Troy HuntModify

2025-07-02 16:08:12

I'm in Austria! Well, I was in Austria, I'm now somewhere over the Aussie desert as I try and end this trip on top of my "to-do" list. The Have I Been Pwned Alpine Grand Tour was a great success with loads of time spent with govs, public meetups and users of this little data breach project that kinda escalated. As I say in the vid, I'm posting a lot more pics publicly to my Facebook page, so if you want to see the highlights, head over there. That's it for this week, it's home for a day then I'll come to you from Tokyo for the next one.

References

1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
2. Have Fun Teaching was breached 4 years ago and 27k of their records are now in HIBP (they went very much "radio silence" after disclosure)
3. Robinsons Malls in the Philippines had a breach thay finally made its way into HIBP (the breach itself was back in June last year)
4. Because Teespring was frankly, appallingly bad, we have a new merch store courtesy of Fourthwall (if you ordered from Teespring and haven't received your merch, contact their support and if that doesn't work, dispute the charge with your card company)

2025-06-22 01:36:24

Firstly, apologies for the annoying clipping in the audio. I use a Rode VideoMic that's a shotgun style that plugs straight into the iPhone and it's usually pretty solid. It was also solid when I tested it again now, just recording a video into the phone, so I don't know if this was connection related or what, but I was in no position to troubleshoot once the stream had started, unfortunately.

Moving on, it's been a ridiculously hectic week of bacb-to-back events then to top it off, we've bee dealing with crazy traffic volumes on HIBP:

Well, that explains the traffic: 2.46M visitors to Have I Been Pwned in 24 hours, mostly from Google searches. The inbound traffic is near unprecedented, with only the Collection 1 credential stuffing list in Jan 2019 and the Facebook scrape in April 2021 coming close. pic.twitter.com/li7qvfy9tk

— Troy Hunt (@troyhunt) June 21, 2025

Anyway, you just can't predict these things, hope you enjoy this week's video regardless.

References

1. Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
2. If you want to follow along with travels, most of the pics I post these days are going to a public Facebook account (such is the fragmented social media world today)
3. Catch me in Rome next week for the DotNetCode Italy meetup (that'll be the last public event of the tour)
4. Was it really 16B passwords? (obviously this story got huge traction, let's see what the data says)

2025-06-12 17:51:21

It's time to fly! It's two months to the day since we came back from the last European trip, again spending the time with some of the agencies and partners we've fostered at HIBP over the years. This time, it's the driving tour I talked about earlier last month, and we have absolutely jam-packed it! But hey, it's a part of the world I love driving in, it's summer over there (I know, it's a bit upside-down in that half of the world), and there are lots of cool people and places to see. Interesting, Switzerland was by far the most dominant "come and say g'day" country, and we've ended up with events or meetups in Zurich, Bern and Geneva, along with invites in other places we just didn't have time to make work. But Switzerland is awesome, so perhaps that's a place for a longer stay next time with a little less grand touring. Regardless, I'll come to you with another live stream next Friday from Monaco 😎

References

1. Sponsored by: Malwarebytes Browser Guard blocks phishing, ads, scams, and trackers for safer, faster browsing
2. Catch me in Zurich on Monday (that one is courtesy of the Azure Zurich User Group)
3. And in Rome the week after (thank you DotNetCode Italy for hosting!)

2025-06-09 16:27:23

The bot-fighting is a non-stop battle. In this week's video, I discuss how we're tweaking Cloudflare Turnstile and combining more attributes around how bot-like requests are, and... it almost worked. Just as I was preparing to write this intro, I found a small spike of anomalous traffic that, upon further investigation, should have been blocked. So we've pivoted again, adding yet more logic to try and give legit humans the best experience possible whilst making it painful for the bots. Fortunately, we're doing this with resources that have minimal impact if a limited number of bot requests come through, but it does make for a challenging if not somewhat infuriating experience.

References

1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
2. We've now identified the first round of partners to onboard to HIBP (these are companies that can help victims "after the breach")
3. ColoCrossing had a breach that exposed 7k customer email addresses for their cloud service (looks like this just ColoCloud)
4. We love the HIBP merch store, but Teespring's support is absolutely woeful (we'll move to an alternate provider in the very near future)
5. We're still tweaking Cloudflare's Turnstile to keep the bad guys out and the good guys in (that's a link to the HIBP homepage which we think we have dialed in pretty good now, see if you get a nice async request or a full page post-back)

2025-06-02 18:26:35

We're two weeks in from the launch of the new HIBP, and I'm still recovering. Like literally still recovering from the cold I had last week and the consequent backlog. A major launch like this isn't just something you fire and forget; instead, it takes weeks of tweaks and refinements to iron out all the little creases, both known and unpredictable. None of them have been significant, fortunately, but the more I look at it, the more I see, and the more we refine. This week, we're diving headfirst into something I'd rather avoid: wacky procurement demands. Stuff like quote generation so that you can have the same stuff as you can find on the pricing page right now, just as a PDF with your name on it 🤦‍♂️ And look, I get it - it's not the people reading this making those demands and I have tread in your shoes and felt your pain. Hopefully, sometime this week, we'll automate away both your and my pain, and that'll be a massive step forward for all of us. Stay tuned!

References

1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
2. I'm coming to Zurich! (now at the correct date of June 16)
3. The Fédération Francaise de Rugby breach turned up (282k people in there, including with their DoBs for some reason 🤷‍♂️)
4. Sticking with the French theme, their "Free" ISP data popped up too (another 14M people there, also with dates of birth 🤷‍♂️)
5. And the second coming of Operation Endgame also made its way to HIBP (with support from our friends in LEA 👮)

2025-05-27 08:26:01

Well, the last few weeks of insane hours finally caught up with me 🤒 Not badly, but I evidently burned enough midnight oil to leave the immune system somewhat degraded and just after recording this video, I really didn't feel like doing much at all. Some congestion and sniffles aside, it's really not that bad, but definitely evidence of a very intense period, which thankfully, is now behind us. So, this week, let's talk about that awesome new HIBP website 😊

References

1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
2. We launched! (the end of one era, the beginning of another)
3. Cloudflare's Turnstile is protecting a bunch of features in the new HIBP site from automation (but we do need to work on the rate at which it thinks real people are bots)
4. I later put out a poll on the rate at which Turnstile was blocking access (when I speculated about 10%, I was pretty close - it's actually 8.7%)