Troy Hunt

DECEMBER 15, 2024

I'm back in Oslo! Writing this the day after recording, it feels like I couldn't be further from Dubai; the temperature starts with a minus, it's snowing and there's not a supercar in sight. Back on business, this week I'm talking about the challenge of loading breaches and managing costs. A breach load immediately takes us from a very high percentage cache hit ratio on Cloudflare to zero.

Data breaches 222

Data breaches Media Accountability 222

Troy Hunt

DECEMBER 7, 2024

A super quick intro today as I rush off to do the next very Dubai thing: drive a Lambo through the desert to go dirt bike riding before jumping in a Can-Am off-roader and then heading to the kart track for a couple of afternoon sessions. I post lots of pics to my Facebook account , and if none of that is interesting, here's this week's video on more infosec-related topics: References Sponsored by:  Cyberattacks are guaranteed.

InfoSec 228

InfoSec Government Accountability 228

Troy Hunt

NOVEMBER 20, 2024

I've spent more than a decade now writing about how to make Have I Been Pwned (HIBP) fast. Really fast. Fast to the extent that sometimes, it was even too fast: The response from each search was coming back so quickly that the user wasn’t sure if it was legitimately checking subsequent addresses they entered or if there was a glitch. Over the years, the service has evolved to use emerging new techniques to not just make things fast, but make them scale more under load, increase avail

Data breaches 293

Data breaches Passwords DDOS Accountability 293

Troy Hunt

NOVEMBER 13, 2024

Apparently, before a child reaches the age of 13, advertisers will have gathered more 72 million data points on them. I knew I'd seen a metric about this sometime recently, so I went looking for "7,000", which perfectly illustrates how unaware we are of the extent of data collection on all of us. I started Have I Been Pwned (HIBP) in the first place because I was surprised at where my data had turned up in breaches. 11 years and 14 billion breached records later, I'm still surp

Data breaches 289

Data breaches Passwords B2B Technology 289

Troy Hunt

NOVEMBER 8, 2024

This was a much longer than usual update, largely due to the amount of time spent discussing the Earth 2 incident. As I said in the video (many times!), the amount of attention this has garnered from both Earth 2 users and the company itself is incommensurate with the impact of the incident itself. It's a nothing-burger. Email addresses and usernames, that's it, and of course, their association with the service, which may lead to some very targeted spam or phishing attempts.

Data breaches 227

Data breaches Phishing 227

Troy Hunt

OCTOBER 5, 2024

Ok, the scenery here is amazing , but the real story is data breach victim notification. Charlotte and I wanted to do this one together today and chat about some of the things we'd been hearing from government and law enforcement on our travels, and the victim notification angle featured heavily. She reminded me of the trouble even the police have when reaching out to organisations about security issues, often being confronted by lawyers or other company representatives worried about legal

Data breaches 236

Data breaches Cybercrime Government 236

Troy Hunt

SEPTEMBER 28, 2024

It's not a green screen! It's just a weird a weird hotel room in Pittsburgh, but it did make for a cool backdrop for this week's video. We were there visiting our FBI friends after coming from Washington DC and a visit to CISA, the "America's Cyber Defence Agency" This week, I'm talking about those visits, some really cool new Cloudflare features, and our ongoing effort to push more and more of HIBP's data to Cloudflare's edges.

Passwords 226

Passwords 226

Troy Hunt

SEPTEMBER 27, 2024

The conundrum I refer to in the title of this post is the one faced by a breached organisation: disclose or suppress? And let me be even more specific: should they disclose to impacted individuals, or simply never let them know? I'm writing this after many recent such discussions with breached organisations where I've found myself wishing I had this blog post to point them to, so, here it is.

Data breaches 306

Data breaches Risk Passwords Government 306

Troy Hunt

SEPTEMBER 17, 2024

I was in my mid-30s before I felt comfortable standing up in front of an audience and talking about technology. Come to think of it, "comfortable" isn't really the right word, as, frankly, it was nerve-racking. This, with my obvious bias as her father, makes it all the more remarkable that Elle was able to do it at NDC Oslo when she was just 11 years old.

Technology 289

Technology 289

Troy Hunt

SEPTEMBER 15, 2024

Today was all about this whole idea of how we index and track data breaches. Not as HIBP, but rather as an industry; we simply don't have a canonical reference of breaches and their associated attributes. When they happened, how many people were impacted, any press on the incident, the official disclosure messaging and so on and so forth. As someone in the video today said, "what about the Airtel data breach?

Data breaches 263

Data breaches Government 263

Troy Hunt

SEPTEMBER 6, 2024

It's been a while since I've just gone all "AMA" on a weekly update, but this was just one of those weeks that flew by with my head mostly in the code and not doing much else. There's a bit of discussion about that this week, but it's mostly around the ongoing pain of resellers and all the various issues supporting them then creates as a result.

257

257

Troy Hunt

AUGUST 24, 2024

This is such a significant week for us, to finally have Stefan join us as a proper employee at HIBP. When you start out as a pet project, you never really consider yourself a "proper" employee because, well, it's just you mucking around. And then when Charlotte started "officially" working for HIBP a few years ago, well, that's my wife helping me out.

Software 284

Software 284

Troy Hunt

AUGUST 23, 2024

It should be so simple: you're a customer who wants to purchase something so you whip out the credit card and buy it. I must have done this thousands of times, and it's easy! I've bought stuff with plastic credit cards, stuff with Apple Pay on my phone and watch and, like all of us, loads of stuff simply by entering credit card details into a website.

Banking 308

Banking Accountability Data breaches 308

Troy Hunt

AUGUST 18, 2024

Whilst there definitely weren't 2.x billion people in the National Public Data breach, it is bad. It really is fascinating how much data can be collected and monetised in this fashion and as we've seen many times before, data breaches do often follow. The NPD incident has received a huge amount of exposure this week and as is often the case, there are some interesting turns; partial data sets, an actor turned data broker, a disclosure notice (almost) nobody can load and bad actors pedd

Data breaches 268

Data breaches Engineering 268

Troy Hunt

AUGUST 10, 2024

When is a breach a breach? If it's been breached then re-breached , is the second incident still a breach? Here's what the masses said when I asked if they'd want to know when something like this happened to their data: If you're in a breach and your data is aggregated by a third party, then *they* have a breach that discloses your data (again), would you want to know?

274

274

Troy Hunt

AUGUST 1, 2024

The ongoing scourge that is spyware (or, as it is commonly known, "stalkerware"), and the subsequent breaches that so often befall them continue to amaze me. More specifically, it's the way they tackle the non-consensual spying aspect of the service which, on the one hand is represented as a big "no-no" but on the others hand, the likes of Spytech in this week's update literally have a dedicated page for!

Spyware 245

Spyware Small Business Scams 245

Troy Hunt

JULY 31, 2024

TL;DR — Tens of millions of credentials obtained from info stealer logs populated by malware were posted to Telegram channels last month and used to shake down companies for bug bounties under the misrepresentation the data originated from their service. How many attempted scams do you get each day? I woke up to yet another "redeem your points" SMS this morning, I'll probably receive a phone call from "my bank" today (edit: I was close, it was "Amazon Prime" &

Scams 333

Scams Passwords Malware Accountability 333

Troy Hunt

JULY 27, 2024

Who would have thought that just a few hours after recording the previous week's video, the world would descend into what has undoubtedly become the largest IT outage we've ever seen: I don’t think it’s too early to call it: this will be the largest IT outage in history — Troy Hunt (@troyhunt) July 19, 2024 By virtue of the CrowdStrike incident occurring in friendly office hours for my corner of the world, I was able to get a thread on it going pretty early on.

Media 254

Media 254

Troy Hunt

JULY 24, 2024

Just over 13 years ago, Microsoft gave me my first "Most Valuable Professional" award. Out of the blue, as far as I was concerned. It wasn't something I'd planned for and it certainly wasn't something I'd expected, but it has become a cornerstone of my professional identity. Indulge me while I go off on a bit of a tangent here: like the other things in my professional life that have turned into a success, the things I did to earn that first MVP award were things I was

Data breaches 290

Data breaches 290

Troy Hunt

JULY 21, 2024

It feels weird to be writing anything right now that isn't somehow related to Friday's CrowdStrike incident, but given I recorded this video just a few hours before all hell broke loose, it'll have to wait until next week. This week, the issue that really has me worked up is data breach victim notification or more specifically, lack thereof.

Data breaches 251

Data breaches InfoSec Spyware Government 251

Troy Hunt

JULY 11, 2024

I get the frustration and anger those working at organisations that have been breached feel, and I've seen it firsthand in my communications with them on so many prior occasions. They're the victim of a criminal act and they're rightly outraged. However. thinking back to similar examples to The Heritage Foundation situation this week, I can't think of a single case where losing your mind and becoming abusive has ever worked out well.

Passwords 264

Passwords 264

Troy Hunt

JULY 5, 2024

It's a long one this week, in part due to the constant flood of new breaches and disclosures I discuss. I regularly have disclosure notices forwarded to me by followers who find themselves in new breaches, and it's always fascinating to hear how they're worded. You get a real sense of how much personal ownership a company is taking, how much blame they're putting back on the hackers and increasingly, how much they've been written by lawyers.

Data breaches 250

Data breaches Banking Software 250

Troy Hunt

JUNE 30, 2024

Last week, I wrote about The State of Data Breaches and got loads of feedback. It was predominantly sympathetic to the position I find myself in running HIBP, and that post was mostly one of frustration: lack of disclosure, standoffish organisations, downplaying breaches and the individual breach victims themselves making it worse by going to town on the corporate victims.

Data breaches 265

Data breaches Government InfoSec Passwords 265

Troy Hunt

JUNE 29, 2024

Why does it need to be a crazy data breach week right when I'm struggling with jet lag?! I came home from Europe just as a bunch of the Snowflake-sourced breaches started being publicly dumped, and things went a little crazy. Lots of data to review, lots of media enquiries and many discussions with impacted individuals, breached companies, incident response folks and law enforcement agencies.

Data breaches 254

Data breaches Media Accountability 254

Troy Hunt

JUNE 24, 2024

I've been harbouring some thoughts about the state of data breaches over recent months, and I feel they've finally manifested themselves into a cohesive enough story to write down. Parts of this story relate to very sensitive incidents and parts to criminal activity, not just on behalf of those executing data breaches but also very likely on behalf of some organisations handling them.

Data breaches 302

Data breaches Identity Theft InfoSec Accountability 302

Troy Hunt

JUNE 23, 2024

Ah, sunshine! As much as I love being back in Norway, the word "summer" is used very loosely there. Not as much in Greece, however, which is just spectacular: Finally escaped the bitterly cold Norwegian summer for something… warmer 🇬🇷 pic.twitter.com/jk9knZvJar — Troy Hunt (@troyhunt) June 17, 2024 3 nights in Mykonos, 2 in Santorini and I'm pushing this post out just before our second night in Athens before embarking on the long journey home.

Accountability 214

Accountability 214

Troy Hunt

JUNE 16, 2024

What a week! The NDC opening keynote and 3D printing talk both went off beautifully, the latter being the first time for 11-year old Elle on stage: And the pro shots are really cool 😎 pic.twitter.com/ud7ad0pF1x — Troy Hunt (@troyhunt) June 15, 2024 Videos of both will be available in the coming weeks so stay tuned for them. For now, we're at the end of a mostly cold and rainy Norwegian summer trip, heading to the sunny Greek isles for next week's update 😎 Referen

267

267

Troy Hunt

JUNE 6, 2024

I just watched back a little segment from this week's video and somehow landed at exactly the point where I said "I am starting to lose my patience with repeating the same thing over and over again" (about 46 mins if you want to skip to it), which is precisely how I wanted to start this post. In running HIBP for the last 10 and a bit years, there have been so many breaches where people have asked for the data within them beyond just the email address to be made available.

Risk 256

Risk 256

Troy Hunt

JUNE 2, 2024

What a week! It was Ticketmaster that consumed the bulk of my time this week with the media getting themselves into a bit of a frenzy over a data breach that at the time of recording, still hadn't even been confirmed. But as predicted in the video, confirmation came late on a Friday arvo and since that time we've learned a lot more about just how bad the situation is.

Data breaches 267

Data breaches Media 267

Troy Hunt

MAY 29, 2024

Today we loaded 16.5M email addresses and 13.5M unique passwords provided by law enforcement agencies into Have I Been Pwned (HIBP) following botnet takedowns in a campaign they've coined Operation Endgame. That link provides an excellent over so start there then come back to this blog post which adds some insight into the data and explains how HIBP fits into the picture.

Passwords 333

Passwords Password Management Data breaches Cybercrime 333

Troy Hunt

MAY 27, 2024

Ah, episode 401, the unauthorised one! Ok, that was terrible, but what's not terrible is finally getting some serious dev resources behind HIBP. I touch on it in the blog post but imagine all the different stuff I have to spread myself across to run this thing, and how much time is left for actual coding. By welcoming Stefan to the team we're not doubling or tripling or even quadrupling the potential dev hours, it's genuinely getting close to 10x.

Scams 265

Scams Education Media 265

Troy Hunt

MAY 21, 2024

We often do that in this industry, the whole "1.0" thing, but it seems apt here. I started Have I Been Pwned (HIBP) in 2013 as a pet project that scratched an itch, so I never really thought of myself as an "employee" Over time, it grew (and I tell you what, nobody is more surprised by that than me!) and over the last few years, my wife Charlotte got more and more involved.

Passwords 331

Passwords Hacking 331

Troy Hunt

MAY 19, 2024

This is the 400th time I've sat down in front of the camera and done one of these videos. Every single week since the 23rd of September in 2016 regardless of location, health, stress and all sorts of other crazy things that have gone on in my life for nearly the last 8 years now, I've done a video. As with so many of the things I create, these are as much for me as they are for you; doing these videos every week has given me a regular cadence amidst some pretty crazy times.

Data breaches 270

Data breaches 270

Troy Hunt

MAY 11, 2024

The Post Millennial breach in this week's video is an interesting one, most notably because of the presence of the mailing lists. Now, as I've said in every piece of communication I've put out on this incident, the lists are what whoever defaced the site said TPM had and they certainly posted that data in the defacement message, but we're yet to hear a statement from the company itself.

Ransomware 220

Ransomware 220

Troy Hunt

MAY 2, 2024

How many different angles can you have on one data breach? Facial recognition (which probably isn't actual biometrics), gambling, offshore developers, unpaid bills, extortion, sloppy password practices and now, an arrest. On pondering it more after today's livestream, it's the unfathomable stupidity of publishing this data publicly that really strikes me.

Passwords 271

Passwords Data breaches 271

Troy Hunt

APRIL 28, 2024

Banks. They screw us on interest rates, they screw us on fees and they screw us on passwords. Remember the old "bank grade security" adage? I took this saying to task almost a decade ago now but it seems that at least as far as password advice goes, they really haven't learned. This week, Commbank is telling people to use a password manager but just not for their bank password, and ANZ bank is forcing people to rotate their passwords once a year because, uh, hackers?

Banking 258

Banking Passwords Password Management Data breaches 258

Troy Hunt

APRIL 22, 2024

"More Data Breaches Than You Can Shake a Stick At" That seems like a reasonable summary and I suggest there are two main reasons for this observation. Firstly, there are simply loads of breaches happening and you know this already because, well, you read my stuff! Secondly, There are a couple of Twitter accounts in particular that are taking incidents that appear across a combination of a popular clear web hacking forum and various dark web ransomware websites and "raising them to th

Data breaches 246

Data breaches Accountability Ransomware Hacking 246