Troy Hunt Puts Have I Been Pwned Up For Sale

Troy Hunt, inventor and operator of the popular security website Have I Been Pwned (HIBP), is putting the service up for sale.

Hunt, a Microsoft Regional Director and MVP for security, created the site in 2013 after Adobe leaked 153 million usernames and weakly encrypted passwords. Users can enter an email address and discover if it is included in the exposed data. You can also enter a password to see if it features in a data breach.

The site was soon extended with data from other breaches and now contains nearly 8 billion records. HIBP publishes an API which gets over 12 million hits a day, most of them checking whether a password is safe to use. Mozilla's Firefox is one of a number of products that integrates with the API to help users choose strong passwords. Commercial subscribers, governments and law enforcement agencies use the service too.

Hunt said in today's announcement that "to date, every line of code, every configuration and every breached record has been handled by me alone. There is no 'HIBP team', there's one guy keeping the whole thing afloat."

Common passwords have been leaked, this one over 1 million times

Common passwords have been leaked, this one over 1 million times

He said that maintaining the site has been stressful and has taken him close to burnout. He believes it is time to put the business up for acquisition, which he is doing with KPMG.

The acquisition project is called Project Svalbard, in tribute to a Norwegian effort to store a vault of seeds to protect against future loss. "It sounds like a befitting name, beginning with the obvious analogy of storing a massive quantity of 'units'," Hunt said.

The question everyone will be asking: will the service get worse? Hunt said he will remain part of HIBP and that consumer searches will still be free. The idea is that a bigger organisation will enable him to build out more capabilities.

He also wants to put more effort into changing the behaviour of both individuals and organisations, in respect of their poor security practices.

Hunt has fallen behind, he said, on responsible disclosure – informing organisations that they have been breached. This he called "massively burdensome".

When will it happen? No hurry, said Hunt. "I'm not under any duress (not beyond the high workload, that is) and I've got time to let the acquisition search play out organically and allow it to find the best possible match for the project."

But he does not want to lead a new nonprofit even with sponsorship from other companies, believing that this would increase rather than reduce the stress he is under.

The site performs an excellent, though dispiriting, service. Those of us who have had active email accounts for many years are likely to feature multiple times in the HIBP database. Your correspondent's, for example, is in 20 data breaches including Adobe, Bit.ly, Creative, Disqus, Dropbox, Kickstarter, Last.fm, MySpace and vBulletin, as reported by HIBP.

Sane security today means unique passwords for every site and a password manager, along with other strategies like multi-factor authentication, but take-up is weak as data from services like Microsoft's Office 365 demonstrates.®