Massive databases of user accounts seem to get hacked daily. The number of exposed accounts and passwords—usually encrypted weakly—has risen into the billions. Yet liability and embarrassment have left companies loathe to quickly disclose that they’ve been hacked.
That appears to be changing, in part due to new laws in effect or about to be in the European Union and some U.S. states, including California, that impose penalties on delays in notification.
But it’s also due to one Australian man’s accidental rise to the top of the account disclosure hack ecosystem. Troy Hunt’s Have I Been Pwned has data from over 305 breaches and 77,000 selective dumps (called “pastes”) that total over 5.3 billion account records.
At Hunt’s site, visitors can type in their email address to see if their info is part of any breach. But over 2o million people subscribe to his free email notification service. They get breach alerts that are often timed to the disclosure by a company that’s been hacked—or, when companies refuse to acknowledge Hunt’s efforts at ethical advance notice, before official words of a breach comes down at all.
Whenever Hunt adds details from another of the inevitable cavalcade of breaches from public and private sites, subscribers get email. The number of accounts involved range from tens of thousands to hundreds of millions. “Just in the last few days, people have sent me dozens of breaches,” Hunt says.
He also has a cache of over half a billion passwords in plain text that have been revealed at some point from break-ins. Via automated requests, he feeds about 8 million responses daily to services that check whether a given password has ever appeared in any breach—and he does this cleverly, so his service doesn’t need to receive people’s passwords, even briefly, to perform the checking.
Have I Been Pwned’s name riffs on “pwned,” a term from 2000s-era youth culture that loosely means someone has dominated you, or “owned” you, in a videogame—or by hijacking some digital possession of yours. It’s now used routinely in the world of those who exploit system weakness for good or ill as a term of art.
Based in Gold Coast, Queensland, not far from Brisbane, Hunt works full-time for himself as a security consultant, speaker, and trainer. Have I Been Pwned takes up about 20% of his time, he says, often in the form of work on evenings, weekends, and holidays. It’s a solo effort, and he’s kept costs low by using cloud services and through constant efforts to improve efficiency.
Hunt’s site feels like a throwback to the early, idealistic days of the public internet. He says that his objective has always been, “how do we make good things happen after bad things happen?” He simply created something useful to fill a void that nobody with deeper pockets had addressed.
Unethical behavior, ethical response
Hunt was motivated to create Have I Been Pwned in 2013 as his response to growing concerns that breaches—such as that year’s leak of 150 million Adobe accounts—would result in a rash of exploitation. “I was seeing a huge prevalence of data breaches with accounts in them where I thought, on the one hand, people probably don’t know about this [breach] and they really should,” Hunt says. “On the other hand, I was finding quantifiable evidence of some of the things we know about the way in which people manage their online security.”
Multiple breaches confirmed that many people really do use a single password across multiple services. (A 2013 study by U.K. regulator Ofcom had found 55% of people used the same password for all their accounts, and a quarter used a birthdays or names.) Reusing passwords—even difficult-to-guess ones—is problematic, of course, because someone who’s obtained your password for one account can then try the same email and password combination at any other site they choose. They can even use automated tools to try to log in to thousands of sites.
Back in 2013, when Hunt was formulating his plans, the use of two-factor authentication—which is designed to foil interlopers even if they have your password—was much rarer. But even some sites with two-factor authentication will let you bypass it by requesting a password reset via email, possibly using an email account with a password that has itself been breached.
It’s one thing to tediously crack passwords one at a time, using social engineering, keystroke loggers, and other methods. It’s another to gain access to an account database, especially one that gets leaked publicly. With the method commonly used to encrypt passwords a few years ago—and still in unfortunately wide use today—crackers can use precomputed databases of encrypted versions of the most common passwords and instantly match them. This typically unlocks a huge percentage of account passwords, because people largely use simple passwords or ones that follow easy-to-anticipate patterns.
On top of that, with typical password encryption, if 100,000 people on a site use the same password, an intrepid identity thief instantly gains 100,000 account/password combinations they can try elsewere.
For years, developers have had access to far stronger tools that make every password’s encrypted version unique, and that require vastly more computation to crack each password. These readily available options aren’t widely deployed, though, as is made clear with every new breach.
Users can minimize their exposure by creating unique passwords for each site using password managers, some of which are now built into operating systems and browsers. But many don’t take advantage of these tools. Even people who listen to conventional wisdom about creating strong passwords may be following advice that is completely wrong and has been for years. And many of us have old accounts for which we haven’t changed passwords in many years, even if we now have the unique password religion.
Hunt reasoned that one way to help deter the extent of this problem was to build a site in which people could check whether their email address matched any publicly released breaches. Data from many major breaches is publicly available—sometimes because bad guys have intentionally released it to cause havoc. (In most of these dumps, the passwords were encrypted, but so weakly that it didn’t take much expertise to determine them via brute-force cracking.) He later added a service that lets visitors sign up to receive a message if their address appeared in any breach he subsequently added.
While anyone can type in an email address and see which breaches include it, Hunt marks some data leaks as sensitive, like that of the infidelity-encouraging Ashley Madison dating site. In these cases, to prevent anyone from using Have I Been Pwned to check on someone else’s online activity, matches are only sent via email to the addresses in question and don’t appear in the public site search.
Have I Been Pwned also doesn’t provide any linkage between email addresses and passwords. If someone emails Hunt to ask what password is associated with an account, his reply is, “It’s the one you put in there.”
Hunt’s careful stewardship of the data he’s collected stands in contrast to free and paid sites that provide access to full exposed records, marking a sharp delineation between information largely useful only to the party searching for their address and details that could allow identity theft and account hijacking. For instance, the site LeakedSource.com charged a fee to gain access to full details—including passwords it decrypted—all without verifying identity. Law enforcement seized its servers in January 2017 and Canadian authorities charged one man in January 2018 with trafficking in identity information among other alleged crimes. Hunt never planned to do anything like this, but staying as far away from the idea as possible proved prudent.
Doing the right thing
Have I Been Pwned’s high profile and Hunt’s methodical approach to disclosure makes his work a time sink. People routinely send him information about breaches they find, sometimes involving tiny numbers of people in, say, a private medical practice. Hunt says that such information comes from both “black hats” who want to show off their hacking prowess to him and “white hats” who want to do the right thing. Both groups are worried about how to handle the niceties of such disclosures themselves without potentially landing in hot water.
He doesn’t want to add any breach to his site before he’s made sure the affected group knows about it. Some don’t reply, especially small organizations. He’s had some bellicose responses, too, as when he couldn’t raise an alarm at a fan-fiction site and notified its users before the site’s administrators took action. Hunt says the site’s operators denied a breach, froze discussion threads, and cast aspersions on his legitimacy.
That sort of response does wear him down. “Not this again,” he thinks to himself. “I’ve got to go through this pain.”
However, he’s been buoyed by a change happening among larger firms, partly due to what he describes as a change in user attitudes. “The shift that I’ve seen in consumer sentiment towards breaches, especially in the last year, has shifted from ‘these guys suck, because they had a data breach’ to ‘ah, data breaches suck, [but] they only suck if they handle it badly,'” he says.
According to Hunt, companies also now seem more ready to acknowledge the problem and contact registered users immediately. Some firms appear to be tracking email addresses released in other breaches, and warn users of their service about the potential of a reused password, or preemptively reset the user account password just in case.
Data-privacy laws have put some teeth into the legal side, which should cause companies’ legal counsels and even boards of directors to push for better security and disclosure. The European Union’s General Data Protection Regulation calls for severe penalties for the worst offenses. California’s new Consumer Privacy Act, which takes effect on January 1, 2020, is weaker than the GDPR, but still has teeth and can impose significant fines for misleading or negligent behavior. Alabama and North Dakota passed data-breach laws in the wake of 2017’s Equifax breach of nearly 150 million consumer records. These and other rules favor companies that disclose promptly and fully; delays and other shenanigans bring on heavy fines.
Hunt notes with strong approval that discussion platform Disqus and image host Imgur both made full disclosures within 24 hours of him contacting them. He says both firms forthrightly explained the breaches to their users, detailed what they did in response, and offered apologies.
Paying the bills
For something that’s so useful to so many people, Have I Been Pwned is remarkably economical to run. In June 2018, Hunt tweeted about his expenses in a way that sounded, fleetingly, as if the site was weighing him down financially. And he did once spend in the low hundreds of dollars per month on the necessary web services. But his big reveal was that in June, he’d gotten that cost down to about a buck a day. Since then, he’s made more tweaks, and the necessary Microsoft Azure cloud services now cost him roughly 2.6¢ a day.
A few supporters help subsidize Have I Been Pwned in modest ways. Cloudflare gives him complimentary access to its content-distribution and attack-mitigation services, but Hunt says his costs would be roughly a dollar a day if he paid for them. He also receives some assistance for his outgoing email, which helps given that his site sends out hundreds of thousands of emails a month.
As a one-man, part-time band, Have I Been Pwned has served Hunt well beyond any direct financial compensation. What he’s learned from building a service that has had to scale translates directly into his money-making consulting and training practice. But he’s also taken on a few revenue streams to offset his hard costs and as recompense for the many hundreds of hours he’s poured into the service over five years.
Anyone can use his password-checking operation for free, and even download the full version of the Have I Been Pwned database. However, Hunt also offers a fee-based service for companies that want consistent, high-volume access to perform live queries. Customers include Eve Online, MyLife, and AgileBits (the maker of the 1Password password manager, which also has a paid sponsorship deal with Hunt), as well as some unnamed security firms. This commercial endeavor serves a greater purposes by helping these companies keep users from using passwords already out in the wild.
A higher profile
In November 2017, Hunt came to Washington, D.C., invited to testify in front of the U.S. House Energy and Commerce Committee about data breaches, their impact, and potential mitigations. He noted to the committee that the combined impact of data breaches was eroding the sense of our personal details being private enough to work to validate a login or our identity. He also expressed a desire for improved education, because most breaches arose from misconfiguration. In the Equifax case, for instance, the company’s series of bad decisions about security were only laid bare because one public-facing computer had an outdated software patch on it.
This testimony reflected how far Hunt’s efforts have come. But as a one-man company, he’s aware that he’s a sole point of failure. While he’s thought about hiring staff, he notes, “I can’t delegate my credibility.”
Hunt’s primary concern isn’t time, but liability. He worries that sharing more information from breaches with users could open him up to risk that he can’t bear, but which would be well within the abilities of a larger company with a staff of engineers, security architects, and lawyers. That’s led him to consider selling his service. But it has to be the right company, and, for now, he hasn’t found such a firm and it hasn’t found him.
For the foreseeable future, Hunt’s solo operation down under will continue to be indispensable. Have I Been Pwned’s millions of subscribers testify to its importance on today’s leaky internet. And the sad part is that it will only become more popular over time.