The Rise of ‘Have I Been Pwned?’, an Invaluable Resource in the Hacking Age
From Ashley Madison to everyday breaches, Troy Hunt's site tries to keep victims in the loop.
Troy Hunt, who runs Have I Been Pwned? Photo courtesy Troy Hunt
Troy Hunt has a database of 292,434,781 stolen user accounts.
The staggering amount of hacked data includes information sourced from 91 different websites that were compromised by hackers, including Adobe (152,445,165 accounts), Snapchat (4,609,615 accounts), and YouPorn (1,327,567 accounts).
But, as you may already know, Hunt doesn't distribute or sell this data. Instead, it's the backbone of Have I Been Pwned (HIBP), a website dedicated to informing victims of data breaches. ("Pwned," in case you're not familiar, is a slang term for being hacked, or otherwise having your digital security compromised.)
The idea is simple enough: enter your email into HIPB, verify that you control it, and then the site will let search through its hundreds of millions of records, and return results of any breaches you've been swept up in. Potential victims will also be notified if their email address appears in any future dumps that Hunt obtains.
Although many of the original data breaches include even more sensitive information like credit card information and passwords, Hunt only saves the user names and email addresses, so that people can find out whether they've been affected in a data breach.
Around 10,000 people visit HIBP every day, and 350,000 people have subscribed to getting an email notification if their information appears in a new breach.
Hunt started the site back in late 2013. At the time, Hunt, an Australian web security expert, was analyzing trends in data breaches, such as the common reuse of passwords across different dumps. He got the idea after noticing how many massive data breaches affect large numbers of people—people who may have had no idea they'd been compromised.
"Probably the main catalyst was Adobe," Hunt said. In October 2013, 153 million Adobe accounts, including email addresses, usernames, hashed passwords and plain text password hints were breached. But naturally, Adobe wasn't the only large dump circulating around that time: breaches from Gawker, Yahoo, and Sony were all being traded too.
These people might not necessarily have any malicious interest in the data itself, but simply collect, swap and archive data sets
"I started to wonder how many people are actually aware of jut how broad this web is spreading, and how many places their data is now exposed," Hunt said. With that, he starting putting together the pieces for HIBP, and wrote the first version in the middle of a flight.
Data breaches are incredibly common today. If someone is victimized, they are at risk of hackers logging into accounts, the theft of financial information, and more besides. And often, companies don't notify their customers of a breach until long after it's happened, leaving them even more vulnerable to attacks. If a victim is aware of the breach as soon as it happens, they can at least reset their credentials or be more vigilant to protect themselves.
"I want the people to be aware that they probably need to change their password, and they need to look out for unusual credit inquires," Hunt said.
How Hunt gets that data varies from case to case. Sometimes, a public-facing individual who has come across the dump will send it Hunt's way; other times, someone involved in the illegal trading of stolen data will forward a copy.
"There is a massive trade in stolen data," Hunt said, liking it to the collection of baseball cards. These people might not necessarily have any malicious interest in the data itself, but simply collect, swap and archive data sets.
"Sometimes it takes four, five years before data either comes my way, or just begins to be broadly circulated," Hunt said.
But sometimes the hackers who carried out the breach will contact Hunt directly and provide newly obtained data.
"Frankly, it pisses me off when I hear from these guys," said Hunt, who wants to ask the hackers, "What is wrong with you?"
"Running this service exposes me to the shadier side of the web, and consequentially some shady people," he said.
On the face of it, a hacker obtaining a dump, and then sending it to Hunt who plans to allow people to check its contents for free is pretty counterintuitive. But hackers are pulled by all sorts of different motivations, be those for ideology or fame as well as cash.
"It's exposure, it's kudos, it's credibility," Hunt added.
The site includes breaches from Forbes, Comcast, and Patreon, and even more personal services, such as AdultFriendFinder, YouPorn, and extra-marital affairs site Ashley Madison.
The publication of gigabytes of user data from Ashley Madison stood out to Hunt as particularly damaging. "I don't think we've seen another breach where people have killed themselves as a result of it," he said. The records of some 30 million user accounts were dumped online in 2015.
Another stand-out breach for Hunt was VTech, the Hong Kong toy company, which not only contained account information, but photos of children too.
"I haven't seen [another] data breach that impacted kids that way," Hunt added.
There have been data breaches that Hunt has decided not to host, however.
"Other times I've outright said no, or I've reported it to the companies," he said.
One of those was from a Dutch financial system that facilitated transactions between banks. Hunt received the data, got in touch with the affected company, and suggested they inform their customers.
One reason for this was because of possible legal ramifications.
"I want to be able to keep this service running, and I don't want to step on the wrong side of an organization, such that one of them gets a bee in their bonnet, and then takes legal action," Hunt said. In a case like that, he wouldn't want the company first learning of the serious breach via a public posting on HIBP.
To date, Hunt hasn't faced any legal action because of his site, but law enforcement have asked him for more information about what exactly was contained in a specific breach.
"I've had queries from FBI, Australian Federal Police, other law enforcement, legal professionals wanting to mount class actions: none of these, in any way [were] upset with what I'm doing with haveibeenpwned, but most of them [wanted] to understand more about the data," he continued.
As for what he has learned from years of collating breaches, Hunt says it's the free or cheap sites in particular that have exhibited really rubbish security over the years.
"There can be no way that those who manage the software development in these organizations, are not aware," of the myriad of breaches that are going on, everyday, all around the web, Hunt said.
"Tomorrow it will be someone else, in exactly the same boat. It just frustrates me enormously."