
Rss preview of Blog of Troy Hunt

Weekly Update 462

2025-07-28 18:37:36


This will be the title of the blog post: "Court Injunctions are the Thoughts and Prayers of Data Breach Response". It's got a nice ring to it, and it resonates so much with the response to other disasters where the term is offered as a platitude that has absolutely no practical benefit at all. You know, like the Qantas injunction to prevent data from their breach being examined by other parties. So, whilst it means journos won't be poring over it (and we won't be loading it into HIBP), criminals will pay no attention to it whatsoever. More to come in the forthcoming blog post.


References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. Qantas was granted an injunction in the wake of their data breach... (which has absolutely no effect whatsoever on criminals who want to do crime with the data)
  3. Using Teespring for our merch store has been an absolutely woeful experience (but using Fourthwall has been great!)
  4. I'm in the Microsoft MVP and RD fold for another one and two years (still a Regional Director with no region and no directing, but it's a cool program all the same 🙂)
  5. The Creams Cafe breach went into HIBP (we tried a lot of different channels to get in touch with them in advance, but alas...)

11 Years of Microsoft Regional Director and 15 Years of MVP

2025-07-22 17:58:19


I often wonder how much people in other professions genuinely love the industry they're in to the point that they'd do it regardless of the money. I'm sure there are examples, but I wonder how many lawyers look forward to doing something in the legal space on their weekend, or a shoe salesman wanting to, well, it's hard to imagine anything too exciting there. For me, it's stuff like this:

That's "downtime" between coding - playing with the network, 3D printing random stuff and descending down the bottomless rabbit hole that is IoT. That's the fun stuff! To be fair, I also love watersports, playing tennis, fitness, cooking, travel and other "normal" stuff too, the point is that to me, technology was a passion before it was a career. It's been that way for most of my life:

To the point of the blog post, this month marked the beginning of my 10th and 11th years as a Microsoft Regional Director (a biennial award), and the 15th year of being a Microsoft Most Valuable Professional. These are not titles people set out seeking, and most of my peers who have been awarded them are like me in that they simply did things they loved, shared them with the community, and were then recognised for their efforts. And that, to me, remains at the heart of these programs: doing what you love and sharing the journey. Thank you to everyone who has joined me along the way.

And suddenly, as I finish writing this, I recall all the times as a kid when my airline pilot father would spend his weekends building radio-controlled model planes. Maybe this is all a hereditary thing 😊

Good Riddance Teespring, Hello Fourthwall

2025-07-21 16:24:46


If I'm honest, I was never that keen on a merch store for Have I Been Pwned. It doesn't make the code run faster, nor does it load any more data breaches or add any useful features to the service whatsoever. But... people were keen. They wanted swag they could wear or drink from or whatever, and it's actually pretty cool that there's excitement about HIBP as a brand. Plus, setting up a merch store is easy, right?

To cut to the chase, we set up a store on Teespring and they've been an absolute bloody disaster. Like, appallingly bad to the point where we began to wonder if they're even legitimate, and I wish we had found a blog post like this before entrusting them with our brand. Initially, it was just dumb stuff like this:

I mean, really dumb:

<link rel="canonical" href="https://0.0.0.0:3000" />

So, everyone who visited the store and tried to share it via a mobile device was sending that address, and Teespring's response was that people should just manually copy and paste the URL! I stand by my reactions in that tweet - FFS 🤦‍♂️
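A pre-release check for exactly this class of mistake, added here as an example rather than anything from the post or from Teespring: it parses a page for the canonical and Open Graph URLs and flags any that point at an unroutable address, a local-only name, a non-https scheme or a dev port. The sample HTML is constructed around the tag above, and merch.haveibeenpwned.com is assumed as the expected production host.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a store page whose canonical tag leaked a dev address
# (the exact tag quoted in the post) while the Open Graph URL is correct.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="https://0.0.0.0:3000" />
<meta property="og:url" content="https://merch.haveibeenpwned.com/" />
</head><body></body></html>"""

class _ShareUrlCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []  # (tag description, url) pairs copied by share sheets and crawlers

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and a.get("rel", "").lower() == "canonical" and a.get("href"):
            self.urls.append(("link rel=canonical", a["href"]))
        elif tag == "meta" and a.get("property") == "og:url" and a.get("content"):
            self.urls.append(("meta og:url", a["content"]))

def url_problems(url, expected_host):
    """Return the reasons this share URL must not ship; [] means it is fine."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    problems = []
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if not host:
        return problems + ["no host"]
    try:  # IP literal: anything not publicly routable is a dev/test address
        ip = ipaddress.ip_address(host)
        if ip.is_unspecified or ip.is_loopback or ip.is_private or ip.is_link_local:
            problems.append(f"host {host} is not publicly routable")
    except ValueError:  # hostname: reject local-only names
        if host == "localhost" or host.endswith((".local", ".internal")):
            problems.append(f"host {host} is a local-only name")
    if host != expected_host:
        problems.append(f"host {host} is not {expected_host}")
    if parts.port not in (None, 443):
        problems.append(f"non-standard port {parts.port}")
    return problems

def audit_share_urls(html, expected_host):
    """Map each offending share URL found in html to its list of problems."""
    collector = _ShareUrlCollector()
    collector.feed(html)
    found = {f"{d}: {u}": url_problems(u, expected_host) for d, u in collector.urls}
    return {k: v for k, v in found.items() if v}
```

Run it against the rendered production HTML in CI and fail the deploy if the report is non-empty.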

Or on a similar note of technical incompetence, they were completely unable to add me to our store as an admin:

That support thread spanned from the 16th of May to the 12th of June and culminated in:

At this time, I still don’t have any updates from the Tech team. I understand this isn’t the resolution you were hoping for, and I sincerely apologize for the inconvenience and the delay.

And that's just the technical examples. The real pain came once we ordered merch; here's the timeline:

  1. 19 May: Order placed with a 3 Jun to 11 Jun delivery timeframe
  2. 20 May: We're advised that the order is "in production" (the status has not changed at the time of writing)
  3. 29 Jun: We lodged a complaint: "We have a bunch of fans complaining they are not getting their orders."
  4. 1 Jul: We receive a platitude response citing "unexpectedly high volume of orders"
  5. 8 Jul: Teespring advises they "recently lost one of our key print partners" and we reply the same day, cancelling the order. Their auto-reply states that "We'll get back within the next 24 business hours".
  6. 11 Jul: 3 days passed with no response, so we gave them a 24-hour deadline before lodging a dispute with the card provider, to which we received another automated response: "We'll get back within the next 24 business hours"
  7. 17 Jul: Still no feedback, so we lodge a dispute with Amex

It's not just us either; not only have I not seen a single "hey, check out my cool HIBP merch" social post, I have received messages like this:


So, onto that dispute and believe it or not, this is the first time I've ever lodged one. Turns out it's really simple, and I'd like to show everyone who made a purchase through the Teespring store just how easy it is. Firstly, I found the transaction on my Amex card:


That record had an option to submit a dispute which then allowed me to choose a reason:


A few little questions in between (dates, attempts to contact them, etc), and we're done:


And just like that, Teespring suddenly found the ability to reply to support queries again!

We noticed a dispute was recently submitted for your transaction related to order #[redacted], with the reason noted as PRODUCT_NOT_RECEIVED. We wanted to reach out directly to better understand the situation and see how we can assist.

That came through yesterday, the 20th of July. As I think I've done a pretty decent job of outlining the situation in this blog post, we'll be sending them a link to it and following through with the dispute. Raising a dispute with your card provider not only returns the funds to your account, but it also levies a fee on the merchant, which in this case, seems entirely deserved.

I sincerely apologise to the HIBP supporters who trusted us enough to go to the merch store and make a purchase. This experience seriously sucks and should never have happened. I'll update this post with any further feedback I get from Teespring or Amex.

Onto more positive things, and an opportunity did arise out of Teespring's incompetence:

Usually, I'd be reluctant to respond to someone jumping in on a thread and pitching their product, but hey, we were desperate! And it turns out that Fourthwall is pretty awesome because people there actually talk to you and get stuff done 🙄 I mean, properly done:

We ordered it on 2 July and received part of the order in Australia on 7 July, and the other part on 18 July. That's 5 and 16 days (both of which exceeded their estimate of 21-24 July), whilst the Teespring order was lodged 63 days ago 🤷‍♂️

So, check out merch.haveibeenpwned.com and have confidence that you will actually get what you order. Please leave a comment below if there's anything else you'd like to see in the store, and don't forget to pick up some nice thongs for yourself!

Weekly Update 461

2025-07-20 15:04:25


The Stripe situation is frustrating: by mandating an email address on all invoices, we're providing a channel that sends customer queries directly through to us rather than via our support portal, which already has the answers many people are raising tickets for. It's frustrating because it slows our customers down (they need to wait for us to respond), and it's also frustrating because we have to respond (and we're swamped as it is). I go into more detail in the video but at this stage, it looks like the only way out is to create a do_not_email@ alias, which people will inevitably email anyway, and then auto-respond to that with a link to the support portal. C'mon Stripe, fix this thing!


References

  1. 1Password Extended Access Management: Secure every sign-in for every app on every device.
  2. The Omnicuris breach went into HIBP (they have the data, but nothing in terms of disclosure)
  3. The MaReads breach also went in (same story - they have the data and radio silence)
  4. If you've got a Chromebook and are handy with debugging websites, help! (I still don't know what's causing this)
  5. Aura identity protection is the latest partner to join HIBP (they'll be seen by visitors from the US)

Welcoming Aura to Have I Been Pwned's Partner Program

2025-07-17 04:54:38


One of the greatest fears we all have in the wake of a data breach is having our identity stolen. Nefarious parties gather our personal information exposed in the breach, approach financial institutions and then impersonate us to do stuff like this:

So I recently somewhat had my identity stolen, someone used my driver's license to open about 10 different bank accounts across 6 Banks.

This was the message I received from a friend of mine just last week, and he was in a real mess. The bad guys had gotten so far into his real-life identity that not only were there a bunch of bank accounts now in his name, he was even having trouble proving who he was. Which makes sense when you think about it: once someone has the data attributes you use to verify your identity, how does a bank know that you're the real you? Like I said, it was a real mess, and he only found out about it after a lot of damage had already been done.

Which brings me to identity protection and, more specifically, Aura. I've known the folks there for years, and they were a sponsor of this blog for half a dozen weeks back in 2023. Their remit is to protect people from precisely the sort of outcomes my friend above suffered. They pride themselves on responding to fraud events super fast, providing 24/7 US-based customer support (that alone makes a massive difference), and even providing $1M American dollars in identity theft insurance. The US emphasis there is because, like Truyu who we recently onboarded to help Aussies, Aura is a geo-specific service and in this case, is there to help our friends in the US. As such, if you're coming to HIBP from that part of the world you'll see them appear in your dashboard and on the breach-specific pages:


Aura is there right alongside 1Password; two different companies offering two of the most valuable services to help protect you both before and after a data breach. And if you "Try Aura" per the link above, you'll land on their dedicated Have I Been Pwned page which provides you with a tasty discount.

Aura is a perfect example of the partnerships we've sought out to help make a positive difference to data breach victims, so a big welcome and thank you for providing the service they do.

Weekly Update 460

2025-07-13 10:32:08


This week's update is the last remote one for a while as we wind up more than a month of travel. I'm pushing this out just before we jump on the Qantas plane home... right after they've advised just how much of my data was impacted by their breach. That got me thinking in this week's video: what type of "third-party service" would expose those classes of data? My bet is on a party dealing with frequent flyers, perhaps a call centre or other processor responsible for managing their reward program. Hopefully, investigations will lead to transparency, and we'll find out, but I wouldn't be holding my breath on that timeline. For now, here are my thoughts:


References

  1. Sponsored by: Malwarebytes Browser Guard blocks phishing, ads, scams, and trackers for safer, faster browsing
  2. The UK's NCA has picked up 4 individuals they've charged with the recent attacks on big retail (it's mostly the usual story of young guys, with one exception)
  3. Looks like a heap of data points were exposed for my personal Qantas profile (compared to other family members, that is)
  4. We've welcomed Push Security to Have I Been Pwned's partner program (they're now on the business-facing pages of the dashboard)