From troyhunt.com
Well, this certainly isn't what I expected to be talking about this week! But I think the fact it was someone most people didn't expect to be on the receiving end of an attack like this makes it all the more consumable. I saw a lot of "if it can
14h ago
From troyhunt.com
A Sneaky Phish Just Grabbed my Mailchimp Mailing List
You know when you're really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That's me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing
on Tue, 7AM
From troyhunt.com
It's time to fly! 🇬🇧 🇮🇸 🇮🇪 That's two new flags (or if you're on Windows and can't see flag emojis, that's two new ISO codes) I'll be adding to my "places I've been list" as we start the journey by jetting out to London right after I publish this blog. If you're
on Mar 21
From troyhunt.com
What an awesome response to the new brand! I'm so, so happy with all the feedback, and I've gotta be honest, I was nervous about how it would be received. The only negative theme that came through at all was our use of Sticker Mule, which apparently is akin to
on Mar 16
From troyhunt.com
Soft-Launching and Open Sourcing the Have I Been Pwned Rebrand
Designing the first logo for Have I Been Pwned was easy: I took a SQL injection pattern, wrote "have i been pwned?" after it and then, just to give it a touch of class, put a rectangle with rounded corners around it: Job done! I mean really, what more did
on Mar 11
From troyhunt.com
We survived the cyclone! That was a seriously weird week with lots of build-up to an event that last occurred before I was born. It'd been 50 years since a cyclone came this far south, and the media was full of alarming predictions of destruction. In the end, we maxed
on Mar 8
From troyhunt.com
We're Backfilling and Cleaning Stealer Logs in Have I Been Pwned
I think I've finally caught my breath after dealing with those 23 billion rows of stealer logs last week. That was a bit intense, as is usually the way after any large incident goes into HIBP. But the confusing nature of stealer logs coupled with an overtly long blog post
on Mar 4
From troyhunt.com
Processing data breaches (especially big ones) can be extremely laborious. And, of course, everyone commenting on them is an expert, so there's a heap of opinions out there. And so it was with the latest stealer logs, a corpus of data that took the better part of a month to
on Feb 28
From troyhunt.com
Processing 23 Billion Rows of ALIEN TXTBASE Stealer Logs
I like to start long blog posts with a tl;dr, so here it is: We've ingested a corpus of 1.5TB worth of stealer logs known as "ALIEN TXTBASE" into Have I Been Pwned. They contain 23 billion rows with 493 million unique website and email address pairs, affecting
on Feb 25
From troyhunt.com
Wait - it's Tuesday already?! When you listen to this week's (ok, last week's) video, you'll probably get the sense I was a bit overloaded. Yeah, so that didn't stop, and the stealer log processing and new feature building just absolutely swamped me. Plus, I spent from then until now
on Feb 25
From troyhunt.com
We're now eyeball-deep into the HIBP rebrand and UX work, totally overhauling the image of the service as we know it. That said, a guiding principle has been to ensure the new look is immediately recognisable and over months of work, I think we've achieved that. I'm holding off sharing
on Feb 16
From troyhunt.com
It's IoT time! We're embarking on a very major home project (more detail of which is in the video), and some pretty big decisions need to be made about a very simple device: the light switch. I love having just about every light in our connected... when it works. The
on Feb 2
From troyhunt.com
“Have I been pwned?” – now with RSS!
As feature releases go, this is not exactly a killer, but to my surprise it was one that was requested quite frequently. It turns out that people really wanted to be able to keep abreast of new breaches and pastes in Have I been pwned? [https://haveibeenpwned.com/] (HIBP) via
on Jan 28
From troyhunt.com
We're heading back to London! And making a trip to Reykjavik. And Dublin. I talked about us considering this in the video yesterday, and just before publishing this post, we pulled the trigger and booked the tickets. The plan is to pretty much repeat the US and Canada trip we
on Jan 25
From troyhunt.com
You Can't Trust Hackers, and Other Data Breach Verification Tales
It's hard to find a good criminal these days. I mean a really trustworthy one you can be confident won't lead you up the garden path with false promises of data breaches. Like this guy yesterday: For my international friends, JB Hi-Fi is a massive electronics retailer down under and
on Jan 23
From troyhunt.com
If I'm honest, I was in two minds about adding additional stealer logs to HIBP. Even with the new feature to include the domains an email address appears against in the logs, my concern was that I'd get a barrage of "that's useless information" messages like I normally do when
on Jan 21
From troyhunt.com
CloudFlare, SSL and unhealthy security absolutism
Let's start with a quick quiz: Take a look at haveibeenpwned.com [https://haveibeenpwned.com/] (HIBP) and tell me where the traffic is encrypted between: You see HTTPS which is good so you know it's doing crypto things in your browser, but where's the other end of the encryption? I
on Jan 16
From troyhunt.com
Experimenting with Stealer Logs in Have I Been Pwned
TL;DR — Email addresses in stealer logs can now be queried in HIBP to discover which websites they've had credentials exposed against. Individuals can see this by verifying their address using the notification service and organisations monitoring domains can pull a list back via a new...
on Jan 13
From troyhunt.com
This week I'm giving a little teaser as to what's coming with stealer logs in HIBP and in about 24 hours from the time of writing, you'll be able to see the whole thing in action. This has been a huge amount of work trawling through vast volumes of data
on Jan 13
From troyhunt.com
It sounds easy - "just verify people's age before they access the service" - but whether we're talking about porn in the US or Australia's incoming social media laws, the reality is way more complex than that. There's no unified approach across jurisdictions and even within a single country like
on Jan 6
From troyhunt.com
There's a certain irony to the Bluesky situation where people are pushing back when I include links to X. Now, where have we seen this sort of behaviour before? 🤔 When I'm relying on content that only appears on that platform to add context to a data breach in HIBP and
on Dec 30
From troyhunt.com
I fell waaay behind the normal video cadence this week, and I couldn't care less 😊 I mean c'mon, would you rather be working or sitting here looking at this view after snowboarding through Christmas?! Christmas Day awesomeness in Norway 🇳🇴 Have a great one friends, wherever you are 🧑🎄...
on Dec 25
From troyhunt.com
I'm back in Oslo! Writing this the day after recording, it feels like I couldn't be further from Dubai; the temperature starts with a minus, it's snowing and there's not a supercar in sight. Back on business, this week I'm talking about the challenge of loading breaches and managing costs.
on Dec 15
From troyhunt.com
A super quick intro today as I rush off to do the next very Dubai thing: drive a Lambo through the desert to go dirt bike riding before jumping in a Can-Am off-roader and then heading to the kart track for a couple of afternoon sessions. I post lots of
on Dec 8
From troyhunt.com
"Pwned", The Book, Is Now Available for Free
Nearly four years ago now, I set out to write a book with Charlotte and Rob. It was the stories behind the stories, the things that drove me to write my most important blog posts, and then the things that happened afterwards. It's almost like a collection of meta posts, each
on Dec 6
From troyhunt.com
Website enumeration insanity: how our personal data is leaked
I've just wrapped up a couple of Hack Yourself First workshops [https://www.troyhunt.com/workshops/] down closer to home in Australia and true to usual form, attendees found some absolute zinger security implementations. Previous workshops have found various vulnerabilities ranging from...
on Dec 4
From troyhunt.com
Welcoming the Armenian Government to Have I Been Pwned
Today, we're happy to welcome the 37th government to have full and free access to domain searches of their gov domains in Have I Been Pwned, Armenia. Armenia's National Computer Incident Response Team AM-CERT now joins three dozen other national counterparts in gaining visibility into how data...
on Dec 4
From troyhunt.com
I wouldn't say this is a list of my favourite breaches from this year as that's a bit of a disingenuous term, but oh boy were there some memorable ones. So many of the incidents I deal with are relatively benign in terms of either the data they expose or
on Dec 1
From troyhunt.com
I was going to write about how much I've enjoyed "tinkering" with the HIBP API, but somehow, that term doesn't really seem appropriate any more for a service of this scale. On the contrary, we're putting in huge amounts of effort to get this thing fast, stable, and sustainable. We
on Nov 25
From troyhunt.com
Closer to the Edge: Hyperscaling Have I Been Pwned with Cloudflare Workers and Caching
I've spent more than a decade now writing about how to make Have I Been Pwned (HIBP) fast. Really fast. Fast to the extent that sometimes, it was even too fast: The response from each search was coming back so quickly that the user wasn’t sure if it was
on Nov 24
From troyhunt.com
I have absolutely no problem at all talking about the code I've screwed up. Perhaps that's partly because after 3 decades of writing software (and doing some meaningful stuff along the way), I'm not particularly concerned about showing my weaknesses. And this week, I screwed up a bunch of stuff;
on Nov 17
From troyhunt.com
Inside the DemandScience by Pure Incubation Data Breach
Apparently, before a child reaches the age of 13, advertisers will have gathered more than 72 million data points on them. I knew I'd seen a metric about this sometime recently, so I went looking for "7,000", which perfectly illustrates how unaware we are of the extent of data collection
on Nov 13
From troyhunt.com
This was a much longer than usual update, largely due to the amount of time spent discussing the Earth 2 incident. As I said in the video (many times!), the amount of attention this has garnered from both Earth 2 users and the company itself is incommensurate with the impact
on Nov 9
From troyhunt.com
I have really clear memories of listening to the Stack Overflow podcast in the late 2000's and hearing Jeff and Joel talk about the various challenges they were facing and the things they did to overcome them. I just suddenly thought of that when realising how long this week's video
on Nov 3
From troyhunt.com
Firstly, my apologies for the minute and a bit of echo at the start of this video, OBS had somehow magically decided to start recording both the primary mic and the one built into my camera. Easy fix, moving on... During the livestream, I was perplexed as to why the
on Oct 26
From troyhunt.com
Apparently, Stefan and I trying to work stuff out in real time about how to build more efficient features in HIBP is entertaining watching! If I was to guess, I think it's just seeing people work through the logic of how things work and how we might be able to
on Oct 21
From troyhunt.com
Have I Been Pwned is Now Partnering With 1Password
The penny first dropped for me just over 7 years ago to the day: The only secure password is the one you can't remember [https://www.troyhunt.com/only-secure-password-is-one-you-cant/]. In an era well before the birth of Have I Been Pwned [https://haveibeenpwned.com/] (HIBP), I was doing a bunch
on Oct 10
From troyhunt.com
Ok, the scenery here is amazing, but the real story is data breach victim notification. Charlotte and I wanted to do this one together today and chat about some of the things we'd been hearing from government and law enforcement on our travels, and the victim notification angle featured heavily.
on Oct 6
From troyhunt.com
It's not a green screen! It's just a weird hotel room in Pittsburgh, but it did make for a cool backdrop for this week's video. We were there visiting our FBI friends after coming from Washington DC and a visit to CISA, the "America's Cyber Defence Agency". This
on Sep 28
From troyhunt.com
The Data Breach Disclosure Conundrum
The conundrum I refer to in the title of this post is the one faced by a breached organisation: disclose or suppress? And let me be even more specific: should they disclose to impacted individuals, or simply never let them know? I'm writing this after many recent such discussions with
on Sep 27
From troyhunt.com
Password managers don't have to be perfect, they just have to be better than not having one
LastPass had an issue the other day [https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/] , a rather nasty one by all accounts that under certain (undisclosed) circumstances, it looks like it could lead to someone's password (or possibly passwords) being disclosed...
on Sep 27
From troyhunt.com
Just watching back through bits of this week's video, the thing that's really getting at me is the same thing I've come back to in so many past videos: lack of organisational disclosure after a breach. Lack of disclosure to impacted customers, lack of disclosure to the public, and a
on Sep 22
From troyhunt.com
From Dreams to Reality: The Magic of 3D Printing, with Elle Hunt
I was in my mid-30s before I felt comfortable standing up in front of an audience and talking about technology. Come to think of it, "comfortable" isn't really the right word, as, frankly, it was nerve-racking. This, with my obvious bias as her father, makes it all the more remarkable
on Sep 18
From troyhunt.com
Today was all about this whole idea of how we index and track data breaches. Not as HIBP, but rather as an industry; we simply don't have a canonical reference of breaches and their associated attributes. When they happened, how many people were impacted, any press on the incident, the
on Sep 15
From troyhunt.com
It's been a while since I've just gone all "AMA" on a weekly update, but this was just one of those weeks that flew by with my head mostly in the code and not doing much else. There's a bit of discussion about that this week, but it's mostly around
on Sep 7
From troyhunt.com
I still find the reactions to the Telegram situation with Durov's arrest odd. There are no doubt all sorts of politics surrounding it, but even putting all that aside for a moment, the assertion that a platform provider should not be held accountable for moderating content on the platform is
on Sep 1
From troyhunt.com
The North American Have I Been Pwned Tour
It was 2019 that I was last in North America, spending time in San Francisco, Los Angeles, Vegas, Denver, Minnesota, New York and Seattle. The year before, it was Montreal and Vancouver and since then, well, things got a bit weird for a while. It's a shame it's been this
on Aug 29
From troyhunt.com
This is such a significant week for us, to finally have Stefan join us as a proper employee at HIBP. When you start out as a pet project, you never really consider yourself a "proper" employee because, well, it's just you mucking around. And then when Charlotte started "officially" working
on Aug 25
From troyhunt.com
The Trouble with Procurement Departments, Resellers and Stripe
It should be so simple: you're a customer who wants to purchase something so you whip out the credit card and buy it. I must have done this thousands of times, and it's easy! I've bought stuff with plastic credit cards, stuff with Apple Pay on my phone and watch
on Aug 23
From troyhunt.com
Inside the "3 Billion People" National Public Data Breach
I decided to write this post because there's no concise way to explain the nuances of what's being described as one of the largest data breaches ever. Usually, it's easy to articulate a data breach; a service people provide their information to had someone snag it through an act of
on Aug 15