
If you visit Troy Hunt’s website – Have I Been Pwned.com – and read the often-voluminous posts on his blog, you might think he has time for little else. But the sites are just a sideline for Hunt, an Australia-based Microsoft Regional Director and MVP whose primary business is training security professionals.

Have I Been Pwned is a free resource that people can use to find out if they have been put at risk due to a data breach. As of this writing, it includes authentication data from 166 compromised websites and nearly two million accounts. Type in your email address or username and find out if you’ve been a victim (the site stores no passwords).

Hunt launched the site after 153 million Adobe accounts were breached in late 2013. He noticed that the same accounts – and passwords – were showing up across multiple incidents. He began acquiring usernames of accounts that had been compromised so people could easily learn if they’d been victimized.

Have I Been Pwned gets tens of thousands of visitors each week, and Hunt’s mailing list is approaching one million names. He uses the insight he gains from the constant back-and-forth with visitors and contributors to improve his coursework and build his profile as a security expert. It’s working; Hunt has been quoted dozens of times in global media outlets, and his blog is a must-read for people who care about cyber attacks.

We caught up with him via Skype.

This site would appear to require a huge time commitment on your part. How do you fit it in with your day job?

It’s complementary to my main business of security training. Companies tell me their goal is not to end up on the website! The time commitment can be as much as a day each week, but I also get a lot of useful information. Recently, I got 75 notifications of new breaches in one day.

For example, I learned about a big data leak at the Red Cross Blood Service in Australia that was caused when someone inadvertently published information from a database on a public web server. The same week there was another incident with a major international brand having data exposed on a website because of a partner screw-up. This is the type of thing that comes in multiple times a day.

Why do people share this information with you?

They have all kinds of motivations. I get answers varying from exploiting the company to getting a leg up on a competitor to wanting to sell the data. Very often, no one thinks there’s anything wrong with what they’re doing. I want to tell them that they should go to their room and think about it a bit. They’ve got their hands on deeply personal information and they have no idea what that means.

Where do you get your source material?

It’s almost always someone sending me data. Some people send me dozens of files or a link to a folder with huge amounts of compromised data. Often that data is fake, so I troll through and try to verify it. Other times I get data that’s broadly redistributed – like the Ashley Madison database.

Are you surprised by the reactions from companies that have been breached?

The most positive reaction I’ve seen was from the Australian Red Cross. I got an appreciative call from the CEO. That’s what I like to see: ethical disclosure.

Then there are folks like Nissan, which had a vulnerability in their API that let attackers take control of their vehicles. At first, Nissan didn’t want to hear about it. They only came around reluctantly.

What response do you get from people who use the site to see if they’ve been pwned?

It’s 99.99% positive. I’m careful about what data I expose. You can’t search the Ashley Madison list, for example. I’m also careful not to reveal email addresses or passwords.

What has running the site taught you about the state of password security?

That some woeful practices are the norm rather than the exception. People defer to the lowest common denominator of password strength. There’s a prevalence of the “123” passwords.

Also, surprisingly few companies use multi-step verification, even though it’s a great protection against credential theft.
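The two points above, a denylist for the "123"-style passwords Hunt sees everywhere and a second factor that makes a stolen password insufficient on its own, can be shown in a few lines. The following is an added example written for this page, not code from Troy Hunt or Have I Been Pwned; the denylist, the user record and the secret are constructed (the secret is the RFC 6238 test-vector key), and the TOTP routine follows RFC 4226/6238 with SHA-1 and a 30-second step.

```python
import hashlib
import hmac
import struct

# Constructed, deliberately tiny denylist standing in for a breach-derived password corpus.
COMMON_PASSWORDS = {"123456", "123123", "password", "qwerty", "111111"}


def password_is_acceptable(password: str, denylist=COMMON_PASSWORDS, min_len: int = 12) -> bool:
    """Reject passwords that are too short or appear in the denylist (case-insensitive)."""
    return len(password) >= min_len and password.lower() not in denylist


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password: HMAC-SHA1 over the big-endian counter,
    dynamic truncation to 31 bits, then reduced modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based variant: the counter is the number of steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock skew),
    comparing in constant time so timing does not leak how many digits matched."""
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


# Constructed user record. A real store would hold a salted password hash, not the
# password itself; the plain comparison keeps this example focused on the second factor.
USERS = {
    "alice": {"password": "correct-horse-battery", "totp_secret": b"12345678901234567890"},
}


def two_step_login(username: str, password: str, code: str, at_time: int) -> bool:
    """Both factors must pass: a password taken from a breach dump is useless without
    the current code from the user's authenticator."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(user["password"], password):
        return False
    return verify_totp(user["totp_secret"], code, at_time)


if __name__ == "__main__":
    print("123456 acceptable:", password_is_acceptable("123456"))
    print("code at t=59:", totp(b"12345678901234567890", 59))
    print("login with right code:", two_step_login("alice", "correct-horse-battery", "287082", 59))
    print("login with wrong code:", two_step_login("alice", "correct-horse-battery", "000000", 59))
```

In production the password would be checked against a salted, slow hash, and the denylist would be a large breach-derived list rather than five entries; the structure of the check is the same.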

What is your opinion of the various alternatives to password security?

Nothing is without trade-offs. There’s password-less login via email, but emails can be delayed. QR codes can be used for authentication, but that’s asking people to do something they’re unfamiliar with. Whenever we ask people to learn an entirely new method, it’s a problem.

I love biometrics, picture logins and PINs on Windows 10. All are great, but none of them remove the underlying weakness of the password.

What do you think are the most effective steps organizations can take right now to improve security?

Better training, particularly for software developers. While I obviously have a vested interest in saying that, systems are nearly always compromised by a flaw in a process. If you give developers the knowledge to write secure programs, they’ll use it for the rest of their careers. So why pay a penetration testing company $20,000 if developers are just going to make the same mistakes again?

If you address problems when the software is being written, you get a massive benefit across the lifecycle. We understand how SQL injection and cross-site scripting work, but we still create so much stuff that’s vulnerable. The problem is education.
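The two flaws Hunt names are worth seeing side by side in the form a developer meets them: the same user input handled by a query that splices it into SQL text versus one that binds it as a parameter, and by a template that emits it raw versus one that escapes it. This is an added example for this page, not code from Hunt or his training material; the in-memory SQLite table, the user row and the inputs are constructed.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one user; the hash value is a placeholder."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "placeholder-not-a-real-hash"))
    conn.commit()
    return conn


def count_matches_vulnerable(conn: sqlite3.Connection, username: str) -> int:
    """Vulnerable: the input becomes part of the SQL text, so a quote character in it
    changes the structure of the query instead of being treated as data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchone()[0]


def count_matches_safe(conn: sqlite3.Connection, username: str) -> int:
    """Hardened: the value is bound as a parameter; the driver never parses it as SQL,
    so the same input simply matches no row."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0]


def render_greeting_vulnerable(name: str) -> str:
    """Vulnerable: any markup in the name is interpreted by the browser."""
    return "<p>Hello, %s</p>" % name


def render_greeting_safe(name: str) -> str:
    """Hardened: special characters are escaped, so the name is displayed, not interpreted."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    conn = make_db()
    probe = "nobody' OR '1'='1"
    print("vulnerable query matched rows:", count_matches_vulnerable(conn, probe))
    print("parameterised query matched rows:", count_matches_safe(conn, probe))
    print(render_greeting_vulnerable("<i>Bob</i>"))
    print(render_greeting_safe("<i>Bob</i>"))
```

The probe string is the textbook demonstration: the spliced query matches the existing row even though no user is named "nobody", while the bound parameter matches nothing. The greeting uses harmless italics markup to show that the raw template interprets markup at all; a script tag would be handled identically, and `html.escape` neutralises both the same way.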

What has been the most rewarding aspect of running this site?

A big one has been the messages I get from people who say they wouldn’t have known about their exposure without it. I’ve also learned an awful lot about how breaches happen and about scaling a service to tens of thousands of users. One of my objectives has been to run the whole thing for less than what I spend on coffee. Using Microsoft Azure, I’ve been able to build something at scale and do it cost-effectively.

What have been the biggest surprises?

That I’ve never had any legal threats [laughs]. I suppose that’s because I’m transparent. I jump on the phone with anyone who’s concerned. The volume of interest has been a surprise. I now have about 830,000 verified subscribers, and I expect that to be one million by Christmas.

The amount of interest from enterprises and commercial vendors has been surprising, such as security companies wanting to make the API part of a commercial service. I’ve done some of these deals to build leverage.

What has HaveIBeenPwned.com done to your visibility in the security community?

After a large incident, I often get up to a dozen press calls. I get a lot of offers to speak, many of which I have to decline. That said, I’ve had five international trips this year that involved speaking.

How do you manage to blog so prolifically?

I get up very early. I often blog when I have an itch to scratch, such as when I took my iPhone in for service and they wanted me to unlock it so they could work on it. Or it’s something that I just find fascinating. I’ve found that when I write about something, I understand it better. It’s part of my learning experience as well.