Category: troyhunt

  • Welcoming the Philippine Government to Have I Been Pwned

    Welcoming the Philippine Government to Have I Been Pwned Today, we welcome the 46th government onboarded to Have I Been Pwned’s free gov service: the Philippines. The Philippines’ National CERT, working with the Department of Information and Communications Technology, now has access to monitor official government domains against the data in HIBP. This gives their…

  • 1,000 Data Breaches Later, the Disclosure Lag is Worse Than Ever

    1,000 Data Breaches Later, the Disclosure Lag is Worse Than Ever Today, I loaded the 1,000th data breach into Have I Been Pwned. Reflecting on that milestone number, I pondered how to mark the occasion in writing, and what immediately came to mind was a very simple question: why is it still needed? Especially considering…

  • Weekly Update 506

    Weekly Update 506 I’m finding it quite fascinating to watch the current spate of ShinyHunters breaches and dumps. There’s the obvious criminality of it all, but then there’s also the response from organisations (or lack thereof, as it relates to disclosure to victims), the appearance and disappearance of victims on their dark web site, the…

  • Welcoming the Bhutanese Government to Have I Been Pwned

    Welcoming the Bhutanese Government to Have I Been Pwned Today, we welcome the 45th government onboarded to Have I Been Pwned’s free gov service: Bhutan. The Bhutan Computer Incident Response Team, BtCIRT, now has access to monitor Bhutanese government domains against the data in HIBP. As Bhutan’s national CIRT, BtCIRT is responsible for consuming threat…

  • Weekly Update 505

    Weekly Update 505 Well, that didn’t last long! Recording this on Saturday morning my time, I observed ShinyHunters having gone quiet since the massive haul that would have been the Instructure ransom. It was two weeks almost to the hour since I’d first heard rumour of payment being made, and I posited that groups like…

  • Weekly Update 504

    Weekly Update 504 It’s a hot topic, the old “pay or don’t pay” for hackers not to leak your data. Since recording this a few days ago, we’ve had Grafana go with the “no pay” approach, and I’ve seen a raft of commentary around other companies reaching “agreements”, which is a much politer way of…

  • Welcoming the Bahamian Government to Have I Been Pwned

    Welcoming the Bahamian Government to Have I Been Pwned Today, we welcome the 44th government onboarded to Have I Been Pwned’s free gov service: The Bahamas. The National Computer Incident Response Team of The Bahamas, CIRT-BS, now has access to monitor government domains against the data in HIBP. As the national CIRT, CIRT-BS is responsible…

  • Welcoming the Bangladesh Government to Have I Been Pwned

    Welcoming the Bangladesh Government to Have I Been Pwned Today, we welcome the 43rd government onboarded to Have I Been Pwned’s free gov service, Bangladesh. The BGD e-GOV CIRT department now has full access to query all their government domains via API, and monitor them against future breaches. Bangladesh joins a growing list of national…

  • Welcoming the Costa Rican Government to Have I Been Pwned

    Welcoming the Costa Rican Government to Have I Been Pwned Today, we welcome the 42nd government onboarded to Have I Been Pwned’s free gov service: Costa Rica. The CSIRT of the Government of Costa Rica now has access to monitor government domains against the data in HIBP. This enables their national cybersecurity incident response team…

  • Weekly Update 503

    Weekly Update 503 Well, it’s the day before the Instructure “pay or leak” deadline (at least by my Aussie watch), and the company remains removed from the ShinyHunters website. In its place sits a press statement that amounts to “we’re not making any statements”. So did they pay? And if so, what lofty figure would…

  • Weekly Update 502

    Weekly Update 502 It’s a fascinating display of leverage: the ShinyHunters folks, with very limited resources and experience (their demographic will be teenagers to their early 20s), consistently gaining access to the data of massive brands. Not through technical ingenuity alone (although I’m sure there’s a portion of that), but primarily through good ol’ social…

  • Weekly Update 501

    Weekly Update 501 This is so “peak 2026” – writing an equality policy to ensure people treat our AI bot with the same respect as they do their human counterparts. It’s intentionally a bit tongue-in-cheek, but it’s there for a purpose: we simply don’t have the capacity to deal with every request we get, and…

  • Weekly Update 500

    Weekly Update 500 Looking back at this milestone video, it’s the audience question towards the end I liked most: “are you happy”? Charlotte and I have chosen a path that’s non-traditional, intense and at times, pretty stressful. There’s no clear delineation of when work starts and ends, no holidays where we don’t work, nor weekends,…

  • Here’s What Agentic AI Can Do With Have I Been Pwned’s APIs

    Here’s What Agentic AI Can Do With Have I Been Pwned’s APIs I love cutting-edge tech, but I hate hyperbole, so I find AI to be a real paradox. Somewhere in that whole mess of overnight influencers, disinformation and ludicrous claims is some real “gold” – AI stuff that’s genuinely useful and makes a meaningful…

  • Weekly Update 499

    Weekly Update 499 I’m starting to become pretty fond of Bruce. Actually, I’ve had a bit of an epiphany: an AI assistant like Bruce isn’t just about auto-responding to tickets in an entirely autonomous manner; it’s also pretty awesome at responding with just a little bit of human assistance. Charlotte and I both replied to…

  • Weekly Update 498

    Weekly Update 498 This week, more time than I’d have liked to spend went on talking about the trials of chasing invoices. This is off the back of a customer (who, for now, will remain unnamed), who had invoices stacking back more than 6 months overdue and despite payment terms of 30 days, paid on…

  • Weekly Update 497

    Weekly Update 497 Day by day, I find we’re eking more goodness out of OpenClaw and finding the sweet spot between what the humans do well and the agent can run off and do on its own. Significantly, we’re shifting more and more of the workload to the latter as all 3 of us at…

  • HIBP Mega Update: Passkeys, k-Anonymity Searches, Massive Speed Enhancements and a Bulk Domain Verification API

    HIBP Mega Update: Passkeys, k-Anonymity Searches, Massive Speed Enhancements and a Bulk Domain Verification API For a hobby project built in my spare time to provide a simple community service, Have I Been Pwned sure has, well, “escalated”. Today, we support hundreds of thousands of website visitors each day, tens of millions of API queries,…

  • Weekly Update 496

    Weekly Update 496 Watching OpenClaw do its thing must be like watching the first plane take flight. It’s a bit rickety and stuck together with a lot of sticky tape, but squint and you can see the potential for agentic AI to change the world as we know it. And I don’t think that’s hyperbolic.…

  • Weekly Update 495

    Weekly Update 495 In the beginning, it was simple. A website, a database and 150M+ email addresses to search. Time has added serverless functions (which run on servers 🤷‍♂️), code on the edge, new data storage constructs and a completely different mechanism for even just querying a simple email address. HIBP is a continually evolving…

  • Weekly Update 494

    Weekly Update 494 Since starting HIBP a dozen and a bit years ago, I’ve loaded an average of one breach every 4.7 days. That’s 959 of them to date, but last week it was five in only two days. That’s a few weeks’ worth of breaches in only 48 and a half hours. And that’s…

  • Weekly Update 493

    Weekly Update 493 The Odido breach leaks were towards the beginning during this week’s update. I recorded it the day after the second dump of data had hit, with a third dump coming a few hours later, and a final dump of everything the day after that. From what I hear, it dominated the news…

  • Weekly Update 492

    Weekly Update 492 The recurring theme this week seems to be around the gap between breaches happening and individual victims finding out about them. It’s tempting to blame this on the corporate victim of the breach (the hacked company), but they’re simultaneously dealing with a criminal intrusion, a ransom demand, and class-action lawyers knocking down…

  • Weekly Update 491

    Weekly Update 491 Well, the ESP32 Bluetooth bridge experiment was a complete failure. Not the radios themselves, they’re actually pretty cool, but there’s just no way I could get the Yale locks to be reliably operated by them. At a guess, BLE is a bit too passive to detect state changes, and unless it was…

  • Weekly Update 490

    Weekly Update 490 A big “thank you” to everyone who helped me troubleshoot the problem with my “Print Screen” button on the new PC. Try as we all might, none of us could figure out why it refused to bind to SnagIt and instead insisted on dumping the entire collection of screens to a file…

  • Weekly Update 489

    Weekly Update 489 This week I’m in Hong Kong, and the day after recording, I gave the talk shown in the image above at INTERPOL’s Cybercrime Expert Group. I posted a little about this on Facebook and LinkedIn, but thought I’d expand on what really stuck with me after watching other speakers: the effort agencies…

  • Weekly Update 488

    Weekly Update 488 It’s the discussion about the reaction of some people in the UK regarding their impending social media ban for under 16s that bugged me most. Most notable was the hand-waving around “the gov is just trying to siphon up all our IDs” and “this means everyone will have to show ID, not…

  • Weekly Update 487

    Weekly Update 487 I thought Scott would cop it first when he posted about what his solar system really cost him last year. “You’re so gonna get that stupid AI-slop response from some people”, I joked. But no, he got other stupid responses instead! And I got the AI-slop responses! Draw your own conclusions on…

  • Weekly Update 486

    Weekly Update 486 I’m in Oslo! Flighty is telling me I’ve flown in or out of here 43 times since a visit in 2014 set me on a new path professionally and, many years later, personally. It’s special here, like a second home that just feels… right. This week, the business end of things is…

  • Who Decides Who Doesn’t Deserve Privacy?

    Who Decides Who Doesn’t Deserve Privacy? Remember the Ashley Madison data breach? That was now more than a decade ago, yet it arguably remains the single most noteworthy data breach of all time. There are many reasons for this accolade, but chief among them is that by virtue of the site being expressly designed to…

  • Weekly Update 485

    Weekly Update 485 15 mins and 40 seconds. That’s how long it took to troubleshoot the first tech problem of 2026, and that’s how far you’ll need to skip through this video to hear the audio at normal volume. The problem Scott and I had is analogous to the troubleshooting so many of us do…

  • Weekly Update 484

    Weekly Update 484 I think the start of this week’s video really nailed it for the techies amongst us: shit doesn’t work, you change something random and now shit works and you have no idea why 🤷‍♂️ Such was my audio this week and apologise to those of you watching the video below for the…

  • Weekly Update 483

    Weekly Update 483 Building out an IoT environment is a little like the old Maslow’s Hierarchy of Needs. All the stuff on the top is only any good if all the stuff on the bottom is good, starting with power. This week, I couldn’t even get that right, but thankfully, sparky to rescue and ensuite…

  • Weekly Update 482

    Weekly Update 482 Perhaps it’s just the time of year where we all start to wind down a bit, or maybe I’m just tired after another massive 12 months, but this week’s vid is way late. Ok, going away to the place that had just been breached (ironic!) didn’t help, but I think in general…

  • Processing 630 Million More Pwned Passwords, Courtesy of the FBI

    Processing 630 Million More Pwned Passwords, Courtesy of the FBI The sheer scope of cybercrime can be hard to fathom, even when you live and breathe it every day. It’s not just the volume of data, but also the extent to which it replicates across criminal actors seeking to abuse it for their own gain,…

  • Weekly Update 481

    Weekly Update 481 Twelve years (and one day) since launching Have I Been Pwned, it’s now a service that Charlotte and I live and breathe every day. From the first thing every morning to the last thing each day, from holidays to birthdays, in sickness and in heal… wait a minute – did we marry…

  • Why Does Have I Been Pwned Contain “Fake” Email Addresses?

    Why Does Have I Been Pwned Contain “Fake” Email Addresses? Normally, when someone sends feedback like this, I ignore it, but it happens often enough that it deserves an explainer, because the answer is really, really simple. So simple, in fact, that it should be evident to the likes of Bruce, who decided his misunderstanding…

  • Weekly Update 480

    Weekly Update 480 Well, I now have the answer to how Snapchat does age verification for under-16s: they give an underage kid the ability to change their date of birth, then do a facial scan to verify. The facial scan (a third party tells me…) allows someone well under 16 to pass it easily. So,…

  • Weekly Update 479

    Weekly Update 479 I gave up on the IoT water meter reader. Being technical and thinking you can solve everything with technology is both a blessing and a curse; dogged persistence has given me the life I have today, but it has also burned serious amounts of time because I never want to let a…

  • Weekly Update 478

    Weekly Update 478 This week, it was an absolute privilege to be at Europol in The Hague, speaking about cyber offenders and at the InterCOP conference and spending time with some of the folks involved in the Operation Endgame actions. The latter in particular gave me a new sense of just how much coordination is…

  • Weekly Update 477

    Weekly Update 477 What. A. Week. It wasn’t just the preceding weeks of technical pain as we tried to work out how to get this data loaded, it was all the subsequent queries we had to deal with too. Some of them are totally understandable, whilst others just resulted in endless facepalms 🤦‍♂️ But we…

  • 2 Billion Email Addresses Were Exposed, and We Indexed Them All in Have I Been Pwned

    2 Billion Email Addresses Were Exposed, and We Indexed Them All in Have I Been Pwned I hate hyperbolic news headlines about data breaches, but for the “2 Billion Email Addresses” headline to be hyperbolic, it’d need to be exaggerated or overstated – and it isn’t. It’s rounded up from the more precise number of…

  • Weekly Update 476

    Weekly Update 476 The 2 billion email address stealer log breach I talk about this week is almost ready to go at the time of writing. It’s been massively time-consuming, massively expensive (we turned the cloud up to 11) and enormously frustrating. I’ve written about why in the draft blog post, but once you get…

  • How We (Almost) Found Chromium’s Bug via Crash Reports to Report URI

    How We (Almost) Found Chromium’s Bug via Crash Reports to Report URI Tracking down bugs in software is a pain that all of us who write code must bear. When we’re talking about outright errors in a web page, you typically have something to get you started (such as output in the console), but that…

  • Weekly Update 475

    Weekly Update 475 It was the Synthient threat data that ate most of my time this week, and it continues to do so now, the weekend after recording this video. Data like this is equal parts enormously damaging to victims and frustratingly noisy to process. I have to be confident enough that it’s new enough,…

  • Inside the Synthient Threat Data

    Inside the Synthient Threat Data Where is your data on the internet? I mean, outside the places you’ve consciously provided it, where has it now flowed to and is being used and abused in ways you’ve never expected? The truth is that once the bad guys have your data, it often replicates over and over…

  • Weekly Update 474

    Weekly Update 474 You’re not going to believe this – the criminals that took the Qantas data ignored the injunction 😮 I know, I know, we’re all a bit stunned that making crime illegal hasn’t appeared to stop it, but here we are. Just before the time of writing, I was contacted by someone who…

  • Weekly Update 473

    Weekly Update 473 This week’s video was recorded on Friday morning Aussie time, and as promised, hackers dumped data the following day. Listening back to parts of the video as I write this on a Sunday morning, pretty much what was predicted happened: data was dumped, it included Qantas, and the injunction did nothing to…

  • Court Injunctions are the Thoughts and Prayers of Data Breach Response

    Court Injunctions are the Thoughts and Prayers of Data Breach Response You see it all the time after a tragedy occurs somewhere, and people flock to offer their sympathies via the “thoughts and prayers” line. Sympathy is great, and we should all express that sentiment appropriately. The criticism, however, is that the line is often…

  • Weekly Update 472

    Weekly Update 472 This probably comes through pretty strongly in this week’s video, but I love the vibe at CERN. It’s a place so focused on the common good of science that all the other cultural attributes that often put people at odds these days fade into the distance. That hit me more than it…

  • Welcoming CERN to Have I Been Pwned

    Welcoming CERN to Have I Been Pwned It’s hard to explain the significance of CERN. It’s the birthplace of the World Wide Web and the home of the largest machine ever built, the Large Hadron Collider. The bit that’s hard to explain is, well, I mean, look at it! Charlotte and I visited CERN in…

  • Weekly Update 471

    Weekly Update 471 I’m so happy to finally be getting those HIBP demos out! The first couple are simple, but as I say in this week’s vid, it’s the simple questions we’re still dealing with. As if to taunt me (or prove my point), we got this ticket just a couple of hours ago: I’m…

  • HIBP Demo: Querying the API, and the Free Test Key!

    HIBP Demo: Querying the API, and the Free Test Key! One of the most common use cases for HIBP’s API is querying by email address, and we support hundreds of millions of searches against this endpoint every month. Loads of organisations use this service to understand the exposure of their customers and provide them with…

  • Weekly Update 470

    Weekly Update 470 Imagine jumping on board a class action after your precious datas have been breached, then sticking through it all the way until a settlement is reached. Then, finally, after a long and arduous battle, cashing in and getting… $1. Well, kinda $1, the ParkMobile class action granted up to $1 for successful…

  • Have I Been Pwned Demos Are Now Live!

    Have I Been Pwned Demos Are Now Live! Well, one of them is, but what’s important is that we now have a platform on which we can start pushing out a lot more. It’s not that HIBP is a particularly complex system that needs explaining in any depth, but we still get a lot of…

  • Weekly Update 469

    Weekly Update 469 So I had this idea around training a text-to-speech engine with my voice, then using that to speak over the Sonos at home to announce AI-driven events, such as people ringing the doorbell. A few hours’ worth of video from these weekly updates fed into ElevenLabs and wammo! Here you go: Oh…

  • Weekly Update 468

    Weekly Update 468 I only just realised, as I prepared this accompanying blog post, that I didn’t talk about one of the points in the overview: food. One of my fondest memories as a child living in Singapore and now as an adult visiting there is the food. It’s one of those rare places where…

  • Weekly Update 467

    Weekly Update 467 Using AI to analyse photos and send alerts if I’ve forgotten to take the bins out isn’t going to revolutionise my life, no more so than using it to describe who’s at the mailbox when a letter arrives and at the front door when they buzz. But that’s really not the point;…

  • Home Assistant + Ubiquiti + AI = Home Automation Magic

    Home Assistant + Ubiquiti + AI = Home Automation Magic It seems like every manufacturer of anything electrical that goes in the house wants to be part of the IoT story these days. Further, they all want their own app, which means you have to go to gazillions of bespoke software products to control your…

  • Weekly Update 466

    Weekly Update 466 I’m fascinated by the unwillingness of organisations to name the “third party” to which they’ve attributed a breach. The initial reporting on the Allianz Life incident from last month makes no mention whatsoever of Salesforce, nor does any other statement I can find from them. And that’s very often the way with…

  • Weekly Update 465

    Weekly Update 465 How much tech stuff do I have sitting there in progress, literally just within arm’s reach? I kick off this week’s video going through it, and it’s kinda nuts. Doing runeos and house build doesn’t help, but it means there’s just a constant distraction of “things” commanding my attention. I couldn’t even…

  • That 16 Billion Password Story (AKA “Data Troll”)

    That 16 Billion Password Story (AKA “Data Troll”) Spoiler: I have data from the story in the title of this post, it’s mostly what I expected it to be, I’ve just added it to HIBP where I’ve called it “Data Troll”, and I’m going to give everyone a lot more context below. Here goes: Headlines…

  • Get Pwned, Get Local Advice From a Trusted Gov Source

    Get Pwned, Get Local Advice From a Trusted Gov Source We were recently travelling to faraway lands, doing meet and greets with gov partners, when one of them posed an interesting idea: What if people from our part of the world could see a link through to our local resource on data breaches provided by…

  • Weekly Update 464

    Weekly Update 464 I think the most amusing comment I had during this live stream was one to the effect of expecting me to have all my tech things neat and ordered. As I look around me now, there are Shellys with cables hanging off them all over my desk, the keyboard I’m typing on…

  • Welcoming Guardio to Have I Been Pwned’s Partner Program

    Welcoming Guardio to Have I Been Pwned’s Partner Program I’m often asked if cyber criminals are getting better at impersonating legitimate organisations in order to sneak their phishing attacks through. Yes, they absolutely are, but I also argue that the inverse is true too: legitimate organisations frequently communicate in ways that are indistinguishable from a…

  • Weekly Update 463

    Weekly Update 463 I’ve listened to a few industry podcasts discussing the Tea app breach since recording, and the thing that really struck me was the lack of discussion around the privacy implications of the service before the breach. Here was a tool where people were non-consensually uploading photos of others and leaving fairly intimate…

  • Weekly Update 462

    Weekly Update 462 This will be the title of the blog post: “Court Injunctions are the Thoughts and Prayers of Data Breach Response”. It’s got a nice ring to it, and it resonates so much with the response to other disasters where the term is offered as a platitude that has absolutely no practical benefit…

  • 11 Years of Microsoft Regional Director and 15 Years of MVP

    11 Years of Microsoft Regional Director and 15 Years of MVP I often wonder how much people in other professions genuinely love the industry they’re in to the point that they’d do it regardless of the money. I’m sure there are examples, but I wonder how many lawyers look forward to doing something in the…

  • Good Riddance Teespring, Hello Fourthwall

    Good Riddance Teespring, Hello Fourthwall If I’m honest, I was never that keen on a merch store for Have I Been Pwned. It doesn’t make the code run faster, nor does it load any more data breaches or add any useful features to the service whatsoever. But… people were keen. They wanted swag they could…

  • Weekly Update 461

    Weekly Update 461 The Stripe situation is frustrating: by mandating an email address on all invoices, we’re providing a channel that sends customer queries directly through to us rather than via our support portal, which already has the answers many people are raising tickets for. It’s frustrating because it slows our customers down (they need…

  • Welcoming Aura to Have I Been Pwned’s Partner Program

    Welcoming Aura to Have I Been Pwned’s Partner Program One of the greatest fears we all have in the wake of a data breach is having our identity stolen. Nefarious parties gather our personal information exposed in the breach, approach financial institutions and then impersonate us to do stuff like this: So I recently somewhat…

  • Weekly Update 460

    Weekly Update 460 This week’s update is the last remote one for a while as we wind up more than a month of travel. I’m pushing this out just before we jump on the Qantas plane home… right after they’ve advised just how much of my data was impacted by their breach. That got me…

  • Welcoming Push Security to Have I Been Pwned’s Partner Program

    Welcoming Push Security to Have I Been Pwned’s Partner Program As we gradually roll out HIBP’s Partner Program, we’re aiming to deliver targeted solutions that bridge the gap between being at risk and being protected. HIBP is the perfect place to bring these solutions to the forefront, as it’s often the point at which individuals…

  • Weekly Update 459

    Weekly Update 459 New week, different end of the world! After a fleeting stop at home, we’re in Japan for a proper holiday (yet somehow I’m still here writing this…) with the first stop in Tokyo. It’s like nowhere else here, and this is now probably my 10th trip to Japan over a period of…

  • Welcoming Truyu to Have I Been Pwned’s Partner Program

    Welcoming Truyu to Have I Been Pwned’s Partner Program I always used to joke that when people used Have I Been Pwned (HIBP), we effectively said “Oh no – you’ve been pwned! Uh, good luck!” and left it at that. That was fine when it was a pet project used by people who live in…

  • Weekly Update 458

    Weekly Update 458 I’m in Austria! Well, I was in Austria, I’m now somewhere over the Aussie desert as I try and end this trip on top of my “to-do” list. The Have I Been Pwned Alpine Grand Tour was a great success with loads of time spent with govs, public meetups and users of…

  • Weekly Update 457

    Weekly Update 457 Firstly, apologies for the annoying clipping in the audio. I use a Rode VideoMic that’s a shotgun style that plugs straight into the iPhone and it’s usually pretty solid. It was also solid when I tested it again now, just recording a video into the phone, so I don’t know if this…

  • Weekly Update 456

    Weekly Update 456 It’s time to fly! It’s two months to the day since we came back from the last European trip, again spending the time with some of the agencies and partners we’ve fostered at HIBP over the years. This time, it’s the driving tour I talked about earlier last month, and we have…

  • Weekly Update 455

    Weekly Update 455 The bot-fighting is a non-stop battle. In this week’s video, I discuss how we’re tweaking Cloudflare Turnstile and combining more attributes around how bot-like requests are, and… it almost worked. Just as I was preparing to write this intro, I found a small spike of anomalous traffic that, upon further investigation, should…

  • Weekly Update 454

    Weekly Update 454 We’re two weeks in from the launch of the new HIBP, and I’m still recovering. Like literally still recovering from the cold I had last week and the consequent backlog. A major launch like this isn’t just something you fire and forget; instead, it takes weeks of tweaks and refinements to iron…

  • Weekly Update 453

    Weekly Update 453 Well, the last few weeks of insane hours finally caught up with me 🤒 Not badly, but I evidently burned enough midnight oil to leave the immune system somewhat degraded and just after recording this video, I really didn’t feel like doing much at all. Some congestion and sniffles aside, it’s really…

  • Have I Been Pwned 2.0 is Now Live!

    Have I Been Pwned 2.0 is Now Live! This has been a very long time coming, but finally, after a marathon effort, the brand new Have I Been Pwned website is now live! Feb last year is when I made the first commit to the public repo for the rebranded service, and we soft-launched the…

  • Weekly Update 452

    Weekly Update 452 Funny how excited people can get about something as simple as a sticker. They’re always in hot demand and occupy an increasingly large portion of my luggage as we travel around. Charlotte reckoned it would be the same for other merch too, so, while I’ve been beavering away playing code monkey on…

  • Welcoming the Malaysian Government to Have I Been Pwned

    Welcoming the Malaysian Government to Have I Been Pwned Today, we welcome the 40th government onboarded to Have I Been Pwned’s free gov service, Malaysia. The NC4 NACSA (National Cyber Coordination and Command Centre of the National Cyber Security Agency) in Malaysia now has full access to query all their government domains via API, and…

  • Weekly Update 451

    Weekly Update 451 The Have I Been Pwned Alpine Grand Tour is upon us! I’ve often joked that work is always either sitting at my desk at home in isolation or on the other side of the world, and so it is with this trip. As we’ve done with recent travel to the US and…

  • After the Breach: Finding new Partners with Solutions for Have I Been Pwned Users

    After the Breach: Finding new Partners with Solutions for Have I Been Pwned Users For many years, people would come to Have I Been Pwned (HIBP), run a search on their email address, get the big red “Oh no – pwned!” response and then… I’m not sure. We really didn’t have much guidance until we…

  • Welcoming the Isle of Man Government to Have I Been Pwned

    Welcoming the Isle of Man Government to Have I Been Pwned Today we welcome the 39th government and first self-governing British Crown Dependency to Have I Been Pwned, The Isle of Man. Their Office of Cyber-Security & Information Assurance (OCSIA) now has free and open access to query the government domains of their jurisdiction. We’re…

  • Passkeys for Normal People

    Passkeys for Normal People Let me start by very simply explaining the problem we’re trying to solve with passkeys. Imagine you’re logging on to a website like this: And, because you want to protect your account from being logged into by someone else who may obtain your username and password, you’ve turned on two-factor authentication…

  • Weekly Update 450

    Weekly Update 450 Looking back at this week’s video, it’s the AI discussion that I think about most. More specifically, the view amongst some that any usage of it is bad and every output is “slop”. I’m hearing that much more broadly lately, that AI is both “robbing” creators and producing sub-par results. The latter…

  • The Have I Been Pwned Alpine Grand Tour

    The Have I Been Pwned Alpine Grand Tour I love a good road trip. Always have, but particularly during COVID when international options were somewhat limited, one road trip ended up, well, “extensive”. I also love the recent trips Charlotte and I have taken to spend time with many of the great agencies we’ve worked…

  • Welcoming The Gambia National CSIRT to Have I Been Pwned

    Welcoming The Gambia National CSIRT to Have I Been Pwned Today, we’re happy to welcome the Gambia National CSIRT to Have I Been Pwned as the 38th government to be onboarded with full and free access to their government domains. We’ve been offering this service for seven years now, and it enables national CSIRTs to…

  • Weekly Update 449

    Weekly Update 449 Today, I arrived at my PC first thing in the morning to find the UPS dead (battery was cactus) and the PC obviously without power. So, I tracked down a powerboard and some IEC C14 to mains cable adaptors and powered back up. On boot, neither the Bluetooth mouse nor keyboard worked.…

  • Weekly Update 448

    Weekly Update 448 I’m a few days late this week, finally back from a month of (almost) non-stop travel with the last bit being completely devoid of an internet connection 😲 And now, the real hard work kicks in as we count down the next 25 days before launching the full HIBP rebrand. I’m adamant…

  • Weekly Update 447

    Weekly Update 447 I’m home! Well, for a day, then it’s off to the other side of the country (which I just flew over last night on the way back from Dublin 🤦‍♂️) for an event at the Microsoft Accelerator in Perth on Monday. Such is the path we’ve taken, but it does provide some…

  • Weekly Update 446

    Weekly Update 446 After an unusually long day of travelling from Iceland, we’ve finally made it to the land of Guinness, Leprechauns, and a tax haven for tech companies. This week, there are a few more lessons from the successful phish against me the previous week, and in happier news, there is some really solid…

  • Weekly Update 445

    Weekly Update 445 Well, this certainly isn’t what I expected to be talking about this week! But I think the fact it was someone most people didn’t expect to be on the receiving end of an attack like this makes it all the more consumable. I saw a lot of “if it can happen to…

  • A Sneaky Phish Just Grabbed my Mailchimp Mailing List

    A Sneaky Phish Just Grabbed my Mailchimp Mailing List You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That’s me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account…

  • Weekly Update 444

    Weekly Update 444 It’s time to fly! 🇬🇧 🇮🇸 🇮🇪 That’s two new flags (or if you’re on Windows and can’t see flag emojis, that’s two new ISO codes) I’ll be adding to my “places I’ve been list” as we start the journey by jetting out to London right after I publish this blog. If…

  • Weekly Update 443

    Weekly Update 443 What an awesome response to the new brand! I’m so, so happy with all the feedback, and I’ve gotta be honest, I was nervous about how it would be received. The only negative theme that came through at all was our use of Sticker Mule, which apparently is akin to being a…