This article is more than 1 year old

Have I Been S0ld? Troy Hunt's security website is up for acquisition

'Time to grow up,' says geek behind breach database

Troy Hunt, inventor and operator of the popular security website Have I Been Pwned (HIBP), is putting the service up for sale.

Hunt, a Microsoft Regional Director and MVP for security, created the site in 2013 after Adobe leaked 153 million usernames and weakly encrypted passwords. Users can enter an email address and discover if it is included in the exposed data. You can also enter a password to see if it features in a data breach.

The site was soon extended with data from other breaches and now contains nearly 8 billion records. HIBP publishes an API which gets over 12 million hits a day, most of them checking whether a password is safe to use. Mozilla's Firefox is one of a number of products that integrate with the API to help users choose strong passwords. Commercial subscribers, governments and law enforcement agencies use the service too.

Hunt said in today's announcement that "to date, every line of code, every configuration and every breached record has been handled by me alone. There is no 'HIBP team', there's one guy keeping the whole thing afloat."

Common passwords have been leaked, this one over 1 million times

He said that maintaining the site has been stressful and has taken him close to burnout. He believes it is time to put the business up for acquisition, which he is doing with KPMG.

The acquisition project is called Project Svalbard, in tribute to a Norwegian effort to store a vault of seeds to protect against future loss. "It sounds like a befitting name, beginning with the obvious analogy of storing a massive quantity of 'units'," Hunt said.

The question everyone will be asking: will the service get worse? Hunt said he will remain part of HIBP and that consumer searches will still be free. The idea is that a bigger organisation will enable him to build out more capabilities.

He also wants to put more effort into changing the behaviour of both individuals and organisations, in respect of their poor security practices.

Hunt has fallen behind, he said, on responsible disclosure – informing organisations that they have been breached. This he called "massively burdensome".

When will it happen? No hurry, said Hunt. "I'm not under any duress (not beyond the high workload, that is) and I've got time to let the acquisition search play out organically and allow it to find the best possible match for the project."

But he does not want to lead a new nonprofit even with sponsorship from other companies, believing that this would increase rather than reduce the stress he is under.

The site performs an excellent, though dispiriting, service. Those of us who have had active email accounts for many years are likely to feature multiple times in the HIBP database. Your correspondent's, for example, is in 20 data breaches including Adobe, Bit.ly, Creative, Disqus, Dropbox, Kickstarter, Last.fm, MySpace and vBulletin, as reported by HIBP.

Sane security today means unique passwords for every site and a password manager, along with other strategies like multi-factor authentication, but take-up is weak, as data from services like Microsoft's Office 365 demonstrates.®
