Hacker News new | past | comments | ask | show | jobs | submit login
Project Svalbard: The Future of Have I Been Pwned (troyhunt.com)
700 points by benmarks on June 11, 2019 | hide | past | favorite | 145 comments

But we see that so often. The original founder of a thing has a list of requirements he wants met, he wants to stay onboard. But then stuff happens and the buyer uses his control. Think Instagram, Whatsapp, Tumblr(?) - there are thousand examples.

I'd hope Troy reconsidered the "just create a business yourself" solution. That could be structured in a way that makes sure the trust Troy earned stays linked to the project. And a bootstrapped company starting from the profitable position I assume HIBP is in now (with the business deals) does not at all have to mean more work for him. He could just offload the work he can't handle anymore to employees.

An acquisition to anyone not as trustworthy as the current solution/the candidates like Mozilla mentioned here would be a disaster mid to longterm.

This isn't, by no means, a belittlement against Troy Hunt, but here are some things to consider:

What makes Troy Hunt any more trustworthy? Do you think he can't make a mistake? What if his operation suddenly can't handle something because of X reason? What if he's breached himself or any of the services he's using break down or worse, provide invalid data or incorrect data? What if user Y searches his site, finds out they aren't vulnerable due to a missed data dump or data dump that isn't been loaded yet, then all of sudden gets compromised? Who's to say his employees won't screw something up.

Troy is right. He can't efficiently do this anymore. From the architecture I've seen, all he's doing is monitoring a twitter feed for new data. What if that twitter feed gets compromised and he just ends up uploading password? If he's dealing with millions of records, there is no way he could "manually verify" if every record was safe to upload, yet he claims he does manually verify them without much elaboration of the process...

Imagine allowing legitimate companies to upload their breaches to the site or maybe other security companies could upload data. It could be so much more accurate. Plus the extra hardware could handle the load and help verify the data being uploaded much better than the current operation.

I'm afraid I agree with basically nothing you've written here!

I trust Troy Hunt more than I trust OP's examples of Facebook and Verizon. I also trust his competence more than I trust theirs. Whose to say that anybody won't make any of the mistakes you mention. FWIW I would doubt he would sell to either of these companies, but it's undeniable that you give up control when you sell and people have made incorrect judgments before.

Nobody is suggesting he continue alone, rather that, if he feels that they're the only two options, he take some venture capital instead of selling the business.

The main reason not to do this is the one that he's given: it may not be the best thing for him personally, and the venture capital plan may be particularly negative for him. I think this reasoning has a lot of merit.

Your argument is self contradictory because you seem to make an exclusion for Troy's fallibility by pointing to my same argument about the fallibility of others. There's no reason other than you think Troy is some super human.

Troy has basically said nothing about his manual verification process and he says its the worst part of the architecture. There seems to be no mechanism of removing your email from the list once it's added so he'll just keep adding/merging data I guess until it starts giving false positives. He doesn't have the infrastructure to make this scale into a reasonable utility. Even if he did hire employs, he's now delegating responsibility which will introduce new potential judgement holes into the process.

Simply put, it's too big for him. And it has nothing to do with trust. Venture capital is a crap excuse because now there's a profit motive for the service for something that should arguably be non-profit. Venture capital has a track record for producing several, high profile companies that make no profit for years and are compromised in themselves.

The best thing he could do is pass it to Mozilla or some other tech non-profit. It would be even better if it was a government service.

Remember, the founder of Facebook still runs the company. It got big, and look what happened.

The argument was not self-contradictory. I did not say that Troy was infallible, I specifically said that anybody, not just Troy, could make the mistakes you listed. That was to demonstrate the fallacy in your argument that he should give up HIBP because he might make mistakes.

Contrary to what you say, Troy has detailed his verification process. There also is an opt out form on the site which will allow you remove your email from the current dumps and future ones.

Troy is talking about somebody acquiring HIBP. This implies he is not necessarily looking to give it away for free. There are already paid aspects of HIBP.

I would have no issue with it going to Mozilla.

I can't tell if you're joking by suggesting he give it to a government or by comparing him to Zuck.

I guess we're at least agreed on Mozilla, who he is already talking to.

I looked at his architecture diagram and his complaints about it. He specifically cites his manual verification process as being a problem and does not go into detail on how its done. How do we know dumpmon is legit? The file is a legitimate compromised file? Whether the file contains adequate data and is adequately scrubbed? Why isn't HIBP open source?

And what I was trying to argue is that we shouldn't put so much faith in one man. Whatever he does, it will, more than likely, not be feasible for him to control all himself. Especially with the legal ramifications of storing private data.

And I don't know why you think it's a joke to trust the government with something like this. We trust them with a lot more dangerous things. Considering it's the only entity that can compel a business to do something, it could actually work out if there was ever a law requiring breaches to be reported.

> FWIW I would doubt he would sell to either of these companies

He might not, but 6 months later the company he sells to *might. Or if public could be taken over with little choice in the matter.

As you say, control is gone once he sells.

But until that point, you might have a good enough product: One that has momentum and requires effort to corrupt, that users are aware of and have expectations about, and that presents value that people otherwise might not have known is possible. Control being lost doesn't necessitate that all the value & impact is lost with it.

I understand Troy, especially his fear of a burnout. That's no joke. I think there are several interesting companies, besides Mozilla. I could see F-Secure making an offer. HIBP ticks a lot of boxes when it comes to business security, password reuse beeing a big issue there. Mikko and his team have a proofen track record and are well connected in the grey-hat area. Plus, they are in Finnland, near to Norway :)

If F-Secure is in Finnland, doesn't that mean they would have to delete user data on demand, undermining the service in doing so?

Undermine the service for who? The person who asked to have their data removed or the company who is interested in data about a specific person. If the answer is the latter then I think its fair that the person can ask to have their information removed. I think that Troy understands this distinction too and I also hope that HIBP remains that way.

I wonder if you just have passwords and don't link them to usernames, then that wouldn't be "your data" because it can't be connected back to you?

>I could see F-Secure making an offer

I'd be surprised if F-Secure made another acquisition so soon.

For context, I've sold a business, been a full time entrepreneur for about 16 years, got it wrong many times and am currently the founder/CEO of a biz with a team of around 40 people, strong cashflow and we continue to grow and innovate - and we're founder controlled.

I met with Troy briefly for coffee about 8 to 12 months ago and we chatted a bit about this. I sensed his aversion to growing the biz back then. Seemed like he'd made up his mind. This post from him reinforces that. Even so I feel compelled to post a few thoughts.

Troy is an implementer. I was too. I was a dev guy who started as an ops guy. I really really wanted to build a business and for over a decade I tried to do it myself by writing my own code, doing my own ops, doing my own marketing and so on. It was very very hard, and after many failures and almost financially ruining me, I got to a place where I have an amazing biz and amazing team and I've turned myself into an exec who is no longer doing the day to day implementation, but is leading and coordinating.

This transition is very hard to make for folks like most of the people here - including myself. You have the sense that it's all on you. I need to repeat that in caps because that's how it feels. IT'S ALL ON YOU. I think this deep sense of accountability is what makes great devs and great ops people very good at what they do. But it also is perhaps what leads to burnout.

For an entrepreneur, it really is all on you. That work isn't going to do itself. And so that sense is even more visceral when you're a one man show. Now imagine you're running at the scale of HIBP. Pretty hardcore.

When I made the transition to being a leader and once I had a team behind me, the feeling was a bit like I'd imagine one might feel getting over a traumatic experience. It took a while. I felt like I could breathe again. I never wanted to go back to that place, if I have to be perfectly honest. It's a rough gig.

I think the trouble here is that Troy thinks that scaling HIBP is going to be more of the same. More of everything being on him, more work, more implementation, more accountability, more more more!!!

It doesn't work that way and I'm going to use my own path to growing a team (and regaining my sanity) to describe how it actually does (and can) work.

If one were to not sell HIBP and not raise money but instead grow it yourself into a business, it might work thusly:

1. Immediately work on developing strong cashflow for HIBP. Unfortunately this step is going to take some implementing from Troy. However, with good planning, you can probably hire some help and perhaps even do so in exchange for equity/options if you hire a good lawyer and can structure a cost effective deal. This stage is critical and I'd encourage Troy to get as much advice from other seasoned entrepreneurs as possible. Not folks who have raised VC, but who have actually created cashflow out of thin air. It's a dark art, but many of us know how to do exactly that.

2. Once you launch, it will take a while for the full revenue potential of the business to reveal itself. Cashflow takes a while to kick in and you will take a while to optimize it. e.g. many simply won't know that HIBP now has a paid option. That will take months, perhaps longer. So keep working and wait it out. I've seen this in every single successful cash generating biz I've created. At first it's a trickle, then a stream, then a river, then a wonderful fun and exciting deluge.

3. Once you can demonstrate that the biz is clearly going to grow into something with strong cashflow, you can start making your first hires. I would suggest hiring dev first. At this point you are going to have to do something very difficult. Step back from the coal face and trust your first employee. This was huge for me but thanks to Harvard Biz Review etc writing about this founder dilemma over and over, I was primed and I wasn't going to be the baker that can't get out of the kitchen. So I 100% delegated the job to an amazing person who remains with our team to this day. Once I could hire for ops, did the same. Rinse, repeat. Grow the team.

4. As your expenditures increase, you will need to be very good at managing cashflow. That is because at some point growth will pause. When that happens, if you don't realize that you will run out of money in X months, it will sneak up on you and you will lose the business. It happens every week around the world. Execs take their eye off the cashflow for a few months and byeeeee. Not everyone has the appetite for finance. Some are mildly or even severely allergic. I'm on that spectrum and thankfully my co-founder has a passion for it and happens to be very good at it. This has literally saved our asses and we too went through that growth pause. So if you are allergic, find someone who isn't. This is critical.

Once you do the above, if you build a team you can trust and you are very good at stepping back, finding and motivating talented people and carefully guiding the direction of the biz, things can get weird. You'll see a lot of executives talking about burnout, about how they work 20 hour days and the pressures of being a leader etc. But in your case you'll find that you have more free time and more mental bandwidth to shape the direction of the biz. You'll wake up one morning not sure what to do because you won't have a job anymore. You will have fired yourself from dev, ops, customer service, finance, HR, marketing, blogging and everything else. You'll go "oh shit, what am I supposed to do?"

The answer to this question is really fun: Whatever you and the business want to do. And guess what? You have a CEO who is the company founder and has a ton of energy and bandwidth to continue innovating.

That's pretty much the end of this post. I want to add a few more notes:

Delegating is hard for several reasons: If you're a dev and you have to delegate dev, you need to realize there are developers out there that are better than you and you will need to learn to trust them. You also need to understand that you're firing yourself from a job you are passionate about - a job you have loved and gotten very good at for many years. This is tough.

To scale a biz, you need to continue to delegate, even the things you love doing. Troy loves blogging and he writes epic tomes. But this too will need to be delegated if he wants to run at maximum effectiveness. I know. I did this. It was very hard. But I now have about 5+ writers in our organization and it's freed me up to launch a video podcast which I am already beginning to delegate to a certain extent.

VC is certainly an option, but know that each round you raise will also raise the bar on what success means. Right now you own the biz and success means a team that frees you up and cashflow that pays everyone better than market rate salaries. After the first round, a $20MM exit will be the definition of success. After a B and then C round north of $100MM will become success. And so it goes.

I'd also like to note that HIBP has built an incredible brand and growth. This is very hard to do. As Naval put it in a conversation I had with him not too long ago, it's lightning in a bottle, and I truly think that HIBP is a great example of lightning in a bottle. This won't happen again in Troy's lifetime. And what he has right now makes it very easy to: recruit, hire, retain, get help from other entrepreneurs, find customers, convince them to sign up, convince them to pay, get them to continue to pay, etc. The list of benefits is long. This kind of biz and brand is very hard to create. Troy's personal reputation is sterling and he's one hell of a nice guy. He is young, smart, healthy, well spoken. Seriously, you don't see this very often and it won't happen again, so choose your path wisely if you're reading this Troy.

And finally - and this is really why I'm writing this as a reply to onli's post - because I agree with their sentiment. Have no illusions that once you sell, you 'exit' in a very real sense. You are no longer the owner of the business. You are an employee. I'll also add that M&A folks are VERY good at selling the dream. I was recently at a certain multi-billion dollar company's offices who were trying to buy us. Their offices are based on Lake Washington up here in the Pacific Northwest. The M&A guy actually suggested that once we join their team we can ride to work in our boat. But in his defense, that's his job. Sell the dream. However, in this case I know the reality because I've been here before. Monday morning after you sell your company you will commute to work in a car, sit in a cubicle or office if you're lucky and you will do what you're told to do by the new owners of your business.

You will stare through those bars longing to roam the great plains once again as a free and wild creature in control of your own destiny. Or as Bodhizafa said in the final scene of the original Point Break: You know I can't handle a cage man!

HIBP shouldn't be for profit because it's harvesting personal data and it should be used as a mechanism for people to be aware of serious breaches. There's a lot of legal entanglement possible with this with HIPAA being an example of what can happen. It's probably a more difficult path, but in my opinion, HIBP should be a tax funded service because it's largely a public good product.

Fantastic post. This is exactly how it goes, especially with a bootstrapped company. Detachment and delegation are everything.

Excellent, excellent post. I do hope Troy reads it.

Hear, hear. I hope Troy, and others in similar shoes, will read this and consider it carefully.

I cannot say enough praises of Troy and HIBP. But it is a risky operation.

I understand HIBP derives its value from grey-ish hats sharing with Troy any leaked dataset they find because they know him or because of his reputation.

If he leaves, it is not clear to me that his trust and reputation will stay behind with the company running HIBP. The minute HIBP ceases to be the central place for these new datasets to be shared, it ceases to be of any practical use.

> I'll remain a part of HIBP. I fully intend to be part of the acquisition, that is some company gets me along with the project. HIBP's brand is intrinsically tied to mine and at present, it needs me to go along with it.

He's made it pretty clear in the blog post that he intends to stay on and has acknowledged that his reputation plays an important part in making HIBP what it is.

Which matters little, because it matters who the ultimate boss is.

It's common for a founder to say this. It's extremely rare for a founder to actually stay aboard.

One this is to trust a person. Absolutely another - trust whole company where this person works.

I share your concern. This is similar to many problems in the InfoSec community which can not simply be solved by a corporation by throwing money at them but instead require long-term cultivation of contacts, trust and expertise by a few / single individuals, something that money can't buy.

Yet Troy uses all these companies to formulate his entire operation. What do you think he uses to verify whether the pastebin files are malicious or not? You think he wrote his own malware detection software?

Something to keep in mind is that the datasets being shared with Troy are almost all already available on underground forums, some openly, some for sale.

I keep hearing about this, but every time without any reference. Where and how can one visit such forums?

Raidforums and similar have them. You occasionally find them on reddit and small security blogs. I collect data breaches, and usually by the time you hear about one on HIBP it’s making the rounds on a variety of forums. Only on a few occasions has Troy actually gotten anything exclusive.

I don't know any off the top of my head (no, really.) but I'd bet searching DDG for "Hidden Wiki" and using tor hidden services would get you in the right direction, and probably put on a watch list or two.

And whilst its impossible to police effectively the datasets on various forums, it seems KPMG and Troy Hunt are just not aware of the fact that GDPR exists. https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

Its quite interesting putting in various peoples email addresses to see what sites they are linked to. Maybe once he has made some money out of it, a GDPR claim and financial settlement can be made as he's made no steps to control the data privacy of Europeans.

Yes, you're right, I'm sure that the guy who is at the forefront of campaigning about personal data protection, has been running this service for years, has advised governments on privacy breach regulation, and has contracts to help european governments monitor their domains for breaches, has no idea whatsoever about the most prominent personal data regulation regime in the world.

Oh wait: https://www.troyhunt.com/free-course-the-gdpr-attack-plan/ https://www.troyhunt.com/new-pluralsight-course-the-state-of... https://twitter.com/troyhunt/status/1017679101698572295

Authorities now handling it, out of my hands. I dont want my details appearing on that website so anyone who knows me can put my email addresses (past and present) to see what hacked sites or databases its appeared on.

That's the whole point. You can see the data that criminals are using and seeing. Don't blame the guy telling you about it.

It looks like he's based in Australia, so Europeans wouldn't have to worry too much about having tariffs rained down upon them in retribution. I say go for it.

Does this really fall foul of GDPR? I would have guessed that once your data is in the wild, there is nothing in GDPR that applies. GDPR puts certain responsibilities on groups you give your data to treat that data in certain ways in terms of who it is shared with, which would not seem to apply to someone offering a lookup of an in the wild dataset.

I'm curious if my naive understanding of this is wrong.

Presumably it's partly questions like these that make Troy Hunt eager to find people with money and lawyers to help him host this thing.

I’m not sure how GDPR applies to HIBP. GDPR is all about data that is shared by the user. But HIBP is about data that hasn’t been shared by a user, but rather, is available publicly.

It’s a grey area at the very least.

> GDPR is all about data that is shared by the user.

No it isn't. It covers my data no matter how you got it, with a few exceptions.

EDIT: Please feel free to point to the legislation showing that GDPR only applies to data supplied by the subject.

You're not wrong, but purely from a practical standpoint, your data is out there and without a service like this to hold these companies to account, they could cover things up/downplay the situation/be too incompetent to know they've leaked data.

An operation like this levels the playing field and lets us collectively hold companies to their responsibilities.


"The regulation applies if the data controller (an organisation that collects data from EU residents), or processor (an organisation that processes data on behalf of a data controller like cloud service providers), or the data subject (person) is based in the EU. Under certain circumstances,[2] the regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. The regulation does not apply to the processing of data by a person for a "purely personal or household activity and thus with no connection to a professional or commercial activity." (Recital 18) "

The EU laws apply to people and entities outside of the EU, he is not immune from these EU laws because he is affecting the lives of every European who has an email address in this website.

>GDPR is all about data that is shared by the user.

Wrong, wrong, wrong.

GDPR covers the processing of any data about an identified or identifiable individual.

It’s a very easy fix, confirm ownership of the email address before exposing the results.

Only if in possession of the email address or domain name. Where an email address or domain name has been taken over by someone else, then sending the results to the email address instead of currently showing it on the webpage doesnt solve the problem. This data set is ripe for blackmailers, intelligence services and any company looking for intelligence on rival businesses.

...if the password for said email address is already visible on the same page (assuming negligent password reuse) what kind of verification could you hope for?

Have you actually used HIBP?

> Maybe once he has made some money out of it, a GDPR claim and financial settlement

Do you think GDPR fines go to the person, and not the regulator?

People can sue (Article 79) and claim compensation for actual damages suffered (Article 82) due to a violation of the GDPR.

Administrative fines levied by a supervisory authority generally don't go to people who have had their personal data processed illegally, though.

I'd love to see a non-profit organisation like Mozilla pick this up, but that's obviously going to mean a lot less money going to Troy.

OTOH, it's kind of difficult to begrudge Troy gaining financially from HIBP, since he's spent years building it up and has helped increase security awareness for so many people.

I feel like Mozilla is well-positioned to meet Troy's requirements. It won't be cheap for them, but I think their branding is much more in line with his goals than the large FAANG tech companies.

It makes sense to tie it into the Firefox Account password manager too. Mozilla could leverage Troy's close connections with industry to have Firefox as the recommended secure & open-source option for enterprise clients.

Something that hasn't been touched on as much is the limitations that come with contracts for large commercial companies. Side projects are often expressly forbidden. Yes, Google with give you 20% time to work on your own ideas, but you can't then upload it to your personal website and call it your own - it becomes company property and may never see the light of day. I imagine that Mozilla are more open-minded in that respect. They also have plenty of experience with remote teams, which would work well for his family/travel tradeoffs.

Please, Mozilla - if this opportunity is offered to you, take it.

Troy works with Microsoft currently, so I doubt it would work with Mozilla as MS have Edge

Microsoft Regional Director don't work for Microsoft. If that's what you are referring to. They are recognized by Microsoft based on one's expertise & skills.

Ah yes, my mistake.

No, this shouldn't be used to segregate browsers. You just end up cutting a tonne of people of from the benefit unless the subscribe to the "we're sending all your DNS calls to third-parties and installing plugins you can't remove to advertise stuff you don't want"-browser.

Given Mozilla's current direction in terms of looking for more revenue streams, it might be quite well timed - if it can be commercialized successfully on the B2B end, that is.


Mozilla also recently launched their own version of HIBP that just gets the data from HIBP and passes it to their users: https://monitor.firefox.com/

Though just realised, they're not that upfront about giving HIBP credit - If I were Troy this would peeve me a bit.

It's not massively advertised on the homepage (though in some respects, I think outside of infosec circles "Firefox Monitor" probably sounds more professional/neutral than "Have I been pwned").

I think they discussed HIBP in the launch announcement: https://blog.mozilla.org/security/2018/11/14/when-does-firef...

It's also in the FAQ: https://support.mozilla.org/en-US/kb/firefox-monitor-faq

Just tried it, they specifically write "Breach data provided by Have I Been Pwned" at the end of results.

I thought the same when I initially was prompted about Firefox monitor at the bottom of Firefox's new tab page.

Was a little peeved at what seemed like a copy, but I have now realised it is just building on top of Troy's work [1] which is even better because of Firefox's larger reach.

They don't have to have a blinking marque text at the top attributing it to Have I Been Pwned. But they could have mentioned it on the front page somewhere that HIBP is one of their main sources. I trust HIBP, therefore, more value to Firefox Monitor had I known that link.

[1] https://www.troyhunt.com/were-baking-have-i-been-pwned-into-...

> I trust HIBP, therefore, more value to Firefox Monitor had I known that link.

If you trust HiBP, you don't really need Firefox Monitor. It was created specifically to reach people that HiBP could not reach.

HIBP only works because of trust in Troy Hunt, few organisations have that.

Maybe an organisation not involved in advertising at any level.

It's definitely trust in Troy, and the level of transparency he's maintained, that have led to HIBP being successful.

But I, personally, would now trust Mozilla with this, were there to take ownership.

I was just thinking, the only ones I can imagine taking ownership would be one of the "big internet foundations" that have earned their trust: Mozilla, the Internet Archive, Wikimedia, or the EFF. Of those, Mozilla and the EFF are the only ones that make real sense. I hope it's one of them, and not fucking Norton AntiVirus or whatever.

I agree about EFF - I'd be happy with Mozilla or EFF.

Could they leverage some sort of Troy partnership / oversight?

"Troy Approved!"

Mozilla is a good group, they've had missteps but I find them trustworthy and the combination would be pretty trustworthy IMO.

A Mozilla acquisition of HIBP could look alot like Mozilla buying HIBP from them, and then bringing Troy on board for a period of time as an evangelist, and the nature of being an open source, community focused org means that Troy could retain his ties to Mozilla as long as he wants to, as a staff member or volunteer.

I don't know how much has changed since I left Mozilla, but there were, and probably still are, a number of former employees and volunteer contributors that had a great degree of influence and input on various projects.

Heck, Troy might even be a good potential addition to the Mozilla board of directors at some point in the future.

It calls to mind the trust in Jon Postel, who managed DNS through IANA for about 10 years basically alone until his death in 1998 and IANA's subsequent transfer to ICANN (which had just been founded).

Since Troy will still be involved, hopefully he can steer things in a direction that benefits everyone - or at least warn the public otherwise.

I also think that HIBP is something of a "public good" and would be best for some sort of non-profit or another. Mozilla is possibly the best currently aligned, of course.

Another weird thought is that it's the sort of "baseline infrastructure" that should be "governmental" to the internet. Unfortunately the closest I can think to an existing model for that is ICANN and that may not be something to emulate.

I hope that the SHA1 hashes remain freely available for download. I use them to build a bloom filter for password vetting.

We should all do away with password complexity rules (except minimum length) and simply test a large, comprehensive exposed password bloom filter for membership. It's very fast (constant time) and efficient and if the test returns no, then it's safe for a user to select that password.

Here's the code: https://github.com/w8rbt/bp

Also note that this approach satisfies the updated (June 2017) NIST 800-63-3B password vetting guidelines.

Cool! I did something similar. First I used a bloom filter then a golomb set. https://github.com/terencechow/pwnedpasswords

Very nice. I've never used a Golomb Set (looks interesting). I bet we'll see more organizations doing this and maybe in five to ten years, it'll be the norm.

That doesn't work, because of hunter2 is in the PW database but hunter3 isn't, your system will think hunter3 is secure even though it's not.

I think it should be two step - checking against the list and if that passes, complexity check. Covers complex passwords that are known to have been in use/leaked and non-complex ones too.

Totally off topic, but still...: Many years ago, the New York Times did a lengthy piece about the Svalbard Seed Repository, referring to it as being located on "the island of Svalbard." It took repeated emails/corrections/tweets by me before they finally corrected the story and noted "Svalbard is not an island, it is an archipelago." All subsequent references in the Times have got it right.

Here is the correction, published on April 22, 2010: https://archive.nytimes.com/query.nytimes.com/gst/fullpage-9...

Here is the (corrected) original article — with correction appended — published on April 15, 2010: https://archive.nytimes.com/query.nytimes.com/gst/fullpage-9...

I'd like to see Let's Encrypt step up and run this service. Seems like a natural fit.

ProtonMail/ProtonVPN would also be a good fit, but I doubt they could afford it.

Just because they're tangentially related to infosec in some way doesn't mean they'd be a good fit.

IIRC aren't there actually privacy concerns regarding Proton? That may just be FUD.

Plus, I doubt they would maintain the level of transparency we've come to expect from HIBP. They don't seem very... transparent.

Why would they be a good fit?

It's a shame as this is likely to mean that we end up with a worse service, but completely understandable. hopefully, I will be proven wrong

This is really public utility work and should be treated like it instead of a for-profit project. Many thanks to Troy for his hard work over the years for making the internet a safer place.

Sad, but people don't like paying taxes..


Worth mentioning that the value of HIBP is largely based on trust in Troy Hunt. I think he’s an incredible guy who does incredible work; but he’s also an Australian citizen. Due to our new surveillance laws, he could be forced to backdoor HIBP, or more likely, Pwned Passwords.

This is possibly a step by Troy to mitigate that risk, and given his position I’m surprised he didn’t mention that at all in this post.

I think Troy probably has more than enough social credit to simply ask for help on Twitter and receive pro-bono legal representation if regulators somehow embarked on a misguided attempt to target him or HIBP.

What would backdooring HIBP achieve?

It's not a repository or method of communications.

Pwned Passwords uses tricky crypto to make sure his service never sees your full password. He could use trickier crypto to make sure that it does.

I think that's a bit of a reach.

That's all client/requester side, which has been implemented on third party sites/services. There'd be a lot of questions raised if suddenly it required that you use a different technique.

A more subtle and (IMO) more realistic variant would be to backdoor the javascript to capture all input on that site instead.

But you have to ask yourself - who would be the government target, in that case?

They'd have to:

- Have a technically sophisticated target where the government doesn't know their password, and is unable to otherwise break their security (eg forcing Google/Apple/Microsoft/etc to do the work, cloning devices, regular surveilance) - Have that same target also regularly test their passwords against a password strength meter on the public webpage. - Be willing to risk a public leak that this was happening.

I don't think that anyone who meets the first point would be stupid enough to meet the second. I mean, sure, people make plenty of dumb mistakes - but surely not that one, repeatedly.

It is a reach yes, but that doesn’t change the fact that Troy is in a position of trust; which may not be wise given his citizenship.

In some ways, wouldn't it be great if the internet had evolved with, analogously to DNS, 'User Name Servers', like a sort of global distributed IAM?

Leak monitoring would be a service provided by the UNS, not falling to a volunteer, and credential revocation could be automatic and immediate.

I suppose we sort of have that bolted on with OpenID/OAuth, but that's still 'choose a provider' rather than 'this is the one way', with many servers run by different entities, but one 'system'.

It's existed since 1988: LDAP/X.500[1] It's just not used globally because of three reasons, as far as I can tell,

1) most people don't want their information public and searchable to that extent

2) most orgs _want_ to silo you in or otherwise control your account

3) the org using x500 still needs to have their own permissions separate from the central directory, which is the harder part of auth[nz], so just rolling your own authn is often easier.

[1] https://en.wikipedia.org/wiki/X.500

Ah yes, and Shibboleth is another I should've thought of in earlier comment.

I think you're absolutely right in particular with #2.

But if it had come originally, alongside DNS, 'everything has an address, everyone has an identity', it might've been an unquestionable fact of the internet.

Orgs can't silo you in to their alternate net where they have a more desirable domain name, because it's just not practical or user friendly.

I just think it might have been so for user identity.

There is a recent RFC which applies the DNS to security checks for passwords, credit cards, etc. https://tools.ietf.org/html/rfc8567

At first glance it seems worth reading properly tomorrow. Except, '1 April', is it a gag RFC? (In a way, I suppose, it doesn't matter - those tend to be as worthwhile!)

The critical flaw (for users) of Oauth is that there is no portability between providers. Unlike a domain name, You can't move your login ID to a different provider

HIBP could be an excellent B2B offering for companies. Imagine someone like Microsoft offering it as an addon to their business clients to improve security practices.

Or a more independent company offering it as a standalone service, kinda like Mozilla (Monitor) or even something like Symantec (tho they seem to be bleeding money recently)

Mozilla monitor is just a front-end for HIBP though, as far as I've seen they exclusively get their results from HIBP.

1Password's Watchtower feature uses it, I'd pay a few bucks extra for the functionality if required.

Many people here assuming that Troy Hunt will leave HIBP after selling it. He explicitly mentions that he will remain a part of it:

> I'll remain a part of HIBP. I fully intend to be part of the acquisition, that is some company gets me along with the project. HIBP's brand is intrinsically tied to mine and at present, it needs me to go along with it.

HIBP has little value without Troy, so he has to come as part of the package.

But for his own well-being over time he needs to delegate and divest himself as the single bus factor for HIBP. But that does not have to happen instantly and can be gradual without affecting the value of HIBP (in money and usefulness for us).

Whoever purchases HIBP also knows this. And as with most acquisitions, they eventually oust the founders. But for it to be successful it is after a long time when it has properly matured into an organisation.

I understand his intent. This just isn't my first rodeo. It's not uncommon for there to be talk of grand intentions to stay on and lead after acquisition. It rarely works out that way.

> at present

I guess he's feeling the heat of sites that do more than parsing emails from SPAM lists. These sites include full cracked passwords, HIBP 2.0, see e.g. https://scatteredsecrets.com/.

Brewster Kahle, are you here? This seems like something in your wheelhouse.

I missed this verifications.io story and it appears that my personal email address was in the breach. Is there any way of knowing whether or not other data was associated with my listing? DOB etc.

It pains me to see how many posters on this thread are not aware of the leakedsource (.ru, .co, etc.) websites that show the exact thing HIBP shows, except with a much higher fidelity.

Good luck to Troy. The money would be really good, but hopefully for the rest of us, he doesn't sell to Cisco.

Or Oracle, or any other mega corps that buy and nerf the usefulness of the product.

I came here hoping it was something about Svalbard. I went there a couple years ago in the dead of winter. It's an amazing place.

Tell us more! I'm planning for a longyearbien/svalbard trip towards the end of this year or summer next year.

Sure, what do you want to know?

I went in the dead of winter, so might be a little different from what you might experience in summer. https://www.facebook.com/dheera/media_set?set=a.101010917929...

I wish you luck, Troy! Just don't sell it to some data mining/ad company.

Maybe relevant for Stripe? Based on their acquisition of Indie Hackers, it seems like they’re adept at this kind of acquisition. And online security contributes to their goal of increasing “the GDP of the internet.“

So many people saying the value of HIBP is the trust in Troy Hunt. But surely I'm not the only one that has used the service for years (and shared it with friends) without knowing anything about Troy Hunt...

Social credit and trust has a way of naturally propagating. Trust, beliefs, even world views are more often "caught" than deliberately and carefully chosen -- to the detriment of many. All it takes is a few liars with the appearance of trustworthiness to spread false beliefs very widely.

Note, my comment is not about Troy. Security-wise, I think the trust he carries is well-deserved.

The trust is coming from infosec people who are sharing their datasets with him, not really from users.

Troy is an awesome guy and I’m really happy that HIBP is outgrowing him to get more support, datasets, and features.

I hope Have I Been Pwned goes to the right people and they do an even better job at moving it forward! Kudos Troy

Guys whats the fuss about -- its just a stupid database - anyone can make this by scraping hacker spoil dumps available on the internet.

I hope that other companies will still be able to query to the database for free. 1Password does it now and I like it.


He's realised he's the single point of failure, can't do it all himself, wants to balance work & family. Doesn't want the work/cost of hiring people and making a business.

So, he's preparing to sell it and there's a wishlist of what he'd like the new owner to do.

Did I get it all?

Also he’ll stay on as part of the package.

His blog is really good, I have enjoyed reading his other posts as well.

TL;DR: Have I Been Pwned is for sale and is being renamed Project Svalbard. Troy is looking for buyers that will keep the service free, and he'll go work with the buyer.

AIUI, “Project Svalbard” is the name of the project to find a new home for HIBP. The actual service isn’t being renamed (yet).

It is indeed common to have a "project name" when buying/selling a company - but in my experience that has always been largely for reasons of secrecy, so it is a bit odd in this case.

wasn't HIBP going to a B2B SaaS that you hook up at signup to forbid users to signup with an email/password combination that has already been leaked? I'm a SaaS owner, I would pay for that.

So why was the owner of LeakedSource arrested and charged, and this guy isn't?

He did the same thing. Only instead of selling to hackers, he sold our hacked data to companies and governments.

I agree with your sentiment, but there is the difference in criminal intent with the former.

It's legal to sell armor piercing bullets, but marketing them as "cop killers" will not fly.

Does HIBP sell the raw data?

Nope. Though I suppose if HIBP itself were acquired, that would presumably include the raw data?

I sense trolling

How is making money from stolen data legal? My email address is in the database and I never consented to it. Is there no legal repercussion?

Best of luck Troy and keep up the good work!

I understand why Troy is doing this. Security is a big and a complex endeavor and having majority of the stuff done by himself alone is taking a toll.

One option that Troy could have done is to spin up a team / small company that would continue this project - with full control and guidance under his direction. That way, the trust that he has built from everyone at the community will be carried forward as the project progresses and matures further.

This will also allow visibility and transparency knowing that the people who would be working on this project will have access to him and everyone is on board on the direction moving forward.

Lots of companies / venture capitalists would be willing to support this cause which could provide the financing the project will need to be sustained and grow further.

He's still a Microsoft employee is he not?

Wonder if he couldn't just bring it in-house?

When has he ever worked for Microsoft? https://www.linkedin.com/in/troyhunt/

https://www.troyhunt.com/microsoft-regional-director/ - "I’m not going to work for Microsoft and despite the title of “Microsoft Regional Director”, I’m no more an employee than what I was (and still am) an MVP"

Ahh, the title has always thrown me off.

He was not a Microsoft employee. He is a MVP but worked for Pfizer iirc. Now he is with Pluralsight.

> Now he is with Pluralsight

You sure? As far I know, he's an independent now.

You're right, he once worte:

>I won’t be working for Pluralsight in the traditional sense of drawing a salary, but rather continuing to work with them on a heap of new things.

Summary: Troy is bored so he's selling out. Great.

I don't think it's fair to call someone who's clearly stressed and close to burnout 'bored'.

Can we move the project into a blockchain and run it on IPFS?

EDIT: Serious question, generate hashes out of the leaked logins, store them in a blockchain and provide an interface for lookup via IPFS. Those credentials are considered burned anyway so storing them for ever in a blockchain won't matter.

Being in a blockchain anyone can access the data and use them for example on a registration page.

HN has warped my view on these things so much that I'm not sure whether this is a genuine question or some kind of inside joke?

What value would a blockchain add here over a database?

A breach-monitoring service could act as a data washing service, sic.

Especially if privatized.

Blockchain is Very overrated, but it could be useful in keeping data "safe" where the temptation would exist to index or obscure results. Especially where data collection and censoring / disclosure has value to certain markets, i.e. Timed/rated or delayed disclosure, sic.

IDK, it's not impossible, but it's not my wheelhouse either.

I don't see any reuse or value to old databases and hashes being public, so it's missing that purpose to exist or be used/shared. Like a lot of blockchain is. It's not enough to exist, it has to be shared and kept alive. I suppose.

Still, If you look at the way AV and user security is handled, there are potential vectors to prevent or anticipate, especially if the process of disclosure is censored or segregated.

Perhaps also if they proactively lean towards purges or spontaneous negative actions, in order to obscure their intent or actual content / behavior.

HIBP relies on disclosure, and if it were woven into a typical service structure, there would be a temptation to "alleviate" the workload for customers, offering to "feed the beast" with positive results and competitive, defensive tactics against 3rd parties offering a similar product.

Which could segment the disclosure process, so that you would have multiple options, much the way that AV and Malware is handled.

And now you have the same failures as AV and Malware being segmented domains.

The probability of a corporation being incentivized to airbrush a 3rd party listing in a semi-corporate "index" or offering "alternatives" to anxious, very large corporations to disclosure or remediation. Especially if they deal with financial or legal data, or specific disclosure requirements.

And have problems with timely disclosure, or any disclosure.

Imagine if a clearing house for disclosure existed as a Symantec or Kaspersky "Subscription", with tiers of access and disclosure prevention for corporate members, wrapped up in a daily routine app, such as a 2FA/Password manager.

So that a disclosure would be made silently by the subscription service, without disclosing details, or the level of breach, etc. The accounts or corporations breached, would just have their entire client accounts auto-reset and the updated password would be applied to your password manager within a batch process without the user(s), the press, the security agencies, or the hacker(s) being notified.

That, instead of revealing the time period, the hashes of usernames & passwords, or the name of the user, or their IDs, it would just be rotated on a regular basis, and invisibly managed.

Its a concept with some value, ie "paranoid" security features as a service, to prevent or anticipate disaster, sic. But handled via a handshake type batch process of cycling password management.

But this also has potential for occlusion and obfuscation, especially in examples where the breach would be a crime, or need to be disclosed to federal/state/police agencies, etc.

Thankfully, most security policy would prevent this kind of amorphous takeover, but for small businesses and large businesses, having access security taken away and handled by 3rd parties, for convenience, is inevitable.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact