blaming" going on these last few days. The victim, through no fault of their own, has been the target of numerous angry tweets designed to ridicule their role in internet security and suggest they are incapable of performing their duty. Here's where it all s … | Continue reading
Sexuality, relationships and online dating are all rather personal things. They're aspects of our lives that many people choose to keep private or at the very least, share only with people of our choosing. Grindr is "The World's Largest Social Networking App for Gay, Bi, Trans, a … | Continue reading
Edit 1: The following day, I loaded another set of passwords which has brought this up to 320M. More on why later on. Edit 2: The API model described below has subsequently been discontinued in favour of the k-anonymity model launched with V2. Last week I wrote about Passwords … | Continue reading
I want a "secure by default" internet with all the things encrypted all the time such that people can move freely between networks without ever needing to care about who manages them or what they're doing with them. I'm a massive proponent of Let's Encrypt's and Cloudflare's miss … | Continue reading
You've possibly just found out you're in a data breach. The organisation involved may have contacted you and advised your password was exposed but fortunately, they encrypted it. But you should change it anyway. Huh? Isn't the whole point of encryption that it protects data when … | Continue reading
Almost one year ago now, I declared extended validation certificates dead. The entity name had just been removed from Safari on iOS, it was about to be removed from Safari on Mojave and there were indications that Chrome would remove it from the desktop in the future (they alread … | Continue reading
I love security. I love privacy. Consequently, it will come as no surprise that I love tools that help people achieve those objectives. Equally, I have no patience for false promises, and I've been very vocal about my feelings there: But one of them is literally called “Secure VP … | Continue reading
Let me just cut straight to it: I'm going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public for the | Continue reading
I was searching around for a quote a long the lines of you only being as good as the tools you use and somehow, I ended up down this rabbit hole of painters quotes and carpenters quotes and stuff about artists and their brushes. Then I started thinking it sounds | Continue reading
I love beer. This comes as no surprise to regular followers, nor should it come as a surprise that I maintain an Untappd account, logging my beer experiences as I (used to 😢) travel around the world partaking in local beverages. When I received an email from someone over … | Continue reading
Nearly 7 years ago now, I started a little pet project to index data breaches and make them searchable. I called it "Have I Been Pwned" and I loaded in 154M breached records which to my mind, was rather sizeable. Time went by, the breaches continued and the numbers rose. | Continue reading
I started writing this blog post alone in a hotel room in Budapest last September. It was at the absolute zenith of stress; a time when I had never been under as much pressure as I was right at that moment. Project Svalbard (the sale of HIBP which ultimately turned | Continue reading
Today, almost one year after the release of version 5, I'm happy to release the 6th version of Pwned Passwords. The data set has increased from 555,278,657 known compromised passwords to a grand total of 572,611,621, up 17,332,964 (just over 3%). As with previous | Continue reading
Pwned again. Damn. That's me who's pwned again because my personal data has just turned up in yet another incident from a source I can't attribute. Less than 3 weeks ago I wrote about The Unattributable "db8151dd" Data Breach which, after posting that blog post and a sample of my | Continue reading
The situation in Minneapolis at the moment (and many other places in the US) following George Floyd's death is, I think it's fair to say, extremely volatile. I wouldn't even know where to begin commentary on that, but what I do have a voice on is data breaches which prompted | Continue reading
I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It's about a data breach with almost 90GB of personal information in it across tens of millions of records - including mine. Here's what I know: | Continue reading
I was reticent to write this blog post because it leaves a lot of questions unanswered, questions that we should be able to answer. It's about a data breach with almost 90GB of personal information in it across tens of millions of records - including mine. Here's what I know: | Continue reading
Hey, did you hear that Facebook are going to start using your personal photos in whatever way they see fit? For real, it's going to start tomorrow unless you act quickly! All you have to do is copy and paste this message onto your own Facebook page and wammo - | Continue reading
If you're reading this, chances are you've arrived here from a link I sent you via email. That email would have been a reply to one you originally sent to me that would have sounded something like this: Hi, I came across your blog on [thing] and I must admit, | Continue reading
Over the last 2 years I've been gradually welcoming various governments from around the world onto Have I Been Pwned (HIBP) so that they can have full and unfettered access to the list of email addresses on their domains impacted by data breaches. Today, I'm very happy to announc … | Continue reading
Subject: Data Breach of [your service] Hi, my name is Troy Hunt and I run the ethical data breach notification service known as Have I Been Pwned: https://haveibeenpwned.com People regularly send me data from compromised systems which are being traded amongst individuals who coll … | Continue reading
I hate dodgy WiFi, hate it with a passion. I finally lost my mind with it a few years ago now so I went and shelled out good money on the full suite of good Ubiquiti gear. I bought a security gateway to do DHCP, a couple of switches for | Continue reading
Since launching version 2 of Pwned Passwords with the k-anonymity model just over 2 years ago now, the thing has really gone nuts (read that blog post for background otherwise nothing from here on will make much sense). All sorts of organisations are employing the service to keep … | Continue reading
This is going to be a lengthy blog post so let me use this opening paragraph as a summary of where Project Svalbard is at: Have I Been Pwned is no longer being sold and I will continue running it independently. After 11 months of a very intensive process culminating | Continue reading
Back in 2016, I wrote a blog post about the Martin Lewis Money show featuring HIBP and how it drove an unprecedented spike of traffic to the service, ultimately knocking it offline for a brief period of time. They'd given me a heads up as apparently, that's what the program | Continue reading
Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. How? NIST explains: When process … | Continue reading
Today is Safer Internet Day which marks the annual occurrence of parents thinking about their kids' online presence (before we go back to thinking very little about it tomorrow!) It's also the day the Courier-Mail here in my home state of Queensland published a piece on sharentin … | Continue reading
I've had this blog post in one form or another of draft for several years now. I hesitated to complete it, in part because at the best of times cultural observations can easily be misinterpreted and also in part because of the role I had in working with many outsourcing | Continue reading
This is a blog post about disclosure, specifically the difficulty with doing it in a responsible fashion as the reporter whilst also ensuring the impacted organisation behaves responsibly themselves. It's not a discussion we should be having in 2020, a time of unprecedented regul … | Continue reading