
Project Svalbard, Have I Been Pwned and its ongoing independence - MattConfluence
https://www.troyhunt.com/project-svalbard-have-i-been-pwned-and-its-ongoing-independence/
======
mike_d
I appreciate what HIBP does, but I believe it serves Troy's personal brand
more than it would any corporate owner. The biggest issue is the data is super
stale. Things regularly pop up in SpyCloud 6-12 months before HIBP, and as a
result they are a much more attractive acquisition target.

There is also an unreasonable dependency on CloudFlare kool-aid for HIBP and
his other services. I reached out to Troy about sponsoring Report-URI because
it was a service I believed benefitted the internet. In response I received a
snarky response about how I didn't understand how web-scale CloudFlare was,
when I was effectively offering to cover all the company's infrastructure
costs for the foreseeable future (multiple dozens of servers and XX Gbps of
bandwidth).

~~~
tomschlick
> There is also an unreasonable dependency on CloudFlare kool-aid for HIBP and
> his other services.

How is it unreasonable? Do you criticize the hosting platform / CDN of every
service you use?

CF has been a huge help to Troy with optimizing caching and helping him with
the k-anonymity setup to make the scale of HIBP possible with less
infrastructure. Their network is top notch (sub 10ms for most population
centers) and they are trying to give back to the broader community by donating
the bandwidth and cache to greater good projects like this.

~~~
lmm
If your whole raison d'etre is to be a trusted source on privacy and security
matters, then putting yourself in a position where you can't speak objectively
about the organisation that controls 10% of the internet's traffic is
massively compromising that. I'm sure Hunt will do his best, but how could
anyone possibly make a fair judgement of something controversial like
"Flexible SSL" when his livelihood is dependent on them?

~~~
jgrahamc
I am sure that literally any one of our competitors would give Troy their
service for free. He's free to leave whenever he wants. And he's 100% free to
criticize us while remaining a customer.

~~~
smoyer
I love that you're here ... and as transparent as possible. Thanks for the
work you do in keeping the Internet running (and as far as possible, "safe").

~~~
jgrahamc
Well, I've been here close to 13 years
([https://news.ycombinator.com/user?id=jgrahamc](https://news.ycombinator.com/user?id=jgrahamc)).
Seems a shame to leave now.

------
airstrike
Sorry, but the more I read this, the more I feel like KPMG is the main reason
for the failed process...

> And so in September, we granted exclusivity to a bidder. (...) And so began
> the extensive due diligence. KPMG had warned me about this phase right at
> the beginning of the process and from memory, the word they used was
> something akin to "onerous".

You're supposed to have your ducks in a row _before_ you launch the process,
not after. As you're drafting your IM, you should also be preparing a virtual
data room with as much data as you reasonably expect to be asked, and board
minutes are the absolute minimum that any advisor should know...

> Among literally thousands of other requests (seriously - the total number
> was four figures)

And you don't have to respond to all of them! You can answer any request with
"The company believes this can be answered as a matter of confirmatory
diligence"

From literally dummies.com[0]

"Sellers can’t be afraid to remind Buyers that due diligence is confirmatory
in nature, meaning Buyer should spend the time confirming Seller’s information
and not planning, creating, and combining the two entities. The Buyer should
take care of post-closing activities after closing! Otherwise, due diligence
will drag on longer than necessary."

[0] [https://www.dummies.com/business/corporate-finance/mergers-a...](https://www.dummies.com/business/corporate-finance/mergers-and-acquisitions/how-to-time-the-due-diligence-phase-in-an-ma-deal/)

~~~
alexpetralia
I also distinctly got the sense that KPMG bungled this process. They seemed to
bafflingly parlay Troy's position of strength into a position of weakness. Of
course, all they really cared about was the bill at the end!

~~~
mrkurt
If your company is getting shopped to 43+ other companies, it's not a very
strong position. This seems like KPMG responding to their incentives: sell the
company and make like $250k, or don't sell the company and make "the biggest
bill I've ever paid in my life".

------
snowwrestler
I don’t think he actually wanted to sell HIBP. He was way more focused on
providing detailed constraints for the future of how it should be run, than in
listing its assets and how those might benefit the future owner.

I think what Troy actually wanted was resources and support and management for
his vision of the future HIBP. That's not usually what a sale is, and it
sounds like he paid a lot to learn that lesson.

It seems to me like Troy treats HIBP as a mission, not a business, and in the
US at least, a nonprofit would be an option to organize financial resources
around a mission. As a private company, he could seek investment from like-
minded folks with deep pockets, but that would likely come with external
pressure to show a profit.

------
irjustin
Thanks to Troy for HIBP and the story here.

It may be because he cannot speak towards the specifics of the deal, but I
truly hope there was a breakup clause.

For those unaware, M&A deals eventually go exclusive which, as this post
points out, is very very time consuming, which means expensive. For those who
are involved in the deal itself, very little work gets done that runs the
business.

So to protect against the downside for the company getting purchased, a
breakup clause gives them cash if the purchasing company does not follow
through.

Only companies in great negotiating positions can command these things,
but it sounds like Troy was in a great position when looking at the initial 43
buyers.

~~~
tptacek
Does anyone here have a story about a startup operating at Troy Hunt's (tiny)
scale actually getting a breakup fee? I've been through a couple acquisitions
now and I've never even heard of someone getting a credible binding breakup
clause.

~~~
dd36
I negotiated the acquirer paying all legal fees and for our time. We were
tiny. It worked out. Like others said, spent a lot of time drafting
superfluous policy docs in response to requests for copies...

------
LennyWhiteJr
Damn that sounds like an incredibly exhausting experience, and all he got out
of it was... a hugely expensive bill.

All I can say is props to him for keeping his principles; I really hope he'll be
able to grow HIBP into a sustainable gig for himself and a small core team.

~~~
westmeal
Seeing people hold onto their principles is pretty damn rare nowadays.

~~~
peterkelly
The world needs more people like Troy.

------
dustinmoris
This whole thing seems extremely naive and almost like a different Troy
Hunt...

Why KPMG? Their competence is below average for an above average price, hiding
behind a big corporate name. Why answer thousands of questions when the majority
could have just been a copy-paste one-liner? You're selling a side gig, not a
massive company. Also, why sell it in the first place and then not want
to give up control by limiting what the buyer can/wants to do with HIBP? If he
didn't want to give away control then don't sell: find investment, find
sponsors, find a business model which pays the bills and allows you to hire
staff so you can scale it yourself. Decide what you want first :)

EDIT:

I _think_ the increasing exposure and interest in HIBP has made Troy fantasize
about a potentially nice cheque which a buyer could write him which could put
him into early retirement, but then he realised two things along the process
which made him change his mind on selling:

- HIBP is not really worth the amount that could retire a family (interest <>
value, website hits <> value, etc.)

- The fan messages gave him a bad conscience

In the end the whole thing was not worth it.

~~~
mikorym
I don't think the fact that KPMG ran it is necessarily the key thing here.

I have a perennial objection to the "Silicon Valley Way" where you try to
build a scalable product or service and immediately look for funding (and
later a buyer).

Normal companies just start. And try to be profitable quickly. I think this is
probably the issue as well that Troy eventually found there. I think he should
really be thinking: "What is my service and what is my product, and what is
the 80-20 of where my product is worth the most."

And I don't mean dumb things like ads. I think he should be doing custom
services for big companies that care about security.

~~~
mikorym
To give an example, he probably can help a lot of big companies just with
their authentication policies. Accountants are ignorant about these things and
maybe he could for example be asked about when to use a password and when to
use some kind of token, how to setup access to EC2 or Azure virtual machines
and things like that.

I know these in principle should be simple. But the man is a rock star and
should be able to cut through a lot of the bureaucratic BS.

------
airstrike
> Apparently, the way these M&A processes run is that as you really get down
> to the wire with the final bidders, eventually someone will ask for
> exclusivity. This grants them a window of time in which they can do
> extensive due diligence to the exclusion of all other bidders.

This is not always the case, and it's certainly not a requirement to get a
deal across the finish line. More frequently, you'll select from the list of
buyers who provided credible non-binding offers – presumably those with good
strategic fit / rationale for the acquisition and that can provide certainty
that they have the funds available to do the deal (e.g. they have the pile of
cash and their board has already approved the acquisition).

Then you give that select list of final bidders more access to management,
including below C-suite (i.e. the opportunity to ask technical questions to
engineers and middle managers to really understand what makes the business
what it is) and set a deadline for final, binding offers, of which you will
choose that which creates the highest value to shareholders.

Exclusivity means betting all your money on one horse, and it can make sense
in some instances, but preferably conditional on someone making a huge offer
that you believe is bona fide and hopefully before you launch the broad
process (140+ buyers, in this case) i.e. they are trying to preempt the
process and are willing to pay up, and in return for sparing you the publicity
/ distraction / exhaustion from running the sale process, you grant them
exclusivity.

------
hahla
I'm surprised the author contacted KPMG to run M&A for a small independently
run website..? Not sure what I'm missing here.

~~~
airstrike
I'm surprised anyone would contact KPMG for M&A at all, in that they're
primarily an accountant / auditor, not an M&A shop.

~~~
JumpCrisscross
> _I'm surprised anyone would contact KPMG for M&A at all, in that they're
> primarily an accountant_

They have other business lines. But they aren’t notable. If you’re a top M&A
banker, or even the best in a small niche, you’re at a bulge bracket or a
boutique. Not KPMG.

~~~
fphhotchips
I think it's worth noting that Troy may have wanted a firm with a global
presence given that he's based out of the Gold Coast. The firms with big M&A
reps in the USA don't necessarily have that same rep or presence down here,
particularly in Brisbane.

~~~
JumpCrisscross
> _Troy may have wanted a firm with a global presence_

Troy is a deliberate thinker. I'm not second-guessing his choice.

The top M&A bankers in Australia are routinely one of a Swiss bank, an
American bank and/or Macquarie [1]. The global banks are known as such because
they have uniquely global reach. They're also uniquely expensive.

For a small deal, a boutique with global reach would be the default choice.
They bring expertise with heavyweights who want a better work-life balance.
They bring cost effectiveness with a reduced footprint.

The only reason to go with KPMG is because you know someone there you trust.

[1] [https://www.afr.com/companies/financial-services/ubs-macquar...](https://www.afr.com/companies/financial-services/ubs-macquarie-top-dealmaking-league-tables-20190103-h19ob4)

------
lmeyerov
Thank you for sharing... 43 sounds super painful, and super tricky to safely
share!

For others here: part of "companies are bought, not sold" is not just price
difference, but whether the deal happens at all. Your startup needs to be
solving something critical for an executive , eg, cuts red tape on internal
politics, and enough so that they'll push the deal through because they need
it. Good signal is inbound, but not only, and part of your job is to help
figure that out or get that inbound.

The reverse is still possible, but now you both underprice and need to find a
firm that is efficient here. As part of my surprise in seeing gitlab internal
docs in the open.. they explicitly look for good but struggling product teams
to scoop up for basically annual bonus levels, and it sounds like they can do
that quickly... If that's what you want.

~~~
huebomont
"good signal is inbound" - mhm yep definitely english

~~~
lmeyerov
Hah sorry super busy, sorry. Inbound interest is a good initial signal that
there's genuine interest on the other end. It's way better than reaching out.
Somewhere between inbound & outbound is maintained relationships you push on.

From having legit inbound interest, you still need to find an executive
champion on the acquirer's side who'll spend months pushing through the
lawyers, politics, etc, and ideally, has done it before. Not easy. They may
not be the person who reached out to you, but they are the one(s) you need to
identify, make the bet on, convince, and iterate with as issues arise. If
they're senior enough, they can make it Just Happen.

Maybe the perspective here is selling a business is the ultimate big & messy &
relationship-heavy enterprise sales process. The process described in the post
sounds like the numbers approach of SaaS (outbound reachouts to BD people -> a
few conversations -> sell), but not with the messy human parts of enterprise.

-- For example, it's unusual to bring in someone like KPMG due to deal size
and risks around disintermediating the owner from the buyer during
relationship building. (Individual advisors here are more normal for slightly
bigger deals, and they'd have more skin in the game & involvement than a big
firm.)

-- As another, was DefCon time hanging out with the CEO or #2 of the
company and the champions?

Not easy! The advice I got here is 90-99% of these convs fail, so it's useful
to be wary & understand.

~~~
huebomont
I was commenting on the incredible level of jargon. This post is even more
impressive!

------
Ayesh
I think Troy is struggling to find his own place in this venture. I appreciate
his take on selling it to a good buyer, because a massive password list would
otherwise attract shady buyers.

You cannot sell something and keep it at the same time. That's not what
selling is. It's good to see governments taking interest in this, and I'm happy
about paid plans. To keep HIBP under his original vision and for him to enjoy
his lifestyle, renting would be the ideal solution. Not selling.

------
tptacek
My confidence level on this is very low, because what do I know, but my
emotional commitment to this take, having been a small business operator (in
Hunt's field) for a couple decades now, is very high:

This makes me very sad. Not that the deal fell through, because of course it
did, but because of the process he undertook. Every part of it makes me sad.
Any correction or rebuttal I get to this will make me happier, so I hope I'm
wrong about a lot of it.

First, the adage that companies are bought, not sold, has in my experience and
the experience of my friends been pretty much true.†

Next, the most valuable thing about HIBP isn't the underlying work Hunt did
--- lots of companies have done equivalent work --- but HIBP's notoriety and
popularity.

Which to me means that every credible acquirer of HIBP already knew he was for
sale --- because _everybody_ is for sale --- and already fully capable of
reaching out to Hunt and offering him some kind of deal. The list of bizarre
stories I've heard about random projects that have received corpdev offers
like this is long.

Which to me suggests that putting a lot of work into a deck that explains HIBP
and what makes it valuable was not a good use of time. If you're explaining,
you're losing.

Then there's reaching out to your tax advisor to coordinate the sale. I have
only heard bad stories about retaining financial firms to shop companies. In
this case there's the added fact of the enormous incentive mismatch: Hunt is
engaging a financial firm to act as his agent with a bunch of their own
clients and client prospects, practically every one of which seems like it'd
be worth more to KPMG than the HIBP "sale" or any ongoing relationship with
Hunt himself.

Then there's what KPMG actually did, which was to arrange FORTY(!) pitches. To
each of which he disclosed traffic stats and revenue numbers!

Bringing us back to HIBP's value being its notoriety, in that: anyone you have
to explain HIBP to is probably not a qualified prospect. Also, just the idea
that there would be 40+ qualified prospects to begin with.

My feeling is that a pretty big chunk of YC companies get a whole stream of
invitations to corpdev meetings equivalent to the ones Hunt went through here.
And that a big part of YC's founder education is convincing founders _never to
go to these meetings_ , because they're so unlikely to have good outcomes, and
because the counterparties in those meetings are basically trained and
selected to efficiently screw founders over. Here, it seems like Hunt paid for
the privilege of experiencing this.

Then there's the deck itself; the one detailed slide of which we get to see is
an exquisitely detailed rationale for why Hunt's presence is vital for the
continued success of HIBP. "This is what the organisations bidding on HIBP
were buying: trust in me." That's a description of a job interview, not a
company sale. Elsewhere on this thread there's a comment saying HIBP should be
worth 8-9 figures. Can we think of a company with this slide in their deck and
that valuation?

In the end, he gets to term sheets with one potential company, and goes
through what appears to be a full-fledged warrants-and-reps due diligence
process, the completion of which is rewarded with a polite "no thank you" from
the company.

This seems like the longest, most expensive job search anyone here has ever
read about. I _assume_ he paid KPMG for their work on this, and what KPMG did
here looks to me like malpractice.

We give YC a lot of shit and they sure deserve a lot of that shit, but it's
not unusual for me to look at a security founder story and think "this person
really, really would have benefited from going through YC".

I like what Troy Hunt is doing a lot and he seems great. I hope things go
better for him building this project up without trying to shop it for new
owners.

† _The exceptions to "bought not sold" that we read about most frequently here
are companies put up on company-flipping brokerage sites and sold solely for
their revenue streams._

~~~
AceJohnny2
> _the completion of which is rewarded with a polite "no thank you" from the
> company._

My reading is that the interested company, being the large amorphous blob that
it is, decided in some separate cortex to change their business model while
the due-diligence nitty gritty was underway, and Troy decided to cut out.

------
brownbat
It's interesting what HIBP reveals about both attackers and defenders.

HIBP held a long randomly generated password I used exclusively on tvtropes.
It was in plaintext in a pw dump, suggesting they weren't even hashing at the
time.

I contacted tvtropes a few times but got ignored with no announcement.

It's not a banking site, not sure what we should expect. But given compelling
evidence of a breach and making no announcement to users seems irresponsible.

------
Thorentis
Sorry but, how is Have I Been Pwned anything but a text search of data that is
already publicly available?

Normally a company is valuable because of some kind of value add. Either they
generate data nobody else can, or they do something with that data nobody else
can. HIBP does neither of those things. It literally searches one column of a
database, and tells you if there was a match. You could run HIBP using a total
of 1 SQL query, with a fancy template in front. It's essentially just a hobby
project of a software dev who wants something to do on the side. It is
infinitely more valuable to Troy as a resume booster than to any company.

~~~
peterkelly
From the article:

"Anyone can cobble together a website with some APIs and load in a ton of data
breaches, but establishing trust is a whole different story. Trust in the way
I run the service is an absolutely pivotal part of HIBP and it's something I
built organically rather than setting out to earn it, now here I was with big
companies putting a value on it."

~~~
Thorentis
Yeah, so it's nothing but branding. There is nothing about this site that
requires trust, since the data is already available. HIBP got popular on
Twitter / the internet and is now a well known name in cyber.

~~~
Gigablah
Well, to be pedantic, it's not just a simple SQL query, it's also a
percolation query server and notification system.

It's like saying that Pingdom is nothing more than a cron job.

------
badrabbit
He should really have built a password validating/auditing software for
commercial use.

I used hibp in a corporate setting, like most others I looked to see if there
was a way to check AD and Linux for bad passwords, a few people had some open
sourcey things that only work retroactively with manual execution. We
evaluated the need and decided on pursuing an unrelated commercial product
that does all the password auditing using known bad passwords among a long
list of other things. Since the start I wondered why HIBP did not do this.
Having existing enterprise customers would have given him a lot more leverage.
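The k-anonymity range lookup that tomschlick mentions earlier in the thread is also the mechanism one would use for the kind of known-bad-password audit badrabbit describes here. The following is an added example, not HIBP's or Troy Hunt's code and not from any comment on this page: it hashes a candidate with SHA-1, transmits only the first five hex characters of the hash, and matches the remaining suffix locally against the returned list, so the full hash never leaves the auditing host. The `https://api.pwnedpasswords.com/range/{prefix}` endpoint and the `SUFFIX:COUNT` response format are assumed from HIBP's public API documentation; `fetch_range` below answers from a constructed in-memory table so the code runs offline, and every count in that table is made up.

```python
import hashlib

# Constructed stand-in for a range lookup response. The real service returns one
# "SUFFIX:COUNT" line for every breached SHA-1 that shares the 5-character prefix.
# The counts and the second suffix are invented for this example.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # suffix of SHA-1("password")
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"        # constructed entry
    ),
}

# Every prefix the "client" sends, so a caller can verify nothing longer leaked.
REQUESTED_PREFIXES = []


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix, suffix): only the 5-char prefix is ever transmitted."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Stand-in for `GET https://api.pwnedpasswords.com/range/{prefix}` (assumed
    endpoint). Here it answers from the constructed table, with no network access."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("a range query takes exactly 5 uppercase hex characters")
    REQUESTED_PREFIXES.append(prefix)
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus (0 = never seen).
    The suffix comparison happens locally; the server only ever sees the prefix."""
    prefix, suffix = split_for_range_query(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def audit_passwords(candidates, fetch=fetch_range, min_count=1) -> dict:
    """Audit helper: return the candidates seen at least `min_count` times, with counts.
    A directory audit would feed this the passwords (or their hashes) under review."""
    flagged = {}
    for pw in candidates:
        seen = breach_count(pw, fetch)
        if seen >= min_count:
            flagged[pw] = seen
    return flagged


if __name__ == "__main__":
    sample = ["password", "9f2c-constructed-unbreached-passphrase"]
    for pw, n in audit_passwords(sample).items():
        print(f"{pw!r} seen {n} times in breach data")
```

The `fetch` parameter is there so a real deployment can drop in an HTTPS client without touching the matching logic, and `REQUESTED_PREFIXES` makes the privacy property checkable: after an audit run, every recorded query is exactly five hex characters.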

~~~
nextgens
That's basically what we've done with
[https://safepass.me/](https://safepass.me/) and
[https://pwncheck.me/](https://pwncheck.me/) ... and HIBP is the dataset we
ship to our customers by default. If you are still looking to validate
passwords when they're set, give me a nudge :)

We don't advertise the linux/PAM support since we have failed to find a market
for it (usually things end up being hooked up onto AD one way or the other)...

------
notlukesky
Anyone have a clue who the potential acquirer was? Just curious as to whether
they wanted the brand of Troy Hunt as the databases are public and most
technically savvy organizations can put one together.

~~~
peterburkimsher
My personal guess is Mozilla (not sure whether Corporation or Foundation).
Their mission and vision seem to align well with Troy's views on privacy and
security, but for reasons unrelated to HIBP, they're cutting costs.

[https://techcrunch.com/2020/01/15/mozilla-lays-off-70-as-
it-...](https://techcrunch.com/2020/01/15/mozilla-lays-off-70-as-it-waits-for-
subscription-products-to-generate-revenue/)

~~~
deedree
Yes, that would be my guess as well. They seem(ed) to be the most aligned with
his mission. Giving him the freedom to stay in his home while also being in a
corporate environment that could give him the necessary know how and back up
to grow his baby.

------
gadders
After reading that, I think that what Troy needs is an employee or two
(assuming the business supports it).

------
AdmiralAsshat
> So we wrapped it up, I got the single largest bill I've ever received in my
> life and then I sat down and started writing this blog post.

Where did the bill come from? Did he get billed by the prospective buying
company for _not_ purchasing him?

~~~
michaelt
He hired KPMG to help him court possible buyers, I'm guessing it came from
them. They talked to 141 companies, and I doubt their hourly rate is cheap.

~~~
johns
They get paid a portion of the proceeds of a sale (or raise if you decide not
to sell and raise money instead). The bill was almost certainly from his
lawyers. I went through a failed M&A process and we were left with a 90K bill
for it.

~~~
JumpCrisscross
> _They get paid a portion of the proceeds of a sale_

This is true for most M&A. But with KPMG, last I saw, they charge a retainer
that must be re-upped from time to time. (The joke was that's what you get
when you hire accountants as bankers.)

~~~
samcrawford
Having been through a similar process with KPMG (that ended similarly), I can
confirm that they operated on a retainer basis and it did need to be re-upped
from time to time. The vast majority of their remuneration was a success fee
though. This is pretty standard for the industry.

------
saagarjha
I believe that Have I Been Pwned provides a useful service, but I find it very
strange that it needs to be valuated and sold like a startup when it's
essentially been able to survive because people singularly trust Troy with a
bunch of illegally obtained material. Like, how do you buy that; how could you
ethically and legally make money from it? Why can't it just continue being
supported by contributions?

~~~
lidHanteyk
A key feature of our society is that many things are given away for free and
supported by an advertising infrastructure.

~~~
toomuchtodo
I emailed Troy to ask if he'd consider operating it as a non-profit utility
similar to Let's Encrypt, and offered to help (because it's only fair if you
come with an ask).

~~~
tbyehl
I've been sitting here wondering why bringing HIBP into an existing non-profit
foundation wasn't the desired outcome. Having HIBP under the control of
corporate interests seems icky.

~~~
pbhjpbhj
Do we know for sure it wasn't? Couldn't Mr Hunt have wanted Mozilla to take
over, but they weren't keen .. what other non-profit options fit here? Apache?

------
cynusx
I think it's good that he doesn't sell; having built an enormous marketing
presence and gained market trust is only a minor step away from actually
monetizing that. Selling what he has right now does indeed come with golden
handcuffs (sucks), but also any purchase price would come in vastly under the
project's potential.

He could easily leverage this marketing presence to build a security SaaS
company, create a huge conference, launch a big consultancy,...

If you value independence then running your own profitable balance sheet is
the best thing you can do.

Hell, it wouldn't even be hard to attract talent to the cause at the point
he's at.

~~~
dewey
> He could easily leverage this marketing presence to build a security SaaS
> company, create a huge conference, launch a big consultancy,...

If it would be so easy it would've been done already.

~~~
cynusx
He doesn't have the plan and associated funding and the people in place.

Maybe easy is the wrong word, but he's definitely well-positioned to reap more
reward from what he has achieved so far.

