posted by chromas on Thursday June 13 2019, @12:55AM   Printer-friendly
from the betteridge-says-no dept.

After six years as a solo effort, Troy Hunt has found that he can no longer keep up with all the data breaches in his spare time. He's also aware that he has become a single-point-of-failure for an increasingly important service. He is, therefore, looking to sell his site https://haveibeenpwned.com/. News of this was relayed to users in a blog post and covered by threatpost in Troy Hunt Looks to Sell Have I Been Pwned:

Citing overwhelming demands on his time, Troy Hunt is looking for a buyer for his site, Have I Been Pwned (HIBP).

HIBP offers a free service for consumers wanting to know if their user names and passwords have been compromised in a data breach; it also offers commercial services that include alerts for members of identity-theft programs, enabling infosec companies to provide services to their customers, protecting large online assets from credential stuffing attacks, preventing fraudulent financial transactions, and giving governments and law enforcement assistance with investigations.

Hunt has been running the site for six years, and said in a posting on Tuesday that the sheer amount of breached information out there needing to be loaded into the database has accelerated to the point of outstripping one person's capability to keep up with it.

He noted that starting in January, with the massive Collection #1 data dump, his responsibilities in keeping HIBP afloat have spiked. This has led to him having to cut back on other things, like maintaining his social media presence on Twitter and writing technical blog posts. Even so, he's continued to travel and speak globally, upload weekly videos, and participate in industry and media events – resulting in something "very close to burnout," he said, as he tried to keep up with it all plus have a family life.

Here's hoping he can find an organization that will be as good a steward of the information as he has been.


  • (Score: 1, Touché) by Anonymous Coward on Thursday June 13 2019, @01:50AM (2 children)

    by Anonymous Coward on Thursday June 13 2019, @01:50AM (#854960)

    Facebook/Google/Microsoft/Amazon making an offer in 3....2....1....
    All in the name of protecting their user base, of course!

    • (Score: 2) by Mykl on Thursday June 13 2019, @03:56AM

      by Mykl (1112) on Thursday June 13 2019, @03:56AM (#855000)

      I'm less worried about the majors buying the site, and more worried about organisations like some eastern European tech company with ties to organised crime. Or any Chinese company. Or any middle-eastern country. Or anyone who might have an incentive to not report on some breaches (yes, this includes the majors I suppose).

    • (Score: 0) by Anonymous Coward on Thursday June 13 2019, @09:27AM

      by Anonymous Coward on Thursday June 13 2019, @09:27AM (#855053)

      Awesome
      FB could use it to check for people it hasn't created shadow accounts for yet. Much invasion, such profit.

  • (Score: 2) by arslan on Thursday June 13 2019, @03:22AM (1 child)

    by arslan (3462) on Thursday June 13 2019, @03:22AM (#854989)

    organization that will be as good a steward of the information

    At this point in time, is there really an organization that we can trust with private information? Even if the organization is completely not-for-profit, how can it resist their local government meddling?

    • (Score: 2) by All Your Lawn Are Belong To Us on Thursday June 13 2019, @02:52PM

      by All Your Lawn Are Belong To Us (6553) on Thursday June 13 2019, @02:52PM (#855155) Journal

      No. Not because there aren't organizations that aren't trustworthy, but because the systems supporting them are that broken at this point. If one can't trust the support system then it doesn't matter if the organization is trustworthy. (And I was thinking more of computer security here, but it applies to government support as well).

      --
      This sig for rent.
  • (Score: 4, Touché) by Bot on Thursday June 13 2019, @07:53AM (7 children)

    by Bot (3902) on Thursday June 13 2019, @07:53AM (#855039) Journal

    ###Welcome to HIBP###
    Please enter the password to be checked:
    >Yhuteyu6re2ggd
    Searching...
    Yes you have been owned, right now at least. Have a nice day.

    --
    Account abandoned.
    • (Score: 2) by pkrasimirov on Thursday June 13 2019, @08:16AM (6 children)

      by pkrasimirov (3358) Subscriber Badge on Thursday June 13 2019, @08:16AM (#855043)

      You were never supposed to submit the password but its hash. Still a risk, that's why in HIBP version 2 you do not submit your password hash but only the first 4 characters instead. The HIBP gives you the full list of all pwned password hashes starting with your 4 characters. Then you search your exact hash in the list. If you find it, your password has been pwned.

      • (Score: 2, Informative) by shrewdsheep on Thursday June 13 2019, @08:37AM (5 children)

        by shrewdsheep (5215) on Thursday June 13 2019, @08:37AM (#855048)

        If the password hash is properly salted, how am I supposed to know the hash of my password?
        If the hash has been lifted, how does this imply my password has been pwned?

        • (Score: 2) by pkrasimirov on Thursday June 13 2019, @09:48AM (2 children)

          by pkrasimirov (3358) Subscriber Badge on Thursday June 13 2019, @09:48AM (#855059)

          I think HIBP generates and publishes unsalted hashes from the plain-text passwords that have been pwned. You can read more here: https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

          • (Score: 1, Interesting) by Anonymous Coward on Thursday June 13 2019, @12:58PM (1 child)

            by Anonymous Coward on Thursday June 13 2019, @12:58PM (#855109)

            Unrelated to the security of the service I find the following information interesting:

            The largest [number of stored password hashes with a given prefix] is 584 (hash prefixes "00000" and "4A4E8")

            The very fact that the prefix "00000" is most frequent actually makes me wonder if this indicates a weakness of that hash (the probability of that happening by chance is about 10^-12, that is less likely than winning the lottery jackpot two times in a row [I've taken the German "Lotto" for the comparison, but I guess most lotteries are in similar probability ranges]).

            • (Score: 0) by Anonymous Coward on Friday June 14 2019, @05:15AM

              by Anonymous Coward on Friday June 14 2019, @05:15AM (#855416)

              I'm wondering what statistical analysis you did to confirm that. Sure it is 106 more than the mean, but the smallest was 97 less. They could both be well within the distribution, given that there are 16^5 possible buckets for the hashes to fall into; especially since he didn't give the stdev in the original post

        • (Score: 0) by Anonymous Coward on Thursday June 13 2019, @06:53PM (1 child)

          by Anonymous Coward on Thursday June 13 2019, @06:53PM (#855248)

          If you already have a reason to visit the site to check if you have been pwned, why don't you just change your password instead.

          • (Score: 2) by Bot on Thursday June 13 2019, @10:37PM

            by Bot (3902) on Thursday June 13 2019, @10:37PM (#855322) Journal

            I would also add: Troy Hunt is quite the name for a security researcher, is his real name Dimitri or Wang?

            --
            Account abandoned.
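The two technical threads above, the Pwned Passwords range query that pkrasimirov and shrewdsheep discuss and the bucket-size question raised by the two Anonymous Cowards, can be checked with a short script. The following is an added example written for this page, not code from HIBP or from any commenter. It assumes the v2 protocol as Troy Hunt documented it: the client hashes the password with SHA-1 locally, sends only the first five hex characters (the thread's own figures of 16^5 buckets and a "00000" prefix reflect five characters, not four), and the server returns every stored suffix under that prefix with its breach count, so the full hash never leaves the client. The password corpus and counts in the script are constructed stand-ins for the real list, and the mean bucket size of 478 used in the second part is inferred from the thread (the largest bucket, 584, being "106 more than the mean"), not taken from the API.

```python
import hashlib
import math

# Constructed sample corpus standing in for the Pwned Passwords list:
# plain-text password -> number of times seen in breaches (values invented).
CORPUS = {
    "password": 3730471,
    "123456": 23174662,
    "Yhuteyu6re2ggd": 1,
    "letmein": 236000,
}

PREFIX_LEN = 5  # hex characters sent to the server (16**5 = 1,048,576 buckets)


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, upper-case hex, as Pwned Passwords stores it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus: dict) -> dict:
    """Server-side index: 5-char prefix -> list of (35-char suffix, count)."""
    ranges = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        ranges.setdefault(h[:PREFIX_LEN], []).append((h[PREFIX_LEN:], count))
    return ranges


def range_response(ranges: dict, prefix: str) -> str:
    """Body served for GET /range/{prefix}: one 'SUFFIX:COUNT' line per hash.
    Only suffixes are returned, so the response never contains a full hash."""
    rows = sorted(ranges.get(prefix.upper(), []))
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def check_password(password: str, fetch) -> int:
    """Client side: hash locally, send only the prefix, match the suffix in the
    reply. Returns the breach count, or 0 if the password is not in the list."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for line in fetch(prefix).splitlines():
        if not line:
            continue
        got_suffix, count = line.split(":")
        if got_suffix == suffix:
            return int(count)
    return 0


def bucket_statistics(largest: int, above_mean: int, n_buckets: int = 16 ** PREFIX_LEN) -> dict:
    """Is the largest bucket surprising? Under uniform hashing each bucket count
    is ~Poisson(lambda) with lambda = total / n_buckets, sd = sqrt(lambda).
    Returns the model parameters, the z-score of the largest bucket, the expected
    number of buckets at least that large, and a rough expected maximum
    (mu + sd*sqrt(2 ln n), a slight overestimate for the max of n near-normal draws)."""
    mean = largest - above_mean
    sd = math.sqrt(mean)
    z = above_mean / sd
    tail = 0.5 * math.erfc(z / math.sqrt(2))  # P(count >= largest) for one bucket
    return {
        "mean": mean,
        "sd": sd,
        "z": z,
        "expected_buckets_at_least_largest": tail * n_buckets,
        "expected_max": mean + sd * math.sqrt(2 * math.log(n_buckets)),
    }


if __name__ == "__main__":
    ranges = build_ranges(CORPUS)
    fetch = lambda prefix: range_response(ranges, prefix)  # stands in for the HTTP call
    for pw in ("password", "Yhuteyu6re2ggd", "correct horse battery staple"):
        print(f"{pw!r}: seen {check_password(pw, fetch)} times")
    print(bucket_statistics(largest=584, above_mean=106))
```

With the page's figures the Poisson model gives a standard deviation of about 22 per bucket, so 584 is roughly 4.8 sigma above the mean; with 16^5 buckets drawn, about 0.65 buckets are expected to reach that size, and the expected maximum comes out near 593. The largest observed bucket is therefore exactly where uniform hashing predicts it, and which prefix happens to win is immaterial, so the "00000" result says nothing about SHA-1 (the 10^-12 figure would only apply if "00000" had been singled out before looking).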
  • (Score: 3, Funny) by EJ on Thursday June 13 2019, @09:07AM

    by EJ (2452) on Thursday June 13 2019, @09:07AM (#855052)

    If the sale goes through, the buyer will have a very easy time maintaining the site going forward.

    Once Troy passes the site and all its data to the new owners, the new owners just need to redirect all traffic for haveibeenpwned.com to yes.com.

  • (Score: 0) by Anonymous Coward on Thursday June 13 2019, @09:48AM

    by Anonymous Coward on Thursday June 13 2019, @09:48AM (#855058)

    This would be a good buy for a respectable security company like certain antivirus companies (one of which starts with an "F" would be my preferred choice)

  • (Score: 3, Funny) by Gaaark on Thursday June 13 2019, @10:11AM

    by Gaaark (41) on Thursday June 13 2019, @10:11AM (#855063) Journal

    SN has over $400 in the stretch goal....think it'll be enough?

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 0) by Anonymous Coward on Thursday June 13 2019, @11:08AM

    by Anonymous Coward on Thursday June 13 2019, @11:08AM (#855075)

    What kind of human organization could ensure that this key service for internet function will not be used to further the security breaches that make it necessary?

    corporation - no
    corrupt government - no
    TLA - no
    non-profit controlled by corporations - no
    rotary club infiltrated by all of the above - no
    individual - too much work keeping track of how much the above organizations are ruining the internet

    What can be a source of credibility on the internet, rather than a force destroying credibility on the internet?

    If it has not yet occurred to you, all large human institutions are working to prevent credibility for anyone but them, it.

    This is a struggle between The Individual and Organizations, and Organizations want no Individual to ever have credibility against them.

    One person to try that was just carried out of an embassy illegally. Another is in exile. Another died early of rare cancer in cuba. Another disappeared in Norway. The list goes on.

    At least we know all the money we Individuals pay for defense isn't protecting us but rather the opposite, so maybe we should stop paying for the privilege.
