Have I Been Pwned to go open source – 10bn credentials, not so much, says creator Hunt

Heavy burden for one valiant man to carry, and it needs sharing


Credential breach website Have I Been Pwned (HIBP) will be going open source, site creator and maintainer Troy Hunt has told the world.

The site, at the time of writing, hosts details of roughly 10 billion hacked accounts from 473 separate websites. You enter your email address and HIBP tells you whether or not that address appears in its database of credentials known to have been stolen from breached sites.

In a blog post Hunt explained his thinking, referring to an aborted potential sale of the site earlier this year.

“I've been giving a great deal of thought to how I want this project to evolve lately, especially in the wake of the M&A process that ended earlier this year right back where I'd started: with me being solely responsible for everything,” he wrote.

“The single most important objective of that process was to seek a more sustainable future for HIBP and that desire hasn't changed; the project cannot be solely dependent on me.”


In brief, if Hunt were hit by a bus tomorrow, HIBP would “wither and die”, he said. With so many people relying on it for breach notifications, he realised there was only one thing to do.

“The philosophy of HIBP has always been to support the community, now I want the community to help support HIBP,” he continued. “Open sourcing the code base is the most obvious way to do this. It takes the nuts and bolts of HIBP and puts them in the hands of people who can help sustain the service regardless of what happens to me.”

Hunt is completely open about who he is and how he operates HIBP, which means the entire basis of the site’s successful operation rests on trusting him and anyone to whom he grants access to the site’s backend. Previously he had explored selling HIBP, though he halted the process after a “change in business model” meant he was no longer confident that a sale of the site would be the right thing to do for the wider community.

However, the weight of responsibility has sat heavily on the man’s shoulders: Hunt previously shared that maintaining the site solo had brought him “very close to burn-out” and he has repeatedly looked for ways to spread the burden. Open-sourcing the code that powers the site appears to be the most publicly transparent way to do that without flogging 10 billion login credentials to some corporate overlord.

The open-sourcing won’t be immediate; in his blog post Hunt said some trusted confidantes have access to the source code for now to clean it up and help prepare the site to go fully public, rather than just chucking it onto GitHub or similar. As he put it, these are “above all, people I trust to expose my own shortcomings so that they can help me make this thing more sustainable.”

As for the data itself, Hunt expressed the intention to ensure that strong privacy controls are still applied even as the framework of HIBP’s code is made “more transparent.” “There are literally billions of people that have been impacted by data breaches,” he said. ®



Biting the hand that feeds IT © 1998–2020