
Weekly Update 447

12 April 2025 at 00:44

I'm home! Well, for a day, then it's off to the other side of the country (which I just flew over last night on the way back from Dublin 🤦‍♂️) for an event at the Microsoft Accelerator in Perth on Monday. Such is the path we've taken, but it does provide some awesome opportunities to meet up with folks around the world and see some really interesting stuff. Come by if you're over that way or if you're on the east coast of Aus, I'll be at NDC Melbourne only a couple of weeks later. And somewhere in the midst of all that, we'll get this HIBP UX rebuild finished...

References

  1. Sponsored by: Malwarebytes Browser Guard blocks phishing, ads, scams, and trackers for safer, faster browsing
  2. I'm speaking at the Microsoft Student Accelerator in Perth on Monday (it's free, and you don't need to be a student 🙂)
  3. We're going to incorporate some more partners into HIBP where they can offer useful services to data breach victims (the thinking is that they'll appear on the dedicated breach page where they can offer something useful as it relates to that specific incident)
  4. The HIBP UX rebuild repo is tracking everything we're doing (chime in on the discussions or submit any issues you find)

Weekly Update 446

5 April 2025 at 09:50

After an unusually long day of travelling from Iceland, we've finally made it to the land of Guinness, Leprechauns, and a tax haven for tech companies. This week, there are a few more lessons from the successful phish against me the previous week, and in happier news, there is some really solid progress on the HIBP UX rebuild. We spent a bunch of time with Stefan and Ingiber (the guy rebuilding the front end) whilst in Reykjavik and now have a very clear plan mapped out to get this finished in the next 6 weeks. More on that in this week's update, enjoy!

References

  1. Sponsored by: Malwarebytes Browser Guard blocks phishing, ads, scams, and trackers for safer, faster browsing
  2. Silent Push has done some great analysis on the source of my phish (they've linked it to similar attacks against SendGrid and Mailgun accounts, among others)
  3. Every outstanding HIBP UX rebuild task is now on public display (we're targeting 17 May to complete all this and roll out the new site)

Weekly Update 445

30 March 2025 at 11:48

Well, this certainly isn't what I expected to be talking about this week! But I think the fact it was someone most people didn't expect to be on the receiving end of an attack like this makes it all the more consumable. I saw a lot of "if it can happen to Troy, it can happen to anyone" sort of commentary and whilst it feels a bit obnoxious for me to be saying it that way, I appreciate the sentiment and the awareness it drives. It sucked, but I'm going to make damn sure we get a lot of mileage out of this incident as an industry. I've no doubt whatsoever this is a net-positive event that will do way more good than harm. On that note, stay tuned for the promised "Passkeys for Normal People" blog post, I hope to be talking about that in next week's video (travel schedule permitting). For now, here's the full rundown of how I got phished:

References

  1. Sponsored by: Malwarebytes Browser Guard blocks phishing, ads, scams, and trackers for safer, faster browsing
  2. I obviously didn't like being on the receiving end of this, but I reckon 34 minutes from pwned to public disclosure is a new record 😊 (this is what I'm going to be driving organisations towards in many future data breach cases)
  3. Despite me falling for something I should have spotted, the public response and press have been outstandingly positive (that's a piece from this week's sponsor, I felt their writeup summed things up nicely)

Weekly Update 444

21 March 2025 at 00:37

It's time to fly! 🇬🇧 🇮🇸 🇮🇪 That's two new flags (or if you're on Windows and can't see flag emojis, that's two new ISO codes) I'll be adding to my "places I've been list" as we start the journey by jetting out to London right after I publish this blog. If you're in the area, I'll be speaking at Oxford University on Wednesday at 17:00 and that's a free and open event. And since recording this morning, we have managed to confirm that I will be speaking at a community event in Reykjavik the following Monday morning, and you'll see a link on my 2025 events page as soon as they make one available. No public events planned for Ireland yet, but if you're in Dublin and would like to run something the week after I'm in Iceland, get in touch. Just to round out a big schedule, I'll be back in Aus speaking in Perth at Microsoft's Student Accelerator on 14 April and then it's off to NDC Melbourne shortly after that for a talk on the 30th. Then rest 🙂

References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. Cloudflare has found almost half of the passwords people use on their customers' sites are compromised (but somehow, that's not the story that got many people's attention)
  3. Cloudflare's stats were gathered via their leaked credential detection service (one of the sources they use for this is Have I Been Pwned's Pwned Passwords)
  4. And no, a password alone is not personally identifiable information (yes, that's an AI-generated response because, no, you can't find any reference whatsoever to a password being PII in any formal gov docs)
  5. The Lexipol breach went into HIBP (apparently it was carried out by "Puppygirl Hacker Polycule", who'd have thunk it?!)
  6. SpyX also went in (Zack reckons this is the 25th spyware service to be breached since 2017)
  7. We're smashing out front end work for the HIBP UX rebuild (go and check out that repo, submit issues and join in on the discussion, we'd love your input)

Weekly Update 443

15 March 2025 at 19:20

What an awesome response to the new brand! I'm so, so happy with all the feedback, and I've gotta be honest, I was nervous about how it would be received. The only negative theme that came through at all was our use of Sticker Mule, which apparently is akin to being a Tesla owner. Political controversy aside, this has been an extremely well-received launch and I've also loved seeing the issues raised on the open source repo for the front end and Ingiber's (near instant!) addressing of each and every one of them. Please keep that feedback coming, and I'll talk more about some of the changes we've made as a result in the next weekly update.

References

  1. Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
  2. We've open sourced the repo with the front end dev work (please feel free to raise issues, chime in on the discussion and submit PRs)
  3. Every commit we make to the above repo is pushed out to a static site at preview.haveibeenpwned.com (remember - it's static - this is front end stuff only)
  4. We're pushing to the preview site using Cloudflare Pages (this is such a cool, easy way of deploying code)
  5. We've made the stickers available via a Sticker Mule store (there's no markup on these, just get 'em at cost)
  6. We've also put the stickers, 3D models and other visual assets in the open source branding repo (especially handy if you want to get stickers made at a place that aligns to your political preference 😝)

Weekly Update 442

8 March 2025 at 02:00

We survived the cyclone! That was a seriously weird week with lots of build-up to an event that last occurred before I was born. It'd been 50 years since a cyclone came this far south, and the media was full of alarming predictions of destruction. In the end, we maxed out at 52kts just after I recorded this video:

It’s here. But 47kts max gusts isn’t too bad, nothing actually blowing over here (yet). pic.twitter.com/qFyrZdiyRW

— Troy Hunt (@troyhunt) March 7, 2025

We remained completely untouched and unaffected beyond needing to sweep up some leaves once the rain (which has also been unremarkable) finally stops. It appears the worst damage has been a lot of homes without power and perhaps most obviously, the beaches have done a complete vanishing act with all the sand:

What our favourite beach is like today, versus before. They’ll rebuild it, this isn’t unprecedented, but yeah, there’s some work to be done now. pic.twitter.com/6zFMG7bZqK

— Troy Hunt (@troyhunt) March 8, 2025

But hey, everyone is fine (not just us, the whole city AFAIK), so that's a good outcome. Back on topic, here's this week's video:

References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. We're filling in the gaps of the stealer logs that have come before, and doing our best to clean everything up a bit while we're there (but we're never going to have totally "clean" data: GIGO)
  3. Someone tried to phish a PayPal OTP from me and instead faced some great trolling by Elle (so proud 🥲)
  4. Someone also tried to phish my X credentials from me (that one really took some thinking to emphatically put it in the "phish" box)

Weekly Update 441

27 February 2025 at 22:37

Processing data breaches (especially big ones) can be extremely laborious. And, of course, everyone commenting on them is an expert, so there's a heap of opinions out there. And so it was with the latest stealer logs, a corpus of data that took the better part of a month to process. And then I made things confusing in various ways which led to both Disqus comment and ticket hell. But hey, it's finally out and now it's back to normal breach processing for the foreseeable future 🙂

References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. I trawled through 23 billion stealer logs to get 284M breached email addresses into HIBP (and learned that explaining this concept clearly is hard!)
  3. Apple is pulling support for their Advanced Data Protection E2E offering (but will the status quo change before they force existing users to disable it?)
  4. Spyware / stalkerware apps Cocospy and Spyic leaked their data for all to see (and since that recording, Spyzie has also been added to the list)
  5. The Zimi Senoa IoT switches are beautiful... (...but I think that Bluetooth mesh via a proprietary hub is going to be a show-stopper)

Weekly Update 440

25 February 2025 at 02:17

Wait - it's Tuesday already?! When you listen to this week's (ok, last week's) video, you'll probably get the sense I was a bit overloaded. Yeah, so that didn't stop, and the stealer log processing and new feature building just absolutely swamped me. Plus, I spent from then until now in Sydney at various meetings and events which was great, but didn't do a lot for my productivity. Be that as it may, we're now less than 12 hours off launching this all so, in the interests of not having me stay up all night putting the finishing touches on it, let me drop here and come back in a few days to talk about how it's all been received 🤞

References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite

Weekly Update 439

16 February 2025 at 00:10

We're now eyeball-deep into the HIBP rebrand and UX work, totally overhauling the image of the service as we know it. That said, a guiding principle has been to ensure the new look is immediately recognisable and, over months of work, I think we've achieved that. I'm holding off sharing anything until we're far enough down the road that we're confident in the direction we're heading, and then I want to invite the masses to contribute as we head towards a (re)launch.

Whilst I didn't talk about it in this week's video, let me just recap on why we're doing this: the decisions made for a pet project nearly 12 years ago now are very different to the decisions made for a mainstream service with so many dependencies on it today. We're at a point where we need more professionalism and cohesion and that's across everything from the website design and content, the branding on our formal documentation, the stickers I hand out all over the place, the swag we want to make and even the signatures on our emails. Our task is to keep the heart and soul of a humble community-first project whilst simultaneously making sure it actually looks like we know what we're doing 🙂

References

  1. Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
  2. Authorised access by DOGE employees is not a data breach (no, not even if you really, really, really don't like Donald and Elon)
  3. The HIBP rebrand is now a long way through, and we'd love to hear your ideas (it's not just the look and feel, I want to get a lot more functionality in there)
  4. The latest Zacks breach went into HIBP (that's right, this isn't their first rodeo)
  5. Apparently, our discussion about possibly banning resellers is newsworthy (and this isn't a done deal yet, we are also looking at the feasibility of automating away the pain)

Weekly Update 437

1 February 2025 at 23:15

It's IoT time! We're embarking on a very major home project (more detail of which is in the video), and some pretty big decisions need to be made about a very simple device: the light switch. I love having just about every light in our home connected... when it works. The house has just the right light early each morning, it transitions into daytime mode right at the perfect time based on the amount of solar radiation in the sky, into evening time courtesy of the same device and then blacks out when we go to bed. And some lights come on with movement based on motion sensors in fans (Big Ass fans have occupancy sensors), cameras (Ubiquiti cameras raise motion events), and tiny dedicated Zigbee sensors. But getting the right physical switches in combination with the right IoT relays has been a bit more challenging. Listen to this week's show and let me know if you have any "bright" ideas 🙂

References

  1. Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
  2. Light switches, IoT relays and other complex discussions about simple circuits (it's such a critical component of the house, especially when you replicate the model >100 times over)
  3. Apparently, the YubiKey phish wasn't a phish (seriously folks, if I can't tell when comms is legit or not, how are the normies expected to get it right?!)
  4. The ABC's analysis of 4-digit PINs in HIBP is really well done! (although I did spend way too much time explaining to other journalists how there are only 10,000 possible values 🤔)
  5. The HIBP Grafana dashboard is looking epic! (although I may be blowing way more time on it than anyone could reasonably justify...)

Weekly Update 436

24 January 2025 at 22:42

We're heading back to London! And making a trip to Reykjavik. And Dublin. I talked about us considering this in the video yesterday, and just before publishing this post, we pulled the trigger and booked the tickets. The plan is to pretty much repeat the US and Canada trip we did in September and spend the time meeting up with some of the law enforcement agencies and various other organisations we've been working with over the years. As I say in the video, if you're in one of these locations and are in a position to stand up a meetup or user group session, I'd love to hear from you. Europe is a hell of a long way to go so we do want to make the most of the travel, stand by for more plans as they emerge.

References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. The HIBP "Wall of Graphs" looks awesome! (I'll blog it up, but there's more to be done first)
  3. Spamming ~500 companies attempting to look for bug bounties is muppet behaviour (all whilst putting them on CC too 🤦‍♂️)
  4. Despite a couple of dissenting voices re the muppet characterisation, 84.5% of people agreed with my description (or in other words, 15.5% of people were completely wrong)

Weekly Update 435

20 January 2025 at 20:14

If I'm honest, I was in two minds about adding additional stealer logs to HIBP. Even with the new feature to include the domains an email address appears against in the logs, my concern was that I'd get a barrage of "that's useless information" messages like I normally do when I load stealer logs! Instead, the feedback was resoundingly positive. This week I'm talking more about the logic behind this, some of the challenges we faced with it and what we might see in the future. Stay tuned, because I think we're going to be seeing a lot more of this in HIBP.

References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. For the first time ever, we added a heap of additional info about stealer logs to HIBP (ok, it's just the domains an address appears against, but that turns out to have been really useful)
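The "domains an email address appears against" idea from the update above, as an added example rather than HIBP's own code. It assumes (the page does not document the format) that each stealer-log record is a single `url:username:password` line, and it runs over a handful of constructed sample lines. The awkward part is that both the URL (scheme, port) and the password can contain colons, so the record is split on the first field that looks like an email address rather than at a fixed position; the password is walked past and never kept, and lines that don't parse are dropped rather than loaded (the GIGO point from update 442).

```python
"""Per-address website domains extracted from stealer-log style records.

Added example; illustrative code, not HIBP's implementation. Assumed record
format (an assumption, not from the page): one line of url:username:password.
"""
import re
from urllib.parse import urlsplit

# Pragmatic email pattern. It deliberately rejects '/', '=' and similar
# characters that appear in URL userinfo (e.g. android://token==@pkg/), so a
# userinfo field is not mistaken for the credential's username.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample records (not real data). The last two lines are
# deliberately malformed to show that garbage is dropped, not loaded.
SAMPLE_LOG = """\
https://www.example.com/login:alice@example.org:hunter2
https://shop.example.net:8443/account:Alice@Example.org:p@ss:word
android://abc123==@com.example.app/:bob@example.org:secret
login.example.com/auth:carol@example.org:letmein
https://forum.example.com/ucp.php?mode=login:alice@example.org:hunter2
https://example.com/:notanemail:pw
garbage line without structure
"""


def parse_record(line):
    """Return (email, domain) for one log line, or None if it is unusable."""
    fields = line.strip().split(":")
    # A usable record is url:email:password, so the email is never the
    # first or the last colon-delimited field.
    for i in range(1, len(fields) - 1):
        candidate = fields[i].strip()
        if not EMAIL_RE.match(candidate):
            continue
        url = ":".join(fields[:i])
        # fields[i + 1:] is the password (possibly containing ':'); it is
        # intentionally never stored.
        if "://" not in url:
            url = "http://" + url  # urlsplit only yields a host with a scheme
        try:
            host = urlsplit(url).hostname  # already lowercased by urlsplit
        except ValueError:
            return None  # e.g. unbalanced IPv6 brackets in the netloc
        if not host:
            return None
        host = host.rstrip(".")
        if host.startswith("www."):
            host = host[4:]
        return candidate.lower(), host
    return None


def domains_by_email(lines):
    """Map each email address to the sorted, de-duplicated domains it appears against."""
    found = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        email, host = rec
        found.setdefault(email, set()).add(host)
    return {email: sorted(hosts) for email, hosts in found.items()}


if __name__ == "__main__":
    for email, hosts in sorted(domains_by_email(SAMPLE_LOG.splitlines()).items()):
        print(email, hosts)
```

Running it over the sample gives three addresses, with the two `alice@example.org` entries for different hosts collapsed into one sorted list and the `www.` prefix stripped so that `www.example.com` and `example.com` count as the same site. Whether to collapse subdomains further (`forum.example.com` into `example.com`) is a product decision the page doesn't make, so the code keeps them distinct.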

Weekly Update 433

5 January 2025 at 23:20

It sounds easy - "just verify people's age before they access the service" - but whether we're talking about porn in the US or Australia's incoming social media laws, the reality is way more complex than that. There's no unified approach across jurisdictions and even within a single country like Australia, the closest we've got to that is a government scheme usually intended for accessing public services. And even if there was a technically workable model, who wants to get either the gov or some big tech firm involved in their use of Instagram or Pornhub?! There's a social acceptance to be considered and not only that, circumvention of age controls is very easy when you can simply VPN into another jurisdiction and access the same website blocked in your locale. Or in the case of the adult material, I'm told (🤷‍♂️) there are many other legally operating websites in other parts of the world that are less inclined to block individuals in specific states from foreign countries. There'll be no easy solutions for this one, but it'll make for an entertaining year 😊

References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. My trusty Synology DS1512+ finally died after 12 years of faithful service (since recording this video, the new DS923+ arrived and migration was super smooth)
  3. Pornhub addressed the age verification mandate from a bunch of US states by simply... blocking them (I wonder if there's a way around that...)
  4. Proton VPN has seen a "massive surge" in VPN signups from the US (...there we go 🙂)
  5. The EFF reckons there is no effective age verification method (they also downplay the negative impacts of social media on kids, which I disagree with)
  6. The Glamira data breach made it into HIBP (link through to a Reddit thread where the company acknowledged the breach last year, no word on whether they disclosed to impacted individuals)

Weekly Update 432

30 December 2024 at 15:52

There's a certain irony to the Bluesky situation where people are pushing back when I include links to X. Now, where have we seen this sort of behaviour before? 🤔 When I'm relying on content that only appears on that platform to add context to a data breach in HIBP and that content is freely accessible from within the native Bluesky app (without needing an X account), we're out of reasonable excuses for the negativity. And if "because Elon" is the sole reason and someone is firm enough in their convictions on that, there's a very easy solution 🙂

References

  1. Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
  2. We're rebuilding the front-end of Have I Been Pwned (there's a lot of opinions on that thread!)
  3. People on Bluesky are complaining about posting links to content that only exists on X (not exactly the right way to encourage use of other platforms)

Weekly Update 431

25 December 2024 at 03:02

I fell waaay behind the normal video cadence this week, and I couldn't care less 😊 I mean c'mon, would you rather be working or sitting here looking at this view after snowboarding through Christmas?!

Christmas Day awesomeness in Norway 🇳🇴 Have a great one friends, wherever you are 🧑‍🎄 pic.twitter.com/F2FtcJYzRC

— Troy Hunt (@troyhunt) December 25, 2024

That said, Scott and I did carve out some time to chat about the, uh, "colourful" feedback he's had after finally putting a price on some Report URI features he'd been giving away free for years. And there's more data breaches, of course, including a couple I loaded over the previous week that I think were particularly interesting. Enjoy this week's video, next week's will be a 2024 wrap-up from somewhere much, much sunnier 😎

References

  1. Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
  2. After many years, Scott put a price on the free tier of Report URI (and some of the feedback he got 😲)
  3. I couldn't raise Young Living Essential Oils about their data breach (and their data is spread all over a popular clear web hacking forum too)
  4. The "French Citizens" data breach had millions of French people in it... (...and a lot of other people too)

Weekly Update 430

15 December 2024 at 05:38

I'm back in Oslo! Writing this the day after recording, it feels like I couldn't be further from Dubai; the temperature starts with a minus, it's snowing and there's not a supercar in sight.

Back on business, this week I'm talking about the challenge of loading breaches and managing costs. A breach load immediately takes us from a very high percentage cache hit ratio on Cloudflare to zero. Consequently, our SQL costs skyrocket as the DB scales to support the load. Approximately 28 hours after loading the two breaches I mention in this week's update, we're still running a DB scale that's 350% larger than once we have a high cache hit ratio, and that directly hits my wallet. We need to work on this more because as I say in the video, I really don't like financial incentives that influence how breaches are handled, such as delaying them and bulking them together to reduce the impact of cache flush events like this. We'll give that more thought, I think there are a few ways to tackle this. For now, here's this week's video and some of the challenges we're facing:

References

  1. Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
  2. Some people really don't like supercars (although I suspect it's more about not liking to see either the enjoyment others take in them or the success they may have achieved)
  3. Being online means having constant attacks against your online things (but failed login attempts against my son's and my Microsoft accounts are just that - failed attempts)
  4. The German electricity provider Tibber had 50k records breached (a little one, but newsworthy enough to have hit the media)
  5. And the first-ever Senegalese data breach went into HIBP courtesy of Yonéma (not exactly a high cross-over with our usual subscribers, but a breach is still a breach)