How Have I Been Pwned became the keeper of the internet's biggest data breaches

When Troy Hunt launched Have I Been Pwned in late 2013, he wanted it to answer a simple question: Have you fallen victim to a data breach?
Seven years later, the data-breach notification service processes thousands of requests each day from users who check to see if their data was compromised, or "pwned" with a hard "p", by the hundreds of data breaches in its database, including some of the largest breaches in history. As it's grown, now sitting just below the 10 billion breached-records mark, the answer to Hunt's original question is more clear.
"Empirically, it's very likely," Hunt told me from his home on Australia's Gold Coast. "For those of us that have been on the internet for a while it's almost a certainty."
Having started out as Hunt's pet project to learn the basics of Microsoft's cloud, Have I Been Pwned quickly exploded in popularity, driven in part by its simplicity to use, but largely by individuals' curiosity.
As the service grew, Have I Been Pwned took on a more proactive security role by allowing browsers and password managers to bake in a backchannel to Have I Been Pwned to warn against using previously breached passwords in its database. It was a move that also served as a critical revenue stream to keep down the site's running costs.
But Have I Been Pwned's success should be attributed almost entirely to Hunt, both as its founder and its only employee, a one-man band running an unconventional startup, which, despite its size and limited resources, turns a profit.
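The backchannel mentioned above is the Pwned Passwords range API, which lets a client ask whether a password has appeared in a breach without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters to https://api.pwnedpasswords.com/range/<prefix>, receives every stored suffix sharing that prefix (one "SUFFIX:COUNT" line each), and finishes the comparison locally. The example below is added here to show that client-side logic; it is not code from the article or from Hunt's project. It runs offline against a constructed stand-in for the API response (the neighbouring suffixes and all counts are invented), and the live fetcher is included only for readers who want to point it at the real service.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # only these five hex characters of the SHA-1 ever leave the client


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Split the digest into the 5-char prefix sent to the API and the 35-char suffix kept locally."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> breach-count map, ignoring blank or malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts


def password_breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password was seen in breaches (0 if absent).

    The fetcher receives only the hash prefix; the suffix comparison happens here,
    so the service learns neither the password nor its full hash.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real fetcher for the public range endpoint; not used by the offline demo below."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API so the example runs offline. The suffix of
# "password" (SHA-1 5BAA61E4...) is listed with a made-up count; the other two
# suffixes and their counts are invented as well.
CONSTRUCTED_RANGE_BODIES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "1E2AAA439972480CEC7F16C795BBB429372:1",
    ]),
}


def fetch_range_constructed(prefix: str) -> str:
    """Offline fetcher: returns the constructed body for a known prefix, else an empty response."""
    return CONSTRUCTED_RANGE_BODIES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "constructed-unique-passphrase-2020"]:
        n = password_breach_count(candidate, fetch_range_constructed)
        verdict = f"seen {n} times in breaches, reject" if n else "not in the sample set"
        print(f"{candidate!r}: {verdict}")
```

A password manager or sign-up form would call password_breach_count with fetch_range_live and refuse (or warn on) any non-zero result; because every prefix maps to hundreds of stored suffixes, the service cannot tell which one the caller was interested in.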
As the workload needed to support Have I Been Pwned ballooned, Hunt said the strain of running the service without outside help began to take its toll. There was an escape plan: Hunt put the site up for sale. But, after a tumultuous year, he is back where he started.
Ahead of its next big 10-billion milestone mark, Have I Been Pwned shows no signs of slowing down.

Mother of all breaches

Even long before Have I Been Pwned, Hunt was no stranger to data breaches.
By 2011, he had cultivated a reputation for collecting and dissecting small (for the time) data breaches and blogging about his findings. His detailed and methodical analyses showed time and again that internet users were using the same passwords from one site to another. So when one site was breached, hackers already had the same password to a user's other online accounts.
Then came the Adobe breach, the "mother of all breaches" as Hunt described it at the time: Over 150 million user accounts had been stolen and were floating around the web.
Hunt obtained a copy of the data and, with a handful of other breaches he had already collected, loaded them into a database searchable by a person's email address, which Hunt saw as the most common denominator across all the sets of breached data.
And Have I Been Pwned was born.
It didn't take long for its database to swell. Breached data from Sony, Snapchat and Yahoo soon followed, racking up millions more records in its database. Have I Been Pwned soon became the go-to site to check if you had been breached. Morning news shows would blast out its web address, resulting in a huge spike in users, enough at times to briefly knock the site offline. Hunt has since added some of the biggest breaches in the internet's history: MySpace, Zynga, Adult Friend Finder, and several huge spam lists.
As Have I Been Pwned grew in size and recognition, Hunt remained its sole proprietor, responsible for everything from organizing and loading the data into the database to deciding how the site should operate, including its ethics.
Hunt takes a "what do I think makes sense" approach to handling other people's breached personal data. With nothing to compare Have I Been Pwned to, Hunt had to write the rules for how he handles and processes so much breach data, much of it highly sensitive. He does not claim to have all of the answers, but relies on transparency to explain his rationale, detailing his decisions in lengthy blog posts.
His decision to only let users search for their email address makes logical sense, driven by the sites only mission, at the time, to tell a user if they had been breached. But it was also a decision centered around user privacy that helped to future-proof the service against some of the most sensitive and damaging data he would go on to receive.
In 2015, Hunt obtained the Ashley Madison breach. Millions of people had accounts on the site, which encourages users to have an affair. The breach made headlines, first for the breach, and again when several users died by suicide in its wake.
The hack of Ashley Madison was one of the most sensitive entered into Have I Been Pwned, and ultimately changed how Hunt approached data breaches that involved peoples sexual preferences and other personal data. (AP Photo/Lee Jin-man, File)