Needs support. Troy Hunt puts popular security website up for sale as admin and coding take him close to burn-out
Australian security researcher Troy Hunt has placed his hugely popular security website ‘Have I Been Pwned’ (HIBP) up for sale.
Hunt revealed that he is the sole person responsible for the coding and administration of the data breach checking website, and that running it at times has left him close to burn-out.
The HIBP website is well known in security circles as a simple place for people to check whether their personal data has been compromised in a data breach.
Hunt said he created the website after Adobe leaked 153 million usernames and weakly encrypted passwords back in 2013.
Anyone can enter an email address on the HIBP website to discover whether it is included in the exposed data. Users can also enter a password to see if it features in a data breach.
This time last year, for example, Mozilla integrated the HIBP website with its Firefox web browser.
The Mozilla integration made breach data searchable for Firefox users via a tool called “Firefox Monitor”. Until then, Firefox users had to rely on notifications from particular vendors or on media reports to learn whether their personal data had been compromised.
Over the years since its creation, the HIBP website has grown and grown, and Hunt explained in a blog posting that the website has almost 8 billion breached records, and there are nearly 3 million people subscribed to notifications.
“I’ve emailed those folks about a breach 7 million times, there are 120k people monitoring domains they’ve done 230k searches for and I’ve emailed them another 1.1 million times,” Hunt explained. “There are 150k unique visitors to the site on a normal day, 10 million on an abnormal day, another couple of million API hits to the breach API and then 10 million a day to Pwned Passwords. Except even that number is getting smashed these days.”
Hunt said that there are infosec companies using the website, and governments “around the world using it to protect their departments, the law enforcement agencies leveraging it for their investigations and all sorts of other use cases I never, ever saw coming.”
But it has got too much for just one man to deal with and manage on a daily basis.
“And to date, every line of code, every configuration and every breached record has been handled by me alone,” Hunt wrote. “There is no ‘HIBP team’, there’s one guy keeping the whole thing afloat.”
“Each and every disclosure to an organisation that didn’t even know their data was out there fell to me (and trust me, that’s massively time-consuming and has proven to be the single biggest bottleneck to loading new data),” Hunt wrote. “Every media interview, every support request and frankly, pretty much every single thing you could possibly conceive of was done by just one person in their spare time. This isn’t just a workload issue either; I was becoming increasingly conscious of the fact that I was the single point of failure. And that needs to change.”
Hunt explained how he was still being bombarded by huge numbers of emails, even when he was “hanging out with my 9-year old son and good friends in a log cabin in the Norwegian snow.”
“At that moment, I realised I was getting very close to burn-out. I was pretty confident I wasn’t actually burned out yet, but I also became aware I could see that point in the not too distant future if I didn’t make some important changes in my life,” said Hunt.
Hunt said that because of this he has teamed up with KPMG to help deal with the financial side of the sale, and he has called the sell-off ‘Project Svalbard’, after the massive repository of seeds stored up in the Arctic Circle (Norway actually).
Hunt has pledged that no matter who purchases the website, he intends to continue the freely available consumer searches.
He said he will remain part of HIBP and he wants to expand some of the website capabilities and reach a larger audience.
He also hopes the website will help change consumer behaviour (reusing passwords etc), and will improve its responsible disclosure duties.
“HIBP may only be less than 6 years old, but it’s the culmination of a life’s work,” said Hunt. “I had a few false starts along the way and it took a combination of data breaches, cloud and an independent career that allowed me the opportunity to make HIBP what it is today, but it’s finally what I’d always hoped I’d be able to do. Project Svalbard is the realisation of that dream and I’m enormously excited about the opportunities that will come as a result.”