Have I Been Pwned (HIBP), a free online service created by Troy Hunt that lets users check whether their email address has been exposed in a data breach, celebrated its 10th anniversary earlier this week. HIBP lets users see which data breaches their email addresses have appeared in and take proactive steps to mitigate the risk where needed.
Over the 10 years of HIBP, Troy Hunt has catalogued over 731 data breaches covering billions of records. One of the most notable incidents is the 2015 Ashley Madison breach, in which attackers stole data from the site, which facilitates affairs. The attackers published the stolen information, including names, email addresses, phone numbers and other data, in an effort to shame the users. This caused significant harm, exposing users to public shaming and extortion, and many suicides were recorded in the aftermath of the breach.
Over the years, HIBP has raised ethical questions about how breached data is handled and stored. Since this data is used in credential stuffing attacks, the security community has recognized that a service like HIBP is a net good for everyone. When users search for their email address, they are told only which breaches it may have appeared in; no other data from those breaches is shared with them.
A few years into HIBP, Troy Hunt launched Pwned Passwords, a collection of the most common passwords found in breaches. The service exposes an endpoint that developers and security professionals can use to check whether a user's password is weak or commonly used, either during account sign-up or on password change. Since the service relies on hashing, no part of the clear-text password is sent to HIBP.
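The following is an added example, not code from HIBP or Troy Hunt, showing how a sign-up or password-change handler can consult the Pwned Passwords range endpoint without ever sending the password. The client computes the SHA-1 of the password, sends only the first five hex characters of the hash to https://api.pwnedpasswords.com/range/{prefix}, and receives every hash suffix in that range with its breach count; the full hash, and so the password, never leaves the client. The "SUFFIX:COUNT" response format and the Add-Padding header are the documented API behaviour; the sample range data and its counts are constructed for this example, and the policy thresholds are assumptions.

```python
"""Pwned Passwords k-anonymity range check (added example, not HIBP's own code)."""
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-character prefix that is
    sent to the API and the 35-character suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict keyed by suffix.

    When the client sends 'Add-Padding: true', the API mixes in fake suffixes
    with a count of 0 so response size does not leak how populated the range
    is; they are harmless here because they never equal a real suffix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash range; only the 5-char prefix is transmitted.
    Not exercised offline, which is why the callers below accept a lookup callable."""
    req = Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-passwords-example", "Add-Padding": "true"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, lookup: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appeared in known breaches (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(lookup(prefix))
    return counts.get(suffix, 0)


# Constructed sample response for the "5BAA6" range (the range that contains
# SHA-1("password")). The counts are invented; the real service returns its own.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9999999",
    "2E3FABCD4A0D5AF7E3C8B5A1B2C3D4E5F67:0",  # padding-style entry
])


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample data."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def password_is_acceptable(password: str,
                           lookup: Callable[[str], str] = offline_lookup,
                           min_length: int = 12) -> bool:
    """Assumed sign-up policy: reject anything seen in a breach at all, and
    anything shorter than min_length, regardless of breach status."""
    if len(password) < min_length:
        return False
    return breach_count(password, lookup) == 0


if __name__ == "__main__":
    for candidate in ("password", "The quick brown fox jumps over the lazy dog"):
        print(candidate, "->", breach_count(candidate, offline_lookup), "breach hits")
```

To run it against the live service, pass `fetch_range` as the lookup instead of `offline_lookup`; the request still carries only the five-character prefix, so a network observer learns nothing usable about the password.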
This is so cool, thanks @FBI pic.twitter.com/aqMi3as91O
— Troy Hunt (@troyhunt) June 28, 2023