Have I Been Pwned?

The primary function of Have I Been Pwned? since it was launched is to provide the general public with a means to check if their private information has been leaked or compromised. The service collects and analyzes hundreds of database dumps and pastes containing information about billions of leaked accounts, and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future dumps. Usage of Dump Monitor In September 2014, Hunt added functionality that enabled new data breaches to be automatically added to HIBP's database. The new feature used Dump Monitor, a Twitter bot which detects and broadcasts likely password dumps found on pastebin pastes, to automatically add new potential breaches in real-time. Data breaches often show up on pastebins before they are widely reported on; thus, monitoring this source allows consumers to be notified sooner if they've been compromised. In February 2018, British computer scientist Junade Ali created a communication protocol (using k-anonymity and cryptographic hashing) to anonymously verify if a password was leaked without fully disclosing the searched password. This protocol was implemented as a public API in Hunt's service and is now consumed by multiple websites and services including password managers and browser extensions. This approach was later replicated by Google's Password Checkup feature. Ali worked with academics at Cornell University to formally analyse the protocol to identify limitations and develop two new versions of this protocol known as Frequency Size Bucketization and Identifier Based Bucketization. In March 2020, cryptographic padding was added to this protocol. == History ==

Launch In late 2013, web security expert Troy Hunt was analyzing data breaches for trends and patterns. He realized breaches could greatly impact users who might not even be aware their data was compromised, and as a result, began developing HIBP. "Probably the main catalyst was Adobe," said Hunt of his motivation for starting the site, referring to the Adobe Systems security breach that affected 153 million accounts in October 2013. Open-sourcing On August 7, 2020, Hunt announced on his blog his intention to open-source the Have I Been Pwned? codebase. Hunt started publishing some code on May 28, 2021. == Branding ==

The name "Have I Been Pwned?" uses the hacker jargon term "pwn", HIBP's logo includes the text ';--, which is a common SQL injection attack string. A hacker trying to take control of a website's database might use such an attack string to manipulate a website into running malicious code. Injection attacks are one of the most common vectors by which a database breach can occur; they are the top most common web application vulnerability on the OWASP Top 10 list. == Data breaches ==

Since its launch, the primary development focus of HIBP has been to add new data breaches as quickly as possible after they are leaked to the public. Ashley Madison In July 2015, online dating service Ashley Madison, known for encouraging users to have extramarital affairs, suffered a data breach, and the identities of more than 30 million users of the service were leaked to the public. The data breach received wide media coverage, presumably due to the large number of impacted users and the perceived shame of having an affair. According to Hunt, the breach's publicity resulted in a 57,000% increase in traffic to HIBP. Following this breach, Hunt added functionality to HIBP by which breaches considered "sensitive" would not be publicly searchable, and would only be revealed to subscribers of the email notification system. This functionality was enabled for the Ashley Madison data, as well as for data from other potentially scandalous sites, such as Adult FriendFinder. 000webhost In October 2015, Hunt was contacted by an anonymous source who provided him with a dump of 13.5 million users' email addresses and plaintext passwords, claiming it came from 000webhost, a free web hosting provider. Working with Thomas Fox-Brewster of Forbes, he verified that the dump was most likely genuine by testing email addresses from it and by confirming sensitive information with several 000webhost customers. Hunt and Fox-Brewster attempted many times to contact 000webhost to further confirm the authenticity of the breach, but were unable to get a response. On 29 October 2015, following a reset of all passwords and the publication of Fox-Brewster's article about the breach, 000webhost announced the data breach via their Facebook page. Paysafe Group In early November 2015, two breaches of gambling payment providers Neteller and Skrill were confirmed to be genuine by the Paysafe Group, the parent company of both providers. The data included 3.6 million records from Neteller obtained in 2009 using an exploit in Joomla, and 4.2 million records from Skrill (then known as Moneybookers) that leaked in 2010 after a virtual private network was compromised. The combined 7.8 million records were added to HIBP's database. VTech Later that month, electronic toy maker VTech was hacked, and an anonymous source privately provided a database containing nearly five million parents' records to HIBP. According to Hunt, this was the fourth largest consumer privacy breach to date. Miscellaneous In May 2016, an unprecedented series of very large data breaches that dated back several years were all released in a short timespan. These breaches included: • 360 million Myspace accounts from circa 2009 • 164 million LinkedIn accounts from 2012 • 65 million Tumblr accounts from early 2013 • 40 million accounts from adult dating service Fling.com These datasets were all put up for sale by an anonymous hacker named "peace_of_mind", and were shortly thereafter provided to Hunt to be included in HIBP. In June 2016, an additional "mega breach" of 171 million accounts from Russian social network VK was added to HIBP's database. In August 2017, BBC News featured Have I Been Pwned? on Hunt's discovery of a spamming operation that has been drawing on a list of 711.5 million email addresses. == See also ==