The future of Have I Been Pwned

Security researcher Troy Hunt has published a blog post about the future of his “Have I Been Pwned” data breach directory.

Have I Been Pwned is an invaluable platform for the security-conscious, allowing visitors to check their email against a massive collection of historical data breaches to determine if their login credentials have ever been compromised.

The website collates information on breaches and pastes from various sources, with its collection of data comprising almost eight billion pwned accounts across 366 websites.

Hunt first started Have I Been Pwned in 2013 with the aim of raising awareness around the prevalence of data breaches, and the platform has since grown to include some of the biggest data breaches in the world.

In 2017, Hunt uncovered the Master Deeds database leak, in which “tens of millions” of South African identities were exposed to attackers due to a vulnerability in a government database.

At the time, Hunt said this leak was one of the worst he had ever seen, as it included personal information such as ID numbers, email addresses, physical addresses, birth dates, and more.

This was not the only South African leak covered by the Have I Been Pwned platform, with the eThekwini municipality, Ster-Kinekor, and ViewFines breaches also being added to the directory as they were discovered.

Growing up

Hunt said that while he has single-handedly built and managed Have I Been Pwned to date, it is now time for the website to grow up.

With nearly three million people subscribed to data breach notifications and millions of hits to the web pages and to the platform through API requests, Have I Been Pwned has grown beyond the capabilities of a single person to manage, he said.

“To date, every line of code, every configuration and every breached record has been handled by me alone. There is no ‘HIBP team’, there’s one guy keeping the whole thing afloat.”

Hunt said the growing number of users and the reliance of corporate entities on the Have I Been Pwned database have made it stressful to run the service. He subsequently scaled back his social media interaction and has begun engaging with potential buyers for the platform.

After meeting with KPMG’s mergers and acquisitions team, Hunt decided to put the service up for potential acquisition, a move he codenamed Project Svalbard after a region in Norway which houses the Global Seed Vault.

Hunt said that he is carefully looking at interested organisations to determine which will help him to achieve his vision for the future of the service.

The future

Hunt admitted that he does not necessarily know how an acquisition would affect Have I Been Pwned, but did stress the following points:

  • Freely-available consumer searches should remain freely-available.
  • Hunt will remain a part of Have I Been Pwned.
  • The capabilities of the platform will be built out extensively.
  • It will aim to reach a much larger audience.
  • It will focus more on changing consumer behaviour.
  • It will offer more to organisations and businesses.
  • It will aim to deliver more disclosure and more data.

“In considering which organisations are best positioned to help me achieve this, there’s a solid selection that are at the front of my mind,” Hunt said.

“There’s also a bunch that I have enormous respect for but are less well-equipped to help me achieve this.”

Hunt said he would be working closely with KPMG on Project Svalbard, and he is already in early discussions with organisations who are interested in acquiring Have I Been Pwned.
