Have I Been Pwned has become a popular tool to find out whether or not you have been involved in a data breach, and after starting life as a one-man-band project, may soon be on the acquisition books.
The data breach search engine is the brainchild and life’s work of Troy Hunt, an acclaimed cybersecurity expert.
The HIBP website was launched in 2013 following a massive data breach at Adobe, which led to the exposure of over 150 million user records. It was designed to allow non-technical people to type in their email address and easily find out if their information was leaked or exposed in a security incident.
Given this information, users can then be made aware of any potential for identity theft, as well as make sure they are not using the same account credentials across multiple services.
Since this time, Have I Been Pwned has grown in popularity and has evolved from a single-use tool to also include a recent data breach notification system and domain monitoring.
According to a blog post published on Tuesday, the service is now able to check close to eight billion breached records, almost three million people are subscribed to notifications, seven million emails have been sent so far to notify users of a breach, 120,000 individuals are monitoring domains, and the website caters for roughly 150,000 visitors on a normal day — and up to ten million on an abnormal day, such as when a significant data breach has been publicly disclosed.
That is a lot for one operator to handle.
“To date, every line of code, every configuration and every breached record has been handled by me alone,” Hunt says. “There is no ‘HIBP team’, there’s one guy keeping the whole thing afloat.”
It is not just current time constraints that have become a problem. With everything from infosec companies to government organizations and individuals relying on data breach notifications from Have I Been Pwned, the security expert says he realized he had become “the single point of failure, and that need[ed] to change.”
In other words, Hunt says, it’s time for the service to “grow up.”
“It’s time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that’s able to do way more than what I ever could on my own,” Hunt added.
To achieve this goal, Hunt has had a few informal conversations with organizations that may be interested in acquiring the data breach search engine. This eventually led to a discussion with KPMG’s Mergers and Acquisition (M&A) arm.
After dubbing the acquisition scheme Project Svalbard — in deference to the seed repository in the Arctic — Hunt says he has a few stipulations in mind that potential purchasers should adhere to.
The first, unsurprisingly, is that consumers should be able to search for their data for free, and Hunt himself also intends to stay involved in HIBP. It is hoped that in the future, HIBP will reach a wider audience, more data breaches will be disclosed, and the organization will be able to assist in changing poor consumer security habits such as the re-use of passwords across multiple services.
Hunt says there is a “solid selection” of organizations that could be purchasers, and interested stakeholders have already been contacted over HIBP’s future. KPMG will be holding his hand throughout the process, which is currently at a stage where “really productive discussions” are in play.
“HIBP may only be less than six years old, but it’s the culmination of a life’s work,” Hunt says. “I had a few false starts along the way and it took a combination of data breaches, cloud and an independent career that allowed me the opportunity to make HIBP what it is today, but it’s finally what I’d always hoped I’d be able to do. Project Svalbard is the realization of that dream and I’m enormously excited about the opportunities that will come as a result.”