I've known about the Have I Been Pwned Website for a couple of years, and I decided to check it out to see if it was legitimate. The site was created to alert Web users if their online identities have been compromised in cyber-attacks and data breaches.
So I entered in my email addresses and asked to be notified if the site ever came across any evidence that my information had been stolen.
I immediately heard that I'd been caught in the vast Adobe breach of a few years ago, but I already knew about that and had changed my password. I mentioned the site in my published articles a couple of times afterward, but mostly didn't think about it.
Then I got a disturbing email. The email alert system from the Website sent me a notice that my user name and password had been compromised in the even more vast LinkedIn breach of four years ago. While I knew about that breach as well, I hadn't given it a lot of thought because LinkedIn had told users that they would notify anyone who had been included in the breach, and I hadn't been notified.
Just the same, I changed my LinkedIn password. I changed it once after I heard about the breach, and then I changed it again later because I'd decided that the new password was too easy to guess. Then I didn't think about it again until it was time for my regular password changes.
But then I got the latest alert from Have I Been Pwned. I asked myself whether I was sure that there was no vestige of my old password around anywhere, so I got to changing passwords again. But I began wondering about the person who ran this site and why he seemed to be able to ferret out this information that normally resides on what the television shows like to call the "Dark Web."
I went back to the Website and looked up the details on the person who operates it, Troy Hunt, and learned more about him. Hunt, it seems, is the real deal. He's a Microsoft regional director and MVP, and he speaks all over the world on security. He also runs a company that creates educational software.
Intrigued, I emailed Hunt and asked if we could talk. The next afternoon. I contacted Hunt via Skype, and found myself talking to him as he sipped his morning coffee, framed against the tan stucco of his house and the crystal blue sky of the Australian morning. I immediately envied him as I reflected on the 25 days of continuous cold drizzle that had inflicted the Washington, D.C., region.
I asked him where all of this started. The Adobe breach was the beginning. "This started around October 2013," Hunt said. "Back then I'd been analyzing data breaches. One of the things that struck me was when you had the same person appearing in multiple data breaches. It built this rich profile. Most of the time they didn't even know."
Hunt said that he thought it would be helpful if he could somehow tell those people what he found, and so he set up his Website so that people could indicate an interest in being alerted. Hunt said that it started to get traction almost immediately because this was the beginning of the really big data breaches and people were worried.