I’ve known about the Have I Been Pwned Website for a couple of years, and I decided to check it out to see if it was legitimate. The site was created to alert Web users if their online identities have been compromised in cyber-attacks and data breaches.
So I entered in my email addresses and asked to be notified if the site ever came across any evidence that my information had been stolen.
I immediately heard that I’d been caught in the vast Adobe breach of a few years ago, but I already knew about that and had changed my password. I mentioned the site in my published articles a couple of times afterward, but mostly didn’t think about it.
Then I got a disturbing email. The email alert system from the Website sent me a notice that my user name and password had been compromised in the even more vast LinkedIn breach of four years ago. While I knew about that breach as well, I hadn’t given it a lot of thought because LinkedIn had told users that they would notify anyone who had been included in the breach, and I hadn’t been notified.
Just the same, I changed my LinkedIn password. I changed it once after I heard about the breach, and then I changed it again later because I’d decided that the new password was too easy to guess. Then I didn’t think about it again until it was time for my regular password changes.
But then I got the latest alert from Have I Been Pwned. I asked myself whether I was sure that there was no vestige of my old password around anywhere, so I got to changing passwords again. But I began wondering about the person who ran this site and why he seemed to be able to ferret out this information that normally resides on what the television shows like to call the “Dark Web.”
I went back to the Website and looked up the details on the person who operates it, Troy Hunt, and learned more about him. Hunt, it seems, is the real deal. He’s a Microsoft regional director and MVP, and he speaks all over the world on security. He also runs a company that creates educational software.
Intrigued, I emailed Hunt and asked if we could talk. The next afternoon, I contacted Hunt via Skype, and found myself talking to him as he sipped his morning coffee, framed against the tan stucco of his house and the crystal blue sky of the Australian morning. I immediately envied him as I reflected on the 25 days of continuous cold drizzle that had afflicted the Washington, D.C., region.
I asked him where all of this started. The Adobe breach was the beginning. “This started around October 2013,” Hunt said. “Back then I’d been analyzing data breaches. One of the things that struck me was when you had the same person appearing in multiple data breaches. It built this rich profile. Most of the time they didn’t even know.”
Hunt said that he thought it would be helpful if he could somehow tell those people what he found, and so he set up his Website so that people could indicate an interest in being alerted. Hunt said that it started to get traction almost immediately because this was the beginning of the really big data breaches and people were worried.
How Troy Hunt Is Alerting Web Users Ensnared in Huge Data Breaches
“It started as a hobby,” Hunt said. “I didn’t expect it to become so successful. The thing about the service is that it responds to events.” Those events in many cases were fairly small breaches, but the traffic on his Website reached past 100,000 a day very quickly.
Then came the Ashley Madison data breach.
The Website called Ashley Madison is a Canadian operation designed to connect married people with others who want an illicit affair. When the Ashley Madison breach became public, it made world news. It also drove the haveibeenpwned.com traffic through the roof. Instantly, Hunt was seeing numbers above a million a day.
Despite the titillation factor of the Ashley Madison breach, the LinkedIn breach was far worse, and for Hunt, it was a lot more work. “We have a breach that’s five times Ashley Madison,” he explained. “I have this notification feature where people can subscribe for free and I’ll send them an email. It’s not easy sending 180,000 emails in a single go.” Hunt said that he has a dedicated email service that he uses for breach alerts.
And where does he find that information? It turns out that people send Hunt the databases of stolen information, mostly on their own. He said he’s received the data from white hat hackers who found it and from black hat hackers who sent it for their own reasons, and lately it’s started coming from the companies that were breached.
“I had to invest a lot of time,” Hunt said. “One of the reasons I built this [is] I wanted to use Microsoft’s Azure cloud platform. This has allowed me to scale and grow. I had a 57,000 percent increase with Ashley Madison. Everything this service does is use one form of cloud-based service or another.”
Unfortunately, Hunt doesn’t expect that there will be a way to fix the fundamental problem behind those data breaches any time soon.
“We’re getting into a very competitive market where people are rushing things to market, and people expect things for free.” He said that, as a result, the security of the data behind many online systems is at best an afterthought. Worse, he said that people don’t understand the technology they’re using and they have no understanding of the security risks they’re exposed to as a result.
“This is a hard problem because it comes back to the people building the software,” Hunt said. “We have so many developers, particularly those coming through emerging markets where they churn them quickly just to get them developing code.” The result is that many of those developers may not even know anything about secure coding.
So what’s next for Hunt and his project? Right now, it’s unclear. Hunt depends on donations to help support the significant costs of running his Website. For now they’re covering the costs. In addition, he’s happy to take donations even in the form of beer and movie tickets for his kids. But he’s worried about the future.
“I think it will continue to evolve,” he said. “At some point, it may mean it’s too risky to run or too legally dubious.” And if that happens, the industry will be without what is one of the best public services available on the Net.