After announcing last year that he was looking to sell Have I Been Pwned (HIBP), Troy Hunt said this week that the popular service has been pulled off the market and will instead continue to be run independently.
HIBP offers a free service for consumers to check if their usernames and passwords have been compromised in a data breach. Since it was founded seven years ago, the platform has grown rapidly to offer commercial services for companies (including its Pwned Passwords tool and more) and to include more large-scale breaches (including the massive 2019 Collection #1 data dump, totaling 773 million unique addresses and 87GB in size).
These increased capabilities are part of the reason why Hunt said in June 2019 he was listing the service for sale. In a posting at the time, he said the sheer amount of breached data that needed to be loaded into the database had increased beyond the capability of one person.
However, after a strenuous M&A process resulting in an “infeasible” deal with an exclusive bidder, Hunt said that he will instead continue to run the service independently. “After 11 months of a very intensive process, culminating in many months of exclusivity with a party I believed would ultimately be the purchaser of the service, unexpected changes to their business model made the deal infeasible,” Hunt said in a Monday post. “It wasn’t something I could have seen coming nor was it anything to do with HIBP itself, but it introduced a range of new and insurmountable barriers.”
The M&A Process
HIBP has seen widespread success over the past seven years, including adoption by organizations and governments, and a partnership with Mozilla and Cloudflare in 2019 that led to an integration between HIBP and Firefox. So it’s no surprise that companies were lining up at the door in hopes of acquiring the service. In fact, the firm had over 141 potential acquirers globally.
Nicknaming the acquisition project “Project Svalbard” (after the Arctic island location of the world’s most enormous seed bank), Hunt worked with consultancy KPMG to identify potential buyers and eventually narrowed the number down to 43 candidates who “best aligned to the goals” outlined for HIBP.
Hunt wanted buyers that had the “right level of responsibility” over the type of data HIBP deals with, and that would push the service in the direction Hunt wanted it to go. Hunt would remain at the helm of HIBP, so he was also looking for acquirers that he could see himself working for.
Eventually, an unnamed company was chosen as an exclusive bidder, but Hunt cited issues that recently led to the bidder and HIBP parting ways. These issues were undisclosed (due to legal and privacy reasons), but they were unrelated to the HIBP acquisition itself and instead stemmed from a change in the business model of the bidding company.
“Keeping in mind my previous point regarding confidentiality and choosing my words carefully, the circumstances that took the bidder out of the running was firstly, entirely unforeseen by the KPMG folks and myself and secondly, in no way related to the HIBP acquisition,” said Hunt. “It was a change in business model that not only made the deal infeasible from their perspective, but also from mine; some of the most important criteria for the possible suitor were simply no longer there. Collectively, we agreed to put pens down.”
Future of HIBP
Hunt has now abandoned plans to sell HIBP after realizing the various drawbacks that an acquisition might come with. For instance, many bidding companies wanted Hunt locked in for years “and if I changed my mind part way through, I’d pay for it big time,” he said. “That weighed more and more heavily on me as things progressed.”
Hunt also worried that many companies he talked to didn’t align with his vision for HIBP: “I … didn’t want a situation where I compromised my own principles; the organization we’d identified as the best possible fit was precisely that – the best possible fit – and all other candidates would mean making concessions I simply couldn’t justify,” he said.
Project Svalbard was the initiative to find a new home for @haveibeenpwned. After 11 months, the project has now run its course; HIBP will remain independent. Here's the full story: https://t.co/euM50h21Ge
— Troy Hunt (@troyhunt) March 2, 2020
For now, HIBP will operate as usual, and Hunt has recently onboarded five new governments onto the service (Austria, Ireland, Norway, Switzerland and Denmark), as well as loaded 77 new data breaches (comprising 1.7 billion records).
But moving forward, Hunt said he will look for more support in delegating the workload associated with the service. Hunt said he also wants to look for new ways to address how the industry as a whole can better tackle the flood of data breaches it continues to deal with, and to leverage the more formal relationships that HIBP has established with governments, regulators and law enforcement.
“It’s an interesting time right now where there’s clearly a lot of support for HIBP and the way it operates, but also a lot of focus on privacy and people having control of their own data which poses some interesting challenges,” he said.