2025-07-28 18:37:36
This will be the title of the blog post: "Court Injunctions are the Thoughts and Prayers of Data Breach Response". It's got a nice ring to it, and it resonates so much with the response to other disasters where the term is offered as a platitude that has absolutely no practical benefit at all. You know, like the Qantas injunction to prevent data from their breach being examined by other parties. So, whilst it means journos won't be poring over it (and we won't be loading it into HIBP), criminals will pay no attention to it whatsoever. More to come in the forthcoming blog post.
2025-07-22 17:58:19
I often wonder how much people in other professions genuinely love the industry they're in to the point that they'd do it regardless of the money. I'm sure there are examples, but I wonder how many lawyers look forward to doing something in the legal space on their weekend, or a shoe salesman wanting to, well, it's hard to imagine anything too exciting there. For me, it's stuff like this:
Rack upgrade day! Some new @Ubiquiti goodness to consolidate things, pics and details coming… pic.twitter.com/hRrFFUBKch
— Troy Hunt (@troyhunt) July 17, 2025
One of *the* coolest things we’ve 3D printed with our @Prusa3D is a hydroponics tower. That’s 3 weeks from the first 2 pics to the last, from tiny plants to eating out of our back yard 😮 pic.twitter.com/I5nZtkHFyS
— Troy Hunt (@troyhunt) May 14, 2024
And for the next bit of my IoT buildout - @home_assistant! pic.twitter.com/kEoQBEt7AW
— Troy Hunt (@troyhunt) May 29, 2020
That's "downtime" between coding - playing with the network, 3D printing random stuff and descending down the bottomless rabbit hole that is IoT. That's the fun stuff! To be fair, I also love watersports, playing tennis, fitness, cooking, travel and other "normal" stuff too, the point is that to me, technology was a passion before it was a career. It's been that way for most of my life:
This is me, 32 years ago, a 16 year old in 1992 trying to make some cash. Worked out good in the long run 😊 pic.twitter.com/xOfsrwdRCK
— Troy Hunt (@troyhunt) July 2, 2025
To the point of the blog post, this month marked the beginning of my 10th and 11th years as a Microsoft Regional Director (a biennial award), and the 15th year of being a Microsoft Most Valuable Professional. These are not titles people set out seeking, and most of my peers who have been awarded them are like me in that they simply did things they loved, shared them with the community, and were then recognised for their efforts. And that, to me, remains at the heart of these programs: doing what you love and sharing the journey. Thank you to everyone who has joined me along the way.
And suddenly, as I finish writing this, I recall all the times as a kid when my airline pilot father would spend his weekends building radio-controlled model planes. Maybe this is all a hereditary thing 😊
2025-07-21 16:24:46
If I'm honest, I was never that keen on a merch store for Have I Been Pwned. It doesn't make the code run faster, nor does it load any more data breaches or add any useful features to the service whatsoever. But... people were keen. They wanted swag they could wear or drink from or whatever, and it's actually pretty cool that there's excitement about HIBP as a brand. Plus, setting up a merch store is easy, right?
To cut to the chase, we set up a store on Teespring and they've been an absolute bloody disaster. Like, appalling bad to the point where we began to wonder if they're even legitimate, and I wish we had found a blog post like this before entrusting them with our brand. Initially, it was just dumb stuff like this:
FFS @teespringcom 🤦♂️ So far finding their support just appealing incompetent, this is regarding the @haveibeenpwned merch store, check out the canonical link: https://t.co/uHBeTlI1yU pic.twitter.com/nJBTGfCrqg
— Troy Hunt (@troyhunt) June 2, 2025
I mean, really dumb:
<link rel="canonical" href="https://0.0.0.0:3000" />So, everyone who visited the store and tried to share it via a mobile device was sending that address, and Teespring's response was that people should just manually copy and paste the URL! I stand by my reactions in that tweet - FFS 🤦♂️
Or on a similar note of technical incompetence, they were completely unable to add me to our store as an admin:
For those that come later and consider @teespringcom, don't even think about it! I've been trying to join the store @Charlotte_Hunt_ set up for us for 4 weeks ago now and the invite just gives a JSON response about failed CAPTCHA every time. Support is completely useless 😡 pic.twitter.com/d4EH6nC5O2
— Troy Hunt (@troyhunt) June 9, 2025
That support thread spanned from the 16th of May to the 12th of June and culminated in:
At this time, I still don’t have any updates from the Tech team. I understand this isn’t the resolution you were hoping for, and I sincerely apologize for the inconvenience and the delay.
And that's just the technical examples. The real pain came once we ordered merch, here's the timeline:
It's not just us either; not only have I not seen a single "hey, check out my cool HIBP merch" social post, I have received messages like this:
So, onto that dispute and believe it or not, this is the first time I've ever lodged a one. Turns out it's really simple, and I'd like to show everyone who made a purchase through the Teespring store just how easy it is. Firstly, I found the transaction on my Amex card:
That record had an option to submit a dispute which then allowed me to choose a reason:
A few little questions in between (dates, attempts to contact them, etc), and we're done:
And just like that, Teespring suddenly found the ability to reply to support queries again!
We noticed a dispute was recently submitted for your transaction related to order #[reacted], with the reason noted as PRODUCT_NOT_RECEIVED. We wanted to reach out directly to better understand the situation and see how we can assist.
That came through yesterday, the 20th of July. As I think I've done a pretty decent job of outlining the situation in this blog post, we'll be sending them a link to it and following through with the dispute. Raising a dispute with your card provider not only returns the funds to your account, but it also levies a fee on the merchant, which in this case, seems entirely deserved.
I sincerely apologise to the HIBP supporters who trusted us enough to go to the merch store and make a purchase. This experience seriously sucks and should never have happened. I'll update this post with any further feedback I get from Teespring or Amex.
Onto more positive things, and an opportunity did arise out of Teespring's incompetence:
Happy to help you switch to Fourthwall. Shoot me a DM and we’ll move everything over for you
— Will Baumann (@dubbaumann) June 3, 2025
Usually, I'd be reluctant to respond to someone jumping in on a thread and pitching their product, but hey, we were desperate! And it turns out that Fourthwall is pretty awesome because people there actually talk to you and get stuff done 🙄 I mean, properly done:
We’ve got @haveibeenpwned merch! Arrived a little while ago and finally got into it today, we’ll keep adding more stuff to the store based on demand: https://t.co/uHBeTlI1yU pic.twitter.com/dQW7dcM0Ey
— Troy Hunt (@troyhunt) July 21, 2025
We ordered it on 2 July and received part of the order in Australia on 7 July, and the other part on 18 July. That's 5 and 16 days (both of which exceeded their estimate of 21-24 July), whilst the Teespring order was lodged 63 days ago 🤷♂️
So, check out merch.haveibeenpwned.com and have confidence that you will actually get what you order. Please leave a comment below if there's anything else you'd like to see in the store, and don't forget to pick up some nice thongs for yourself some nice thongs!
2025-07-20 15:04:25
The Stripe situation is frustrating: by mandating an email address on all invoices, we're providing a channel that sends customer queries directly through to us rather than via our support portal, which already has the answers many people are raising tickets for. It's frustrating because it slows our customers down (they need to wait for us to respond), and it's also frustrating because we have to respond (and we're swamped as it is). I go into more detail in the video but at this stage, it looks like the only way out is to create a do_not_email@ alias, which people will inevitably email anyway, and then auto-respond to that with a link to the support portal. C'mon Stripe, fix this thing!
2025-07-17 04:54:38
One of the greatest fears we all have in the wake of a data breach is having our identity stolen. Nefarious parties gather our personal information exposed in the breach, approach financial institutions and then impersonate us to do stuff like this:
So I recently somewhat had my identity stolen, someone used my driver's license to open about 10 different bank accounts across 6 Banks.
This was the message I received from a friend of mine just last week, and he was in a real mess. The bad guys had gotten so far into his real-life identity that not only were there a bunch of bank accounts now in his name, he was even having trouble proving who he was. Which makes sense when you think about it: once someone has the data attributes you use to verify your identity, how does a bank know that you're the real you? Like I said, it was a real mess, and he only found out about it after a lot of damage had already been done.
Which brings me to identity protection and, more specifically, Aura. I've known the folks there for years, and they were a sponsor of this blog for half a dozen weeks back in 2023. Their remit is to protect people from precisely the sort of outcomes my friend above suffered. They pride themselves on responding to fraud events super fast, providing 24/7 US-based customer support (that alone makes a massive difference), and even providing $1M American dollars in identity theft insurance. The US emphasis there is because, like Truyu who we recently onboarded to help Aussies, Aura is a geo-specific service and in this case, is there to help our friends in the US. As such, if you're coming to HIBP from that part of the world you'll see them appear in your dashboard and on the breach-specific pages:
Aura is there right alongside 1Password; two different companies offering two of the most valuable services to help protect you both before and after a data breach. And if you "Try Aura" per the link above, you'll land on their dedicated Have I Been Pwned page which provides you with a tasty discount.
Aura is a perfect example of the partnerships we've sought out to help make a positive difference to data breach victims, so a big welcome and thank you for providing the service they do.
2025-07-13 10:32:08
This week's update is the last remote one for a while as we wind up more than a month of travel. I'm pushing this out just before we jump on the Qantas plane home... right after they've advised just how much of my data was impacted by their breach. That got me thinking in this week's video: what type of "third-party service" would expose those classes of data? My bet is on a party dealing with frequent flyers, perhaps a call centre or other processor responsible for managing their reward program. Hopefully, investigations will lead to transparency, and we'll find out, but I wouldn't be holding my breath on that timeline. For now, here are my thoughts:
