Category: Have I Been Pwned
-
Welcoming the Bhutanese Government to Have I Been Pwned
Today, we welcome the 45th government onboarded to Have I Been Pwned’s free gov service: Bhutan. The Bhutan Computer Incident Response Team, BtCIRT, now has access to monitor Bhutanese government domains against the data in HIBP. As Bhutan’s national CIRT, BtCIRT is responsible for consuming threat…
-
Welcoming the Bahamian Government to Have I Been Pwned
Today, we welcome the 44th government onboarded to Have I Been Pwned’s free gov service: The Bahamas. The National Computer Incident Response Team of The Bahamas, CIRT-BS, now has access to monitor government domains against the data in HIBP. As the national CIRT, CIRT-BS is responsible…
-
Welcoming the Bangladesh Government to Have I Been Pwned
Today, we welcome the 43rd government onboarded to Have I Been Pwned’s free gov service, Bangladesh. The BGD e-GOV CIRT department now has full access to query all their government domains via API, and monitor them against future breaches. Bangladesh joins a growing list of national…
-
Welcoming the Costa Rican Government to Have I Been Pwned
Today, we welcome the 42nd government onboarded to Have I Been Pwned’s free gov service: Costa Rica. The CSIRT of the Government of Costa Rica now has access to monitor government domains against the data in HIBP. This enables their national cybersecurity incident response team…
-
Here’s What Agentic AI Can Do With Have I Been Pwned’s APIs
I love cutting-edge tech, but I hate hyperbole, so I find AI to be a real paradox. Somewhere in that whole mess of overnight influencers, disinformation and ludicrous claims is some real “gold” – AI stuff that’s genuinely useful and makes a meaningful…
-
HIBP Mega Update: Passkeys, k-Anonymity Searches, Massive Speed Enhancements and a Bulk Domain Verification API
For a hobby project built in my spare time to provide a simple community service, Have I Been Pwned sure has, well, “escalated”. Today, we support hundreds of thousands of website visitors each day, tens of millions of API queries,…
-
Who Decides Who Doesn’t Deserve Privacy?
Remember the Ashley Madison data breach? That was now more than a decade ago, yet it arguably remains the single most noteworthy data breach of all time. There are many reasons for this accolade, but chief among them is that by virtue of the site being expressly designed to…
-
Processing 630 Million More Pwned Passwords, Courtesy of the FBI
The sheer scope of cybercrime can be hard to fathom, even when you live and breathe it every day. It’s not just the volume of data, but also the extent to which it replicates across criminal actors seeking to abuse it for their own gain,…
-
Why Does Have I Been Pwned Contain “Fake” Email Addresses?
Normally, when someone sends feedback like this, I ignore it, but it happens often enough that it deserves an explainer, because the answer is really, really simple. So simple, in fact, that it should be evident to the likes of Bruce, who decided his misunderstanding…
-
2 Billion Email Addresses Were Exposed, and We Indexed Them All in Have I Been Pwned
I hate hyperbolic news headlines about data breaches, but for the “2 Billion Email Addresses” headline to be hyperbolic, it’d need to be exaggerated or overstated – and it isn’t. It’s rounded up from the more precise number of…
-
Inside the Synthient Threat Data
Where is your data on the internet? I mean, outside the places you’ve consciously provided it, where has it now flowed to and is being used and abused in ways you’ve never expected? The truth is that once the bad guys have your data, it often replicates over and over…
-
Court Injunctions are the Thoughts and Prayers of Data Breach Response
You see it all the time after a tragedy occurs somewhere, and people flock to offer their sympathies via the “thoughts and prayers” line. Sympathy is great, and we should all express that sentiment appropriately. The criticism, however, is that the line is often…
-
Welcoming CERN to Have I Been Pwned
It’s hard to explain the significance of CERN. It’s the birthplace of the World Wide Web and the home of the largest machine ever built, the Large Hadron Collider. The bit that’s hard to explain is, well, I mean, look at it! Charlotte and I visited CERN in…
-
HIBP Demo: Querying the API, and the Free Test Key!
One of the most common use cases for HIBP’s API is querying by email address, and we support hundreds of millions of searches against this endpoint every month. Loads of organisations use this service to understand the exposure of their customers and provide them with…
-
Have I Been Pwned Demos Are Now Live!
Well, one of them is, but what’s important is that we now have a platform on which we can start pushing out a lot more. It’s not that HIBP is a particularly complex system that needs explaining in any depth, but we still get a lot of…
-
Get Pwned, Get Local Advice From a Trusted Gov Source
We were recently travelling to faraway lands, doing meet and greets with gov partners, when one of them posed an interesting idea: What if people from our part of the world could see a link through to our local resource on data breaches provided by…
-
Welcoming Guardio to Have I Been Pwned’s Partner Program
I’m often asked if cyber criminals are getting better at impersonating legitimate organisations in order to sneak their phishing attacks through. Yes, they absolutely are, but I also argue that the inverse is true too: legitimate organisations frequently communicate in ways that are indistinguishable from a…
-
Good Riddance Teespring, Hello Fourthwall
If I’m honest, I was never that keen on a merch store for Have I Been Pwned. It doesn’t make the code run faster, nor does it load any more data breaches or add any useful features to the service whatsoever. But… people were keen. They wanted swag they could…
-
Welcoming Aura to Have I Been Pwned’s Partner Program
One of the greatest fears we all have in the wake of a data breach is having our identity stolen. Nefarious parties gather our personal information exposed in the breach, approach financial institutions and then impersonate us to do stuff like this: So I recently somewhat…
-
Welcoming Push Security to Have I Been Pwned’s Partner Program
As we gradually roll out HIBP’s Partner Program, we’re aiming to deliver targeted solutions that bridge the gap between being at risk and being protected. HIBP is the perfect place to bring these solutions to the forefront, as it’s often the point at which individuals…
-
Welcoming Truyu to Have I Been Pwned’s Partner Program
I always used to joke that when people used Have I Been Pwned (HIBP), we effectively said “Oh no – you’ve been pwned! Uh, good luck!” and left it at that. That was fine when it was a pet project used by people who live in…
-
Have I Been Pwned 2.0 is Now Live!
This has been a very long time coming, but finally, after a marathon effort, the brand new Have I Been Pwned website is now live! Feb last year is when I made the first commit to the public repo for the rebranded service, and we soft-launched the…
-
After the Breach: Finding new Partners with Solutions for Have I Been Pwned Users
For many years, people would come to Have I Been Pwned (HIBP), run a search on their email address, get the big red “Oh no – pwned!” response and then… I’m not sure. We really didn’t have much guidance until we…
-
The Have I Been Pwned Alpine Grand Tour
I love a good road trip. Always have, but particularly during COVID when international options were somewhat limited, one road trip ended up, well, “extensive”. I also love the recent trips Charlotte and I have taken to spend time with many of the great agencies we’ve worked…
-
Welcoming The Gambia National CSIRT to Have I Been Pwned
Today, we’re happy to welcome the Gambia National CSIRT to Have I Been Pwned as the 38th government to be onboarded with full and free access to their government domains. We’ve been offering this service for seven years now, and it enables national CSIRTs to…
-
You’ll Soon Be Able to Sign in to Have I Been Pwned (but Not Login, Log in or Log On)
How do seemingly little things manage to consume so much time?! We had a suggestion this week that instead of being able to login to the new HIBP website, you should instead be able to…
-
Soft-Launching and Open Sourcing the Have I Been Pwned Rebrand
Designing the first logo for Have I Been Pwned was easy: I took a SQL injection pattern, wrote “have i been pwned?” after it and then, just to give it a touch of class, put a rectangle with rounded corners around it: Job done! I…
-
We’re Backfilling and Cleaning Stealer Logs in Have I Been Pwned
I think I’ve finally caught my breath after dealing with those 23 billion rows of stealer logs last week. That was a bit intense, as is usually the way after any large incident goes into HIBP. But the confusing nature of stealer logs coupled…
-
Processing 23 Billion Rows of ALIEN TXTBASE Stealer Logs
I like to start long blog posts with a tl;dr, so here it is: We’ve ingested a corpus of 1.5TB worth of stealer logs known as “ALIEN TXTBASE” into Have I Been Pwned. They contain 23 billion rows with 493 million unique website and email address…
-
Experimenting with Stealer Logs in Have I Been Pwned
TL;DR — Email addresses in stealer logs can now be queried in HIBP to discover which websites they’ve had credentials exposed against. Individuals can see this by verifying their address using the notification service and organisations monitoring domains can pull a list back via a new API.…
-
“Pwned”, The Book, Is Now Available for Free
Nearly four years ago now, I set out to write a book with Charlotte and Rob. It was the stories behind the stories, the things that drove me to write my most important blog posts, and then the things that happened afterwards. It’s almost like a collection of…
-
Closer to the Edge: Hyperscaling Have I Been Pwned with Cloudflare Workers and Caching
I’ve spent more than a decade now writing about how to make Have I Been Pwned (HIBP) fast. Really fast. Fast to the extent that sometimes, it was even too fast: The response from each search was coming back so quickly…
-
Inside the DemandScience by Pure Incubation Data Breach
Apparently, before a child reaches the age of 13, advertisers will have gathered more than 72 million data points on them. I knew I’d seen a metric about this sometime recently, so I went looking for “7,000”, which perfectly illustrates how unaware we are of the extent of…