For Sale: Have I Been Pwned

By Jennings Brown on at

Security researcher Troy Hunt revealed today that he is planning to sell his data breach service Have I Been Pwned (HIPB).

Since Hunt created HIPB in 2013, the platform has served a significant role in informing the public of several of the largest data breaches in recent history, by both breaking news about the hacks and allowing people to enter their email addresses to see if they were affected.

In a blog post, Hunt explained the reasons for his decisions and hopes for the future of the platform.

“It’s time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that’s able to do way more than what I ever could on my own,” Hunt wrote.

The blog states that HIBP now has almost 3 million subscribers for notifications, and the platform can now check about eight billion breached records. According to Hunt the site usually gets around 150,000 unique visits on a typical day, and 10 million unique visits on an “abnormal day.”

Troy wrote that traffic spiked in January when he broke the news of the behemoth “Collection #1” breach that exposed 773 million emails and 21 million passwords. Since then, the site has continued to grow and Hunt has come to the realisation he “was getting very close to burn-out.”

Now he’s ready to hand much of the workload off. Hunt said he is laying the groundwork for acquisition and has had some early talks with organisations who may be interested in acquiring HIBP.

Two blog commenters asked Hunt if Mozilla was a possible contender. “Being a party that’s already dependent on HIBP, I reached out to them in advance of this blog post and have spoken with them,” Hunt responded in the comments. “I can’t go into more detail than that just now, but certainly their use of the service is enormously important to me.”

Hunt insists that whatever happens to HIBP it will continue to allow consumers to search it for free, and Hunt will remain involved. He hopes to grow the platform so that it can help services better protect their customers, and so it can provide more disclosures. “There’s a whole heap of organisations out there that don’t know they’ve been breached simply because I haven’t had the bandwidth to deal with it all,” Hunt writes.

Hunt told Gizmodo that since he posted the blog a few organisations have reached out to him asking to be apart of the merger and acquisition process. “It’s heartening to see how much interest is out there firstly in terms of support for HIBP, but secondly because it’s going to give me the best possible selection of organisations to choose from,” Hunt told Gizmodo.

The security researcher has been preparing for this ever since the “Collection #1” breach in January. “I’ve been agonising over the right way to do this all year and indeed I’ve been drafting today’s blog post for most of that time,” Hunt told Gizmodo. “I’m so enormously happy with the feedback today and the ‘liked’ tweets on my profile perfectly illustrate the community sentiment. People understand the need for HIBP to grow into a more sustainable model and they see the potential in doing so.”

Hunt told Gizmodo he feels “massive relief” after posting the announcement blog. “Tonight though, I think I’ve earned myself a cold beer or two!” Hunt said.

Featured image: Screenshot: Have I Been Pwned