Security researcher Troy Hunt revealed on Tuesday that he is planning to sell his data breach service Have I Been Pwned (HIPB).
Since Hunt created HIPB in 2013, the platform has served a significant roll in informing the public of several of the largest data breaches in recent history, by both breaking news about the hacks and allowing people to enter their email addresses to see if they were affected.
— Have I Been Pwned (@haveibeenpwned) December 4, 2013
In a blog post, Hunt explained the reasons for his decisions and hopes for the future of the platform.
“It’s time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that’s able to do way more than what I ever could on my own,” Hunt wrote.
The blog states that HIBP now has almost 3 million subscribers for notifications, and the platform can now check about eight billion breached records. According to Hunt the site usually gets around 150,000 unique visits on a typical day, and 10 million unique visits on an “abnormal day.”
Troy wrote that traffic spiked in January when he broke the news of the behemoth “Collection #1” breach that exposed 773 million emails and 21 million passwords. Since then, the site has continued to grow and Hunt has come to the realisation he “was getting very close to burn-out.”
Now he’s ready to hand much of the workload off. Hunt said he is laying the groundwork for acquisition and has had some early talks with organisations who may be interested in acquiring HIBP.
Two blog commenters asked Hunt if Mozilla was a possible contender. “Being a party that’s already dependent on HIBP, I reached out to them in advance of this blog post and have spoken with them,” Hunt responded in the comments. “I can’t go into more detail than that just now, but certainly their use of the service is enormously important to me.”
Hunt insists that whatever happens to HIBP it will continue to allow consumers to search it for free, and Hunt will remain involved. He hopes to grow the platform so that it can help services better protect their customers, and so it can provide more disclosures. “There’s a whole heap of organisations out there that don’t know they’ve been breached simply because I haven’t had the bandwidth to deal with it all,” Hunt writes.
Hunt told Gizmodo that since he posted the blog a few organisations have reached out to him asking to be apart of the merger and acquisition process. “It’s heartening to see how much interest is out there firstly in terms of support for HIBP, but secondly because it’s going to give me the best possible selection of organisations to choose from,” Hunt told Gizmodo.
It's time for @haveibeenpwned to grow up and go beyond what I can do as one person. This has taken a lot of thought over the course of this year; here's the factors driving it, the path forward and what it means for the future. Here's Project Svalbard: https://t.co/ZeRtzfCTA2
— Troy Hunt (@troyhunt) June 11, 2019
The security researcher has been preparing for this ever since the “Collection #1” breach in January. “I’ve been agonizing over the right way to do this all year and indeed I’ve been drafting today’s blog post for most of that time,” Hunt told Gizmodo. “I’m so enormously happy with the feedback today and the ‘liked’ tweets on my profile perfectly illustrate the community sentiment. People understand the need for HIBP to grow into a more sustainable model and they see the potential in doing so.”
Hunt told Gizmodo he feels “massive relief” after posting the announcement blog. “Tonight though, I think I’ve earned myself a cold beer or two!” Hunt said.