If there’s a breach in the news and you’re worried about leaked credentials, who ya gonna call? Have I Been Pwned creator Troy Hunt, most likely.
For the past 11 years, Hunt, an Australian security researcher, has dedicated his time to running one of the most well-known online data breach notification services on the internet. While some may think that Hunt—who has logged over 845 breaches and upward of 14.5 billion “pwned” accounts on his website—may be desensitized to the breaches occurring these days, he told IT Brew that that is not often the case.
“It’s always a little bit exciting because it’s like a bit of a puzzle,” Hunt said.
IT Brew caught up with Hunt to discuss what it’s like running the 11-year-old breach website.
The conversation below has been edited for length and clarity.
What does the vetting process look like when you are trying to decide which data makes it onto the website?
There’s a combination of things. First of all, every data breach that comes to me, I’ve got to verify it and make sure it’s legitimate. Take a look at the 10 most recent breaches that are here on the website at the moment. Each one of those, I’ve had to go through and establish with sufficient confidence that this is actually a breach of that service. And then, in many cases, I’ve had to try and get in touch with the organization to disclose it. That’s the continual process I go through: spending time either trying to get in touch with an organization or very often, trying to encourage an organization to disclose because many of them just want to suppress and cover it up and that happens all the time.
What’s interesting to me is it seems like this is such a big resource that you’re working on that one would assume would be operated by the government. Instead, it is run by a regular guy that wants to alert people when their data is compromised. Does that ever strike you as strange?
It is weird. The funny thing is often people say, “Oh, this has become so important. It should be the government who runs it.” And I go, “Okay, which one? Which government?” This is not the sort of thing that governments are equipped to do or tasked to do. I think we’ve sort of found this nice symbiotic relationship where there’s a lot of things that we can do that support governments and their objectives. I think there’s a total of 37 different governments that publicly talk about using the service to do things like monitor their government domains. There’s many from around the world that feed data in and many others that we assist in different ways. We sort of found this really good relationship with governments and actively make an effort to spend time with them.
Are there any misconceptions people have about you or your website?
I think one of them is that we’re logging all the searches. Every now and then, I see someone pop up on social media saying, “I wouldn’t trust that site. I wouldn’t put my email address in there.” Well, you put it in Adobe, didn’t you? And LinkedIn and Dropbox, and how did that work out for you? Yeah, I think that’s kind of funny. Likewise, when people say, “My email address is sensitive private personal information.” No, it’s not. The only way it works is you give it to other people…So, I think maybe they need to sort of readjust their view of how email addresses work.