Troy Hunt

I create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals.

RSS preview of the blog of Troy Hunt


2025-07-13 10:32:08

Weekly Update 460

This week's update is the last remote one for a while as we wind up more than a month of travel. I'm pushing this out just before we jump on the Qantas plane home... right after they've advised just how much of my data was impacted by their breach. That got me thinking in this week's video: what type of "third-party service" would expose those classes of data? My bet is on a party dealing with frequent flyers, perhaps a call centre or other processor responsible for managing their reward program. Hopefully, investigations will lead to transparency, and we'll find out, but I wouldn't be holding my breath on that timeline. For now, here are my thoughts:


References

  1. Sponsored by: Malwarebytes Browser Guard blocks phishing, ads, scams, and trackers for safer, faster browsing
  2. The UK's NCA has picked up 4 individuals they've charged with the recent attacks on big retail (it's mostly the usual story of young guys, with one exception)
  3. Looks like a heap of data points were exposed for my personal Qantas profile (compared to other family members, that is)
  4. We've welcomed Push Security to Have I Been Pwned's partner program (they're now on the business-facing pages of the dashboard)


2025-07-10 06:50:20

Welcoming Push Security to Have I Been Pwned's Partner Program

As we gradually roll out HIBP’s Partner Program, we’re aiming to deliver targeted solutions that bridge the gap between being at risk and being protected. HIBP is the perfect place to bring these solutions to the forefront, as it's often the point at which individuals and organisations first learn of their exposure in data breaches. The challenge for corporates, in particular, is especially significant as they're tasked with protecting entire workforces, often against highly motivated and sophisticated attackers seeking to exploit organisational vulnerabilities. That's why today, I'm especially happy to welcome Push Security to the program.

Push's mandate is to "defend workforce identities in the browser" from attacks that put corporate assets at risk. Especially within the context of data breaches, this includes attacks that leverage reused credentials (which often appear in breaches), account takeovers, phishing and session hijacking. Protecting organisations directly in the browser makes a lot of sense given how many attacks originate in that environment (something I'm painfully familiar with myself), and as they're fond of saying, "Push Security is like EDR but for the browser".

Because Push is focused on business solutions, they now have placement within the business section of the HIBP dashboard, namely the overview and domains pages:

[Image: Push Security placement on the overview and domains pages of the HIBP dashboard]

I'm really happy with how we've been able to position partners in a way that's contextual, relevant and non-obtrusive. We've clearly marked Push as "Sponsored" and positioned them right at the heart of where those protecting organisations spend their time on HIBP.

Lastly, we've also now launched a dedicated partners page, which lists each relationship we have, including Push Security:

[Image: the HIBP partners page, listing Push Security]

Regardless of where you are in the world, you'll see each partner, the pages on which they are displayed, and any geolocation dependencies. This ensures both transparency and exposure for the organisations we've entrusted to help protect users of our service.

So, a big welcome to Push Security and one more piece in the puzzle of protecting organisations from the scourge of data breaches.


2025-07-08 15:59:20

Weekly Update 459

New week, different end of the world! After a fleeting stop at home, we're in Japan for a proper holiday (yet somehow I'm still here writing this...) with the first stop in Tokyo. It's like nowhere else here, and this is now probably my 10th trip to Japan over a period of more than three decades. What I think has changed the most in terms of my perceptions of Japan is that back in the 90s, it was just so high tech here because we hadn't seen a lot of the stuff that was on the main streets of Tokyo. Now, the world is much more global; we're all using the same phones and watching the same TVs and nobody is talking about the Walkman any more. Same epic food though, and we've been smashing through some amazing dishes (full pics on Facebook). The next update will come from Kyoto before we head back to the sunny Aussie winter.


References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. Yet another spyware maker has had their customer data land in HIBP (I think Catwatchful is now the 9th one there)
  3. Also on Catwatchful, it looks like good old SQL injection still wreaking havoc (crazy this is still a thing)
  4. Aussie identity protection service Truyu is the first new partner to be onboarded (that is, since 1Password in 2018)
  5. Looks like I'm in yet another data breach, this time courtesy of our national airline (let's see if data appears anywhere...)


2025-07-03 07:28:34

Welcoming Truyu to Have I Been Pwned's Partner Program

I always used to joke that when people used Have I Been Pwned (HIBP), we effectively said "Oh no - you've been pwned! Uh, good luck!" and left it at that. That was fine when it was a pet project used by people who live in a similar world to me, but it didn't do a lot for the everyday folks just learning about the scary world of data breaches. Partnering with 1Password in 2018 helped, but the impact of data breaches goes well beyond the exposure of passwords, so a couple of months ago, I wrote about finding new partners to help victims "after the breach". Today, I'm very happy to welcome the first such partner, Truyu.

I alluded to Truyu being an excellent example of a potential partner in the aforementioned blog post, so their inclusion in this program should come as no surprise, but let me embellish further. In fact, let's start with something very topical as of the moment of posting:

It's pure coincidence that Qantas' incident coincides with the onboarding of an Aussie identity protection service, but it also makes it all the more relevant. My own personal circumstances are a perfect example: apparently, my name, email address, phone number, date of birth, and frequent flyer number are now in the hands of a hacking group not exactly known for protecting people's privacy. In the earlier blog post about onboarding new partners, I showed how Truyu had sent me early alerts when my identity data was used to sign up for a couple of different financial services. If that happens as a result of the Qantas breach, at least I'm going to know about it early.

The introduction of Truyu as the first of several upcoming partners heralds the first time we've tailored content based on the geolocation of the user. What that means is that depending on where you are in the world, you may see something different to this:

[Image: the Truyu partner footer shown on the Dropbox breach page on HIBP]

I'm seeing Truyu on the Dropbox breach page because I'm in Australia, and if you're not, you won't. You'll have your own footer with your own country, which is based on Cloudflare's IP geolocation headers. In time, depending on where you are in the world, you'll see more content tailored specifically for you where it's relevant to your location. That's not just product placements either, we'll be adding other resources I'll share more about shortly.
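As an added example (not HIBP's own code), here is the server-side decision the paragraph describes: read Cloudflare's IP geolocation header and choose a location-specific footer. The header name CF-IPCountry and its "XX" (unknown) and "T1" (Tor) sentinel values are Cloudflare's; the partner table, the function names and the sample requests are assumptions made for illustration. The example also carries the check a defender would want: the header is only meaningful when the request is known to have arrived through Cloudflare (for instance because the origin accepts connections only from Cloudflare's address ranges), because a client that can reach the origin directly can set the header to anything.

```python
"""Choose location-specific footer content from Cloudflare's CF-IPCountry header.

Added example, not HIBP's code. Assumptions: the partner table below, the
function names, and the sample requests at the bottom are all constructed.
"""
import re
from typing import Mapping, Optional

# Hypothetical placement table keyed by ISO 3166-1 alpha-2 country code.
PARTNERS_BY_COUNTRY = {
    "AU": "Truyu",
}
DEFAULT_FOOTER = "default"

_COUNTRY_RE = re.compile(r"^[A-Z]{2}$")
# Cloudflare sends "XX" when the country is unknown and "T1" for Tor exits;
# neither should select country-specific content.
_NON_COUNTRIES = {"XX", "T1"}


def country_from_headers(headers: Mapping[str, str], trusted_proxy: bool) -> Optional[str]:
    """Return a validated country code from CF-IPCountry, or None.

    trusted_proxy must be decided by the deployment (e.g. the connection came
    from a Cloudflare address range); if it is False the header is ignored,
    because anything reaching the origin directly could have forged it.
    """
    if not trusted_proxy:
        return None
    value = None
    for name, raw in headers.items():  # header names are case-insensitive
        if name.lower() == "cf-ipcountry":
            value = raw.strip().upper()
            break
    if value is None or not _COUNTRY_RE.match(value) or value in _NON_COUNTRIES:
        return None
    return value


def select_footer(headers: Mapping[str, str], trusted_proxy: bool) -> str:
    """Pick the footer variant for this request; fall back to the default."""
    country = country_from_headers(headers, trusted_proxy)
    if country is None:
        return DEFAULT_FOOTER
    return PARTNERS_BY_COUNTRY.get(country, DEFAULT_FOOTER)


# Constructed sample requests: (headers, request known to have come via Cloudflare).
SAMPLE_REQUESTS = [
    ({"CF-IPCountry": "AU"}, True),    # Australian visitor -> Truyu footer
    ({"cf-ipcountry": "us"}, True),    # valid country, no placement -> default
    ({"CF-IPCountry": "T1"}, True),    # Tor sentinel -> default
    ({}, True),                        # geolocation not enabled -> default
    ({"CF-IPCountry": "AU"}, False),   # header present but origin hit directly -> ignored
]

if __name__ == "__main__":
    for hdrs, trusted in SAMPLE_REQUESTS:
        print(hdrs, trusted, "->", select_footer(hdrs, trusted))
```

The trusted_proxy flag is deliberately an input rather than something the function infers from the headers themselves, since the only reliable signal is the network path the request took, not any value a client can supply.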

Putting another brand name on HIBP is not something I take lightly, as is evidenced by the fact this is only the second time I've done this in nearly 12 years. Truyu is there because it's a product I genuinely believe provides value to data breach victims and in this case, one I also use myself. And for what it's worth, I've also spent time with the Truyu team in person on multiple occasions and have only positive things to say about them. That, in my book, goes a long way.

So, that's our new partner, and they've arrived at just the perfect time. Now I'm off to jump on a Qantas flight, wish me luck!


2025-07-02 16:08:12

Weekly Update 458

I'm in Austria! Well, I was in Austria, I'm now somewhere over the Aussie desert as I try and end this trip on top of my "to-do" list. The Have I Been Pwned Alpine Grand Tour was a great success with loads of time spent with govs, public meetups and users of this little data breach project that kinda escalated. As I say in the vid, I'm posting a lot more pics publicly to my Facebook page, so if you want to see the highlights, head over there. That's it for this week, it's home for a day then I'll come to you from Tokyo for the next one.


References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. Have Fun Teaching was breached 4 years ago and 27k of their records are now in HIBP (they went very much "radio silence" after disclosure)
  3. Robinsons Malls in the Philippines had a breach that finally made its way into HIBP (the breach itself was back in June last year)
  4. Because Teespring was frankly, appallingly bad, we have a new merch store courtesy of Fourthwall (if you ordered from Teespring and haven't received your merch, contact their support and if that doesn't work, dispute the charge with your card company)


2025-06-22 01:36:24

Weekly Update 457

Firstly, apologies for the annoying clipping in the audio. I use a Rode VideoMic that's a shotgun style that plugs straight into the iPhone and it's usually pretty solid. It was also solid when I tested it again now, just recording a video into the phone, so I don't know if this was connection related or what, but I was in no position to troubleshoot once the stream had started, unfortunately.

Moving on, it's been a ridiculously hectic week of back-to-back events, and then to top it off, we've been dealing with crazy traffic volumes on HIBP.

Anyway, you just can't predict these things, hope you enjoy this week's video regardless.


References

  1. Sponsored by: 1Password Extended Access Management: Secure every sign-in for every app on every device.
  2. If you want to follow along with travels, most of the pics I post these days are going to a public Facebook account (such is the fragmented social media world today)
  3. Catch me in Rome next week for the DotNetCode Italy meetup (that'll be the last public event of the tour)
  4. Was it really 16B passwords? (obviously this story got huge traction, let's see what the data says)