How Troy Hunt Is Alerting Web Users Ensnared in Huge Data Breaches
"It started as a hobby," Hunt said. "I didn't expect it to become so successful. The thing about the service is that it responds to events." Those events in many cases were fairly small breaches, but the traffic on his Website reached past 100,000 a day very quickly.
Then came the Ashley Madison data breach. The Website called Ashley Madison is a Canadian operation designed to connect married people with others who want an illicit affair. When the Ashley Madison breach became public, it made world news. It also drove the haveibeenpwned.com traffic through the roof. Instantly, Hunt was seeing numbers above a million a day.
Despite the titillation factor of the Ashley Madison breach, the LinkedIn breach was far worse, and for Hunt, it was a lot more work. "We have a breach that's five times Ashley Madison," he explained. "I have this notification feature where people can subscribe for free and I'll send them an email. It's not easy sending 180,000 emails in a single go." Hunt said that he has a dedicated email service that he uses for breach alerts.
"I had to invest a lot of time," Hunt said. "One of the reasons I built this [is] I wanted to use Microsoft's Azure cloud platform. This has allowed me to style and grow. I had a 57,000 percent increase with Ashley Madison. Everything this service does is use one form of cloud-based service or another."
Unfortunately, Hunt doesn't expect that there will be a way to fix the fundamental problem behind those data breaches any time soon. "We're getting into a very competitive market where people are rushing things to market, and people expect things for free." He said that, as a result, the security of the data behind many online systems is at best an afterthought. Worse, he said that people don't understand the technology they're using and they have no understanding of the security risks they're exposed to as a result.
"This is a hard problem because it comes back to the people building the software," Hunt said.
"We have so many developers, particularly those coming through emerging markets where they churn them quickly just to get them developing code." The result is that many of those developers may not even know anything about secure coding.
So what's next for Hunt and his project? Right now, it's unclear. Hunt depends on donations to help support the significant costs of running his Website. For now they're covering the costs. In addition, he's happy to take donations even in the form of beer and movie tickets for his kids. But he's worried about the future.
"I think it will continue to evolve," he said. "At some point, it may mean it's too risky to run or too legally dubious." And if that happens, the industry will be without what is one of the best public services available on the Net.
And where does he find that information? It turns out that people send Hunt the databases of stolen information, mostly on their own. He said he's received the data from white hat hackers who found it and from black hat hackers who sent it for their own reasons, and lately it's started coming from the companies that were breached.