I cannot say enough praises of Troy and HIBP. But it is a risky operation.
I understand HIBP derives its value from grey-ish hats sharing with Troy any leaked dataset they find because they know him or because of his reputation.
If he leaves, it is not clear to me that his trust and reputation will stay behind with the company running HIBP. The minute HIBP ceases to be the central place for these new datasets to be shared, it ceases to be of any practical use.
> I'll remain a part of HIBP. I fully intend to be part of the acquisition, that is some company gets me along with the project. HIBP's brand is intrinsically tied to mine and at present, it needs me to go along with it.
He's made it pretty clear in the blog post that he intends to stay on and has acknowledged that his reputation plays an important part in making HIBP what it is.
I share your concern. This is similar to many problems in the InfoSec community which can not simply be solved by a corporation by throwing money at them but instead require long-term cultivation of contacts, trust and expertise by a few / single individuals, something that money can't buy.
Yet Troy uses all these companies to formulate his entire operation. What do you think he uses to verify whether the pastebin files are malicious or not? You think he wrote his own malware detection software?
Something to keep in mind is that the datasets being shared with Troy are almost all already available on underground forums, some openly, some for sale.
Raidforums and similar have them. You occasionally find them on reddit and small security blogs. I collect data breaches, and usually by the time you hear about one on HIBP it’s making the rounds on a variety of forums. Only on a few occasions has Troy actually gotten anything exclusive.
I don't know any off the top of my head (no, really.) but I'd bet searching DDG for "Hidden Wiki" and using tor hidden services would get you in the right direction, and probably put on a watch list or two.
It's quite interesting putting in various people's email addresses to see what sites they are linked to. Maybe once he has made some money out of it, a GDPR claim and financial settlement can be made as he's made no steps to control the data privacy of Europeans.
Yes, you're right, I'm sure that the guy who is at the forefront of campaigning about personal data protection, has been running this service for years, has advised governments on privacy breach regulation, and has contracts to help European governments monitor their domains for breaches, has no idea whatsoever about the most prominent personal data regulation regime in the world.
Authorities now handling it, out of my hands. I don't want my details appearing on that website so anyone who knows me can put in my email addresses (past and present) to see what hacked sites or databases it's appeared on.
It looks like he's based in Australia, so Europeans wouldn't have to worry too much about having tariffs rained down upon them in retribution. I say go for it.
Does this really fall foul of GDPR? I would have guessed that once your data is in the wild, there is nothing in GDPR that applies. GDPR puts certain responsibilities on groups you give your data to treat that data in certain ways in terms of who it is shared with, which would not seem to apply to someone offering a lookup of an in the wild dataset.
I'm curious if my naive understanding of this is wrong.
I’m not sure how GDPR applies to HIBP. GDPR is all about data that is shared by the user. But HIBP is about data that hasn’t been shared by a user, but rather, is available publicly.
You're not wrong, but purely from a practical standpoint, your data is out there and without a service like this to hold these companies to account, they could cover things up/downplay the situation/be too incompetent to know they've leaked data.
An operation like this levels the playing field and lets us collectively hold companies to their responsibilities.
"The regulation applies if the data controller (an organisation that collects data from EU residents), or processor (an organisation that processes data on behalf of a data controller like cloud service providers), or the data subject (person) is based in the EU. Under certain circumstances, the regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. The regulation does not apply to the processing of data by a person for a 'purely personal or household activity and thus with no connection to a professional or commercial activity.' (Recital 18)"
The EU laws apply to people and entities outside of the EU, he is not immune from these EU laws because he is affecting the lives of every European who has an email address in this website.
Only if in possession of the email address or domain name.
Where an email address or domain name has been taken over by someone else, then sending the results to the email address instead of currently showing it on the webpage doesn't solve the problem. This data set is ripe for blackmailers, intelligence services and any company looking for intelligence on rival businesses.
...if the password for said email address is already visible on the same page (assuming negligent password reuse) what kind of verification could you hope for?