2026-05-18 11:46:55

It's a hot topic, the old "pay or don't pay" for hackers not to leak your data. Since recording this a few days ago, we've had Grafana go with the "no pay" approach, and I've seen a raft of commentary around other companies reaching "agreements", which is a much politer way of saying "we paid extortionists a ransom". I'm concerned about the normalisation of ransom payments, and using language that deflects from the criminal nature of it is a big part of that. Instructure's exact words were that they "reached an agreement with the unauthorised actor involved", which really waters down the severity of the whole thing. It looks like, for the time being, "pay or leak" is the new norm... along with nonsensical statements like "the data was returned to us" 🤷‍♂️
2026-05-14 11:49:29

Today, we welcome the 44th government onboarded to Have I Been Pwned’s free gov service: The Bahamas. The National Computer Incident Response Team of The Bahamas, CIRT-BS, now has access to monitor government domains against the data in HIBP. As the national CIRT, CIRT-BS is responsible for coordinating and supporting cybersecurity-related matters across the country, and this access will help them prevent, identify, and mitigate incidents involving compromised credentials and data exposure affecting government entities and critical stakeholders.

This is precisely the sort of use case the HIBP government service was designed for: giving national cybersecurity teams the ability to identify exposure across their own digital ecosystem, respond quickly when government accounts appear in breaches, and reduce the risk posed by reused or compromised credentials before attackers can take advantage.

CIRT-BS joins a growing list of national cybersecurity teams using HIBP to help protect government departments, public resources, critical stakeholders, and the people who keep them running.
2026-05-12 06:27:32

Today, we welcome the 43rd government onboarded to Have I Been Pwned's free gov service, Bangladesh. The BGD e-GOV CIRT department now has full access to query all their government domains via API, and monitor them against future breaches.

Bangladesh joins a growing list of national governments using HIBP to help protect their public sector digital assets, and we look forward to supporting their efforts to identify exposure of government email addresses in data breaches and respond quickly when new incidents appear.
2026-05-11 08:24:17

Today, we welcome the 42nd government onboarded to Have I Been Pwned’s free gov service: Costa Rica.

The CSIRT of the Government of Costa Rica now has access to monitor government domains against the data in HIBP. This enables their national cybersecurity incident response team to identify exposure of government email addresses in data breaches, support prevention and analysis activities, and respond more quickly when new incidents appear.

Costa Rica’s CSIRT plays a national role in cybersecurity incident response, helping coordinate, analyse, and respond to threats affecting the government and the broader digital ecosystem. We’re very happy to support that mission by providing visibility into breached government accounts and helping them proactively reduce risk across public sector services.
2026-05-11 07:52:52

Well, it's the day before the Instructure "pay or leak" deadline (at least by my Aussie watch), and the company remains removed from the ShinyHunters website. In its place sits a press statement that amounts to "we're not making any statements". So did they pay? And if so, what lofty figure would an incident of this scale command? The lawsuits are already being prepared (search for "instructure class action lawsuit"), so perhaps that will be the catalyst for transparency. What a crazy time.
2026-05-06 08:14:13

It's a fascinating display of leverage: the ShinyHunters folks, with very limited resources and experience (their demographic will be teenagers to their early 20s), consistently gaining access to the data of massive brands. Not through technical ingenuity alone (although I'm sure there's a portion of that), but primarily through good ol' social engineering. That's coming through in the disclosure notices from the impacted companies, and Mandiant has a good write-up of it too:
These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes
Question now is how long their run will go for. There's a very predictable ending if things keep going in this direction but right now, they show little sign of abating.