back to article Have I Been S0ld? Troy Hunt's security website is up for acquisition

Troy Hunt, inventor and operator of the popular security website Have I Been Pwned (HIBP), is putting the service up for sale. Hunt, a Microsoft Regional Director and MVP for security, created the site in 2013 after Adobe leaked 153 million usernames and weakly encrypted passwords. Users can enter an email address and discover …

  1. Pascal Monett Silver badge
    Thumb Up

    I tip my hat

    Mr Hunt has done the world a great service in a responsible way. I wish him the best and hope that his efforts will be bolstered by a company or partners that will bring the same respect to his creation that he brought to the public.

    1. Korev Silver badge
      Pint

      Re: I tip my hat

      100% agree, apart from you forgetting his pint :)

    2. sal II

      Re: I tip my hat

      Seems like he is done with the altruism and is looking to cash in. Instead of expanding it as a opean source project, he will sell the 8Bn records to the highest bidder. Care to guess whether it will be someone looking to keep the functionality and impartiality intact, or just gobble and exploit the juicy dataset?

      1. Anonymous Coward
        Anonymous Coward

        Re: I tip my hat

        or maybe he's just a man, that has worked hard and wants hand off to a responsible party what he has built, so he can go enjoy what time he has left in life.

      2. Brian Miller

        Re: I tip my hat

        That data set is public. Breached, doxed, spammed, etc. I'm sure that he pays fees for hosting out of his wallet. Since it's been his pet project, I can see he'd like to do something else with his free time.

        1. Michael Wojcik Silver badge

          Re: I tip my hat

          I'm sure that he pays fees for hosting out of his wallet

          Yup. People can contribute (via PayPay or Bitcoin); there's a Donate page on the site that explains things. I set up a small monthly donation myself. But even if donations are covering the hosting costs, which I doubt, there's a lot of work involved in running HIBP.

      3. Anonymous Coward
        Anonymous Coward

        Re: I tip my hat

        Uh, did you read the article? I mean, past the first paragraph?

      4. Anonymous Coward
        Anonymous Coward

        Re: I tip my hat

        Ahhhh the entitled brigade are here I see. It's attitudes like this that actually stop people running projects and closing them up completely. He's spent his own money and his own time building and maintaining this. Sure he could make it open-source, but then it pretty much already is, most of the code behind it is in his blog if you want to look at it and the datasets are out there for anyone who wants to find them. Then he'd have more people to coordinate and lose all control from the off.

        If it went open source then a limited number people would still need to be responsible for loading the data in, you don't want that data loaded up in to github before it's processed and passwords removed.

        1. Captain Scarlet Silver badge
          Coat

          Re: I tip my hat

          It's attitudes like this that cause people running such projects to lose their temper and start biting everyones head off.

      5. MOH

        Re: I tip my hat

        You could always try convincing him you're willing to put the same amount of time, effort and expertise into running the operation and see if he'll let you take it over for free?

      6. Anonymous Coward Silver badge
        FAIL

        Re: I tip my hat

        It doesn't sound like he's after a "highest bidder" sale anyway. It all sounds like he's responsibly trying to secure a viable future for the project. As it stands, if he were to be hit by a bus then the whole project would be abandoned - he's simply trying to find an organisation that can take care of it. Getting that organisation to put their hand in their pocket is a good way of filtering down to those who are serious.

        1. schifreen

          Re: I tip my hat

          Actually, if he's gone to KPMG then he definitely is after the highest bidder. If he just wanted rid of it, he'd put a little note on the site and see who approached.

          But good luck to him, regardless.

          1. Roland6 Silver badge

            Re: I tip my hat

            >Actually, if he's gone to KPMG then he definitely is after the highest bidder.

            Not necessarily, perhaps he just wants the job done without requiring more of his free time and if a well funded buyer does appear, he doesn't get ripped off.

          2. Topperfalkon

            Re: I tip my hat

            If he's already close to burnout he's not going to have capacity to evaluate potential suitors

          3. JohnFen

            Re: I tip my hat

            He hasn't gone to KPMG -- he was already a KPMG customer.

            I will admit, though, that the involvement of KPMG increases my nervousness about this.

          4. jasonbrown1965

            Re: I tip my hat

            Agreed, definitely the highest bidder.

            I mean he claimed to be an honest trader, but this is K.P.M.G. we are talking about, renown for fawning headlines like these ones :

            2015 Corruption in FIFA? Its Auditors Saw None

            https://www.nytimes.com/2015/06/06/sports/soccer/as-fifa-scandal-grows-focus-turns-to-its-auditors.html

            2016 KPMG Switzerland resigns as Fifa auditor

            https://www.ft.com/content/a872af30-316e-11e6-bda0-04585c31b153

            2017 US KPMG Fires 6 Over Ethics Breach on Audit Warnings

            https://www.nytimes.com/2017/04/12/business/dealbook/kpmg-public-company-accounting-oversight-board.html

            2018 Seven UK KPMG partners leave after inappropriate behaviour

            https://www.ft.com/content/50a716c2-fcac-11e8-ac00-57a2a826423e

            2019 Aiding 'organized crime': India alleges 22 audit violations by Deloitte, KPMG arm in fraud case

            https://www.reuters.com/article/us-india-il-fs-deloitte-kpmg/aiding-organized-crime-india-alleges-22-audit-violations-by-deloitte-kpmg-arm-in-fraud-case-idUSKCN1TE1X4

            2019 KPMG 'severely reprimanded' for audit failings at Co-op Bank

            https://www.theguardian.com/business/2019/may/08/kpmg-severely-reprimanded-for-audit-failings-at-co-op-bank

            Yeah, what could possibly go wrong with selling user data to such a globally respected audit service?

      7. Anonymous Coward
        Anonymous Coward

        Re: I tip my hat

        @sal II And what have you done that's so good? Do tell.

        1. Anonymous Coward
          Anonymous Coward

          Re: I tip my hat

          Well it's been almost a day and sal II hasn't responded so I think we can safety assume he hasn't contributed anything good, ever.

          Or his bridge has collapsed on top of him under the weight of all the downvotes.

          1. JohnFen

            Re: I tip my hat

            Or he's ignoring it because it's a personal attack and a straw man? Whether or not he has ever done anything of note is irrelevant to whether or not his criticisms are valid (just to be clear, I don't agree with him myself).

      8. JLV

        Re: I tip my hat

        Maybe you can point us to signs of your own significant contributions that allow you to be so judgmental unto others?

      9. Sitaram Chamarty
        FAIL

        Re: I tip my hat

        Any possible reply I could make to your totally misguided comment has already been made by someone else already.

        As such, I will content myself with blowing a raspberry at you... Phhhhbbbbbtttt.

      10. jimdandy
        Windows

        Re: I tip my hat

        Bend over and expose your true self: a wanky pissant who has done nothing within light years of this one man's effort to avoid and preventing people from being pwned.

        Shut up until you've done something that helps others find a way through the new stupidverse.

      11. Anonymous Coward
        Anonymous Coward

        Re: I tip my hat

        But anyone can download the same data he has for free. It's all out there. How do you think he got it?

      12. Topperfalkon

        Re: I tip my hat

        I suspect it's labelled as an acquisition rather than a sale for a reason.

        You also can't really have responsible disclosure with a wholly open source project... because it's open.

        What he needs is an established business already comfortable operating in this space willing to take on a service that may have fairly low commercial profitability.

  2. david 64

    He has some very interesting blog entries on how he has setup and run this service, eg. obscene performance on Azure table storage. Worth a read even for the interested.

    https://www.troyhunt.com/working-with-154-million-records-on/

  3. MrKrotos

    Hmmmm

    Interesting, so he will be selling other peoples email addresses? GDPR anyone?

    1. Anonymous Coward
      Anonymous Coward

      Re: Hmmmm

      Dear Mr Krotos

      I am writing to you on behalf of the police. We had been going to tell you that when we arrested Mr Big, he had your name, email, address and photo in a little black book under the title 'People to assassinate next week'. Clearly as the book contained personal information we had no choice but to return to it's owner. At that point we had no evidence left, so we released Mr Big. Obviously we aren't actually going to send you this letter, because we securely deleted your email and contact details. Still - sleep tight!

      [Name redacted because its obv personal]

    2. Anonymous Coward
      Anonymous Coward

      Re: Hmmmm

      Interesting point, legally I don't know where this business would sit - there's no agreement with data subjects or data controllers to hold the information. Then again it could be argued that it's in the public arena already and hence is no longer "private" even if it's about private individuals and he wasn't the source of the breach/leak etc.

      I think you'd be hard pressed to find any Information Commissioner or equivalent keen to go after him as frankly he's doing a public service.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hmmmm

        As you mention, you can't breach confidentiality of something in the public domain, so it's not a GDPR risk at all

      2. JohnFen

        Re: Hmmmm

        " it could be argued that it's in the public arena already and hence is no longer "private" "

        Yes, when it comes to the breach datasets. However, people who actively use his service are supplying information that may or may not be in any of those datasets, That would be the sensitive information.

  4. JohnFen

    Nervous

    Kudos to Mr. Hunt. I understand burnout all too well, and I am deeply appreciative of his work with HIBP.

    I'm nervous about this announcement, though. HIBP operates with very sensitive data and has earned a great deal of trust. Any new owner must have an impeccable reputation and there are very few companies that have that. I'll wait and see who buys it before making any decisions about continuing to use it.

    1. Michael Wojcik Silver badge

      Re: Nervous

      HIBP operates with very sensitive data

      How so?

      The breach datasets are all published before HIBP gets them, by definition.

      Usernames that people submit are not sensitive, by Kerckhoff's Principle. There's no need for HIBP to keep them after performing the search, so there's no GDPR issue even if they're not in the datasets.

      No one needs to submit plaintext passwords to HIBP - you can submit hashes.

      While I wouldn't want HIBP taken over by a malicious actor, it's not high on my list of things to worry about. It's not nearly as sensitive as, say, most of the Alexa 100 sites, in terms of actual relative risk.

  5. JohnFen

    MFA

    "other strategies like multi-factor authentication, but take-up is weak as data from services like Microsoft's Office 365 demonstrates."

    That effect isn't very hard to understand. All of the MFA implementations I've seen so far are much less convenient than passwords and/or require information disclosure to unsavory companies.

    1. really_adf

      Re: MFA

      All of the MFA implementations I've seen so far are much less convenient than passwords and/or require information disclosure to unsavory companies.

      All security is a trade-off with convenience. (Wouldn't it be more convenient if you just had your user name, with no password to remember?)

      From a convenience/handing over data perspective, I've used:

      - Mobile app notification: minimal inconvenience, who knows about data (though not an inherent issue)

      - Phone call: slightly more inconvenient than an app for most, but you need to hand over your telephone number.

      - SMS OTP: probably slightly more inconvenient than a phone call in most cases; again, you need to hand over your number.

      - TOTP/HOTP and similar (RSA SecurID springs to mind): like SMS OTP except no data.

      The only other option I'm aware of (am I missing any?), and looks very interesting to me, is U2F. This keeps the "no data" aspect of TOTP etc, while reducing inconvenience to be similar to a mobile app. From a security perspective, it also allows a lot of potential weaknesses affecting the above to be avoided.

      1. JohnFen

        Re: MFA

        "All security is a trade-off with convenience."

        Indeed so. When you're talking about why MFA hasn't been adopted widely by the average user, convenience is probably near, or at, the top of the list of reasons.

        I think you covered all the options in your list. Of those, U2F is the most acceptable to me -- but I think that the requirement to buy and carry a U2F device, however cheap it is, puts off a lot of ordinary users.

      2. knottedhandkerchief

        Re: MFA

        There's also password-less login, where an email is sent to the registered address. Similar to a password reset (same security level, i.e. not much) but the resulting link is a one-time login, short term. I've used it for a low security required site where there was about 50% password resets, this went to zero. Example for WordPress: https://www.cozmoslabs.com/add-ons/passwordless-login/

  6. Somewhere in the Colonies

    A real CSR opportunity?

    With so many big companies talking about their Corporate and Social Responsibility efforts - and then doing things like planting trees or helping in homeless shelters - perhaps on of them could step up and provide both people and resource to support this effort.

    This work has been phenomenal, and has certainly earned him a place in Internet history. Like Wayback machine, it would be sad to see it go...or get corrupted from it's current highly trusted and reputable state.

  7. The Nazz

    Have i been porned.

    Wonder how rapidly the 8bn records will grow after mid July when the UK Govt's porn law kick in?

  8. FlamingDeath Silver badge

    As thankful as I am for this service, I wonder if it has had any noticeable effect on shoddy company practices and software SNAFU’s

    Microsoft are still hosting phishing pages on their Forms service, they’re still facilitating spam, like, not even trying to stop it, and the icing on the cake, try using their incarnation of 2FA with powershell.

    This is one shitty company in a sea of shitty companies, Faecesbook, Frugle, CrApple, the list is long

    Yes I know this is about database breaches, shitty security and shitty humans with their lack of foresight, go hand in hand, the apple rarely falls far from the tree

    1. FlamingDeath Silver badge

      Should add here, the onus is on the end-user to create ever more complex random unique passwords

      The onus should be on the reckless ‘for profit’ companies to not spill peoples personal details all over the internet. If their marketing budgets were as high as their security budgets...

      A rude awakening is not far away

      1. JohnFen

        "The onus should be on the reckless ‘for profit’ companies to not spill peoples personal details all over the internet."

        I agree (although it's not just for profit companies that fall down on this.)

        But we should also keep in mind that breaches will continue to happen even if every company handles their security very well. There is no such thing as perfect security, after all. If something can be accessed legitimately, it can be accessed illegitimately. The only question is how much time and effort is required to do it.

  9. Anonymous Coward
    Anonymous Coward

    There is no 'HIBP team', there's one guy keeping the whole thing afloat."

    I fully understand how he feels. On an incomparably smaller scale I have been running, almost entirely single-handedly a non-profit project for 13 years and, frankly, a ZERO rate for volunteers willing to give a helping hand (with thousands offering a "great job mate!" free pat on the back). No matter how optimistic, or resilient you are, this ratio just steady erodes your faith in, well, human nature in general. It's a matter of when, not if, when you say: ok, fuck this and fuck you all.

    1. JohnFen

      Re: There is no 'HIBP team', there's one guy keeping the whole thing afloat."

      "No matter how optimistic, or resilient you are, this ratio just steady erodes your faith in, well, human nature in general."

      This isn't a universal truth. I run a couple of services alone and for free and have done so for at least a decade. I've stopped running service before because of burnout -- but I have never been bothered by the ratio you're talking about, and it has certainly not eroded my faith in anything.

  10. EnviableOne

    Possibble Owners

    Full respect to Troy for all the effort he has put in and reading his own blog post (https://www.troyhunt.com/project-svalbard-the-future-of-have-i-been-pwned/)

    he is looking for the right people to take over.

    from the current people working with HIBP, i reckon either Cloudflare or Mozilla would be the best homes for the service, and both have the scale to support it.

    1. JohnFen

      Re: Possibble Owners

      If it's Cloudflare, then I'd stop using the service. Mozilla would be a decent fit, though.

  11. Midnight

    HIBP is just not going to be the same after McAfee takes it over.

  12. FF22

    Business?

    " He believes it is time to put the business up for acquisition"

    What business? This is not a business, and it will ever only be a business if the future owner will abuse the data it can collect through the site.

    1. Anonymous Coward
      Anonymous Coward

      Re: Business?

      Advertising. It already has an advert for 1Password.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon