The popular security website Have I Been Pwned (HIBP) will remain independent – despite owner Troy Hunt's decision last year to put the business up for sale.
Hunt's site is a database of usernames or email addresses that have been exposed in data breaches. At the time of writing, it contains 9,543,096,417 records, which happens to be more than the population of Earth, showing the extent of such breaches.
Users can discover which breaches have included their username, and also check passwords against a list of passwords that have been leaked. Bad guys also have these lists so checking credentials against the service significantly improves security.
In his June 2019 post, Hunt stated that thanks to the huge attention the site receives he was "getting very close to burn-out" and would look for a new owner, though he still intended to remain part of the service. He also wanted to expand its scope, publishing more breaches, reaching a larger audience and working at the tough problem of "changing the behaviour of how people manage their online accounts". He engaged the Mergers and Acquisitions department of KPMG to manage the process.
Things have not worked out as planned. It was not for lack of interest from acquirers. Hunt said in a lengthy post: "We spoke to 141 companies from around the globe." That was reduced to 43, in part because Hunt "culled companies that I didn't believe should have responsibility for the sort of data HIBP has, that wouldn't shepherd the service in the direction I believed it should go, or were simply companies that I didn't want to work for."
Hunt also began to have doubts about the wisdom of the sale after receiving appreciative comments about the site from numerous people who identified trust in him personally as one of the key factors. "I remember one discussion in particular where the guy was talking so sincerely about his appreciation and I just started thinking 'what am I doing – can I really sell this thing?'"
The potential acquirers were also aware of this and included "golden handcuffs" in their offers. "They wanted me locked in for years and if I changed my mind partway through, I'd pay for it big time," he said.
A likely acquirer was chosen and the project moved to the due diligence phase, an onerous process of examining every detail of the business. This went on for some months, and then something happened. Hunt does not reveal exactly what, but said: "The circumstances that took the bidder out of the running was firstly, entirely unforeseen by the KPMG folks and myself and secondly, in no way related to the HIBP acquisition. It was a change in business model that not only made the deal infeasible from their perspective, but also from mine; some of the most important criteria for the possible suitor were simply no longer there."
Hunt decided that rather than go through the process again he would abandon it, especially as none of the other potential acquirers were as suitable as the one who dropped out. "Have I Been Pwned is no longer being sold and I will continue running it independently," he said.
Project Svalbard was the initiative to find a new home for @haveibeenpwned. After 11 months, the project has now run its course; HIBP will remain independent. Here's the full story: https://t.co/euM50h21Ge— Troy Hunt (@troyhunt) March 2, 2020
This does leave him with the same problem that inspired the acquisition project in the first place: that it is too much for one person. "I'll be considering the best way to start delegating workload," he said. He remains determined to improve the way industry handles "the flood of data breaches we're seeing".
The outcome for the rest of us is that for the time being HIBP continues as before, though now with firm evidence that for its owner and operator, it is more than just a business. HIBP is highly valued so the fact that it remains as-is will be welcomed, though with the caution that (as Hunt correctly identified) the service can only be sustainable long term if more people are involved in its management and operation. ®