2025-07-03 07:28:34
I always used to joke that when people used Have I Been Pwned (HIBP), we effectively said "Oh no - you've been pwned! Uh, good luck!" and left it at that. That was fine when it was a pet project used by people who live in a similar world to me, but it didn't do a lot for the everyday folks just learning about the scary world of data breaches. Partnering with 1Password in 2018 helped, but the impact of data breaches goes well beyond the exposure of passwords, so a couple of months ago, I wrote about finding new partners to help victims "after the breach". Today, I'm very happy to welcome the first such partner, Truyu.
I alluded to Truyu being an excellent example of a potential partner in the aforementioned blog post, so their inclusion in this program should come as no surprise, but let me embellish further. In fact, let's start with something very topical as of the moment of posting:
New email from @Qantas just now: “we believe your personal information was accessed during the cyber incident”. They definitely deserve credit for early communication. pic.twitter.com/dTLlvI0Byq
— Troy Hunt (@troyhunt) July 2, 2025
It's pure coincidence that Qantas' incident coincides with the onboarding of an Aussie identity protection service, but it also makes it all the more relevant. My own personal circumstances are a perfect example: apparently, my name, email address, phone number, date of birth, and frequent flyer number are now in the hands of a hacking group not exactly known for protecting people's privacy. In the earlier blog post about onboarding new partners, I showed how Truyu had sent me early alerts when my identity data was used to sign up for a couple of different financial services. If that happens as a result of the Qantas breach, at least I'm going to know about it early.
The introduction of Truyu as the first of several upcoming partners heralds the first time we've tailored content based on the geolocation of the user. What that means is that depending on where you are in the world, you may see something different to this:
I'm seeing Truyu on the Dropbox breach page because I'm in Australia, and if you're not, you won't. You'll have your own footer with your own country, which is based on Cloudflare's IP geolocation headers. In time, depending on where you are in the world, you'll see more content tailored specifically for you where it's relevant to your location. That's not just product placements either, we'll be adding other resources I'll share more about shortly.
Putting another brand name on HIBP is not something I take lightly, as is evidenced by the fact this is only the second time I've done this in nearly 12 years. Truyu is there because it's a product I genuinely believe provides value to data breach victims and in this case, one I also use myself. And for what it's worth, I've also spent time with the Truyu team in person on multiple occasions and have only positive things to say about them. That, in my book, goes a long way.
So, that's our new partner, and they've arrived at just the perfect time. Now I'm off to jump on a Qantas flight, wish me luck!
2025-07-02 16:08:12
I'm in Austria! Well, I was in Austria, I'm now somewhere over the Aussie desert as I try and end this trip on top of my "to-do" list. The Have I Been Pwned Alpine Grand Tour was a great success with loads of time spent with govs, public meetups and users of this little data breach project that kinda escalated. As I say in the vid, I'm posting a lot more pics publicly to my Facebook page, so if you want to see the highlights, head over there. That's it for this week, it's home for a day then I'll come to you from Tokyo for the next one.
2025-06-22 01:36:24
Firstly, apologies for the annoying clipping in the audio. I use a Rode VideoMic that's a shotgun style that plugs straight into the iPhone and it's usually pretty solid. It was also solid when I tested it again now, just recording a video into the phone, so I don't know if this was connection related or what, but I was in no position to troubleshoot once the stream had started, unfortunately.
Moving on, it's been a ridiculously hectic week of back-to-back events then to top it off, we've been dealing with crazy traffic volumes on HIBP:
Well, that explains the traffic: 2.46M visitors to Have I Been Pwned in 24 hours, mostly from Google searches. The inbound traffic is near unprecedented, with only the Collection 1 credential stuffing list in Jan 2019 and the Facebook scrape in April 2021 coming close. pic.twitter.com/li7qvfy9tk
— Troy Hunt (@troyhunt) June 21, 2025
Anyway, you just can't predict these things, hope you enjoy this week's video regardless.
2025-06-12 17:51:21
It's time to fly! It's two months to the day since we came back from the last European trip, again spending the time with some of the agencies and partners we've fostered at HIBP over the years. This time, it's the driving tour I talked about earlier last month, and we have absolutely jam-packed it! But hey, it's a part of the world I love driving in, it's summer over there (I know, it's a bit upside-down in that half of the world), and there are lots of cool people and places to see. Interestingly, Switzerland was by far the most dominant "come and say g'day" country, and we've ended up with events or meetups in Zurich, Bern and Geneva, along with invites in other places we just didn't have time to make work. But Switzerland is awesome, so perhaps that's a place for a longer stay next time with a little less grand touring. Regardless, I'll come to you with another live stream next Friday from Monaco 😎
2025-06-09 16:27:23
The bot-fighting is a non-stop battle. In this week's video, I discuss how we're tweaking Cloudflare Turnstile and combining more attributes around how bot-like requests are, and... it almost worked. Just as I was preparing to write this intro, I found a small spike of anomalous traffic that, upon further investigation, should have been blocked. So we've pivoted again, adding yet more logic to try and give legit humans the best experience possible whilst making it painful for the bots. Fortunately, we're doing this with resources that have minimal impact if a limited number of bot requests come through, but it does make for a challenging if not somewhat infuriating experience.
2025-06-02 18:26:35
We're two weeks in from the launch of the new HIBP, and I'm still recovering. Like literally still recovering from the cold I had last week and the consequent backlog. A major launch like this isn't just something you fire and forget; instead, it takes weeks of tweaks and refinements to iron out all the little creases, both known and unpredictable. None of them have been significant, fortunately, but the more I look at it, the more I see, and the more we refine. This week, we're diving headfirst into something I'd rather avoid: wacky procurement demands. Stuff like quote generation so that you can have the same stuff as you can find on the pricing page right now, just as a PDF with your name on it 🤦‍♂️ And look, I get it - it's not the people reading this making those demands and I have trodden in your shoes and felt your pain. Hopefully, sometime this week, we'll automate away both your and my pain, and that'll be a massive step forward for all of us. Stay tuned!