Have I Been Pwned, the service that logs data breaches and lets individuals search to see if they’ve been affected by one, is about to go open-source. The result of that, according to its founder, will be additional transparency and security-enhancing features.
HIBP, which was kicked off in 2013, offers a range of services: There’s a free service for people wanting to know if their user names and passwords have been compromised in a data breach; it also offers commercial services that include alerts for members of identity-theft programs; and it enables infosec companies to provide services to their customers like protecting large online assets from credential stuffing attacks, preventing fraudulent financial transactions, and giving governments and law enforcement assistance with investigations.
Last June, owner Troy Hunt embarked on “Project Svalbard,” which was an attempt to find a buyer for HIBP. That “failed M&A process,” as he calls it, was sparked by “something close to burnout,” he told Threatpost at the time. He noted that his responsibilities in keeping HIBP afloat had spiked, which led him to cut back on other things, like maintaining his social media presence on Twitter and writing technical blog posts. He was also speaking at conferences globally, uploading weekly videos, and participating in industry and media events.
Since an appropriate buyer didn’t turn up, the next plan is to open up the service’s code base.
“The code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it,” Hunt said Friday in a blog post announcing the plan. “The single most important objective [is] to seek a more sustainable future for HIBP…the project cannot be solely dependent on me.”
Already, HIBP is fairly “open,” he noted, running on free services “by the likes of Cloudflare”; using the open-source projects Visual Studio Code and Ghost (along with multiple open-source libraries); and implementing a number of community contributions, many of them publicly available. But fully opening the door to allow people to contribute to – and notably, tinker with – the code will be an entirely next-level effort, Hunt noted.
“I’m talking open-source in terms of taking contributions as well,” he wrote. He added, “All that backlog, all those bugs, all the great new ideas people have but I simply can’t implement myself can, if the community is willing, finally be contributed back into the project.”
He noted that it’s not an elegant code base, but he’s looking forward to bringing the community to bear on rectifying any issues: “I’ve chipped away at it in little bits and pieces, frequently from a laptop while travelling, jetlagged and preoccupied,” he said. “I’ve taken shortcuts. I’ve hacked together some pretty messy stuff. I’ve probably checked in secrets before and when you’re the only person touching a project you can get away with all that stuff, but not once you start opening up source.”
The move will also assuage concerns by users that HIBP might be collecting data about them or their searches.
“People have often questioned whether I’m logging searches in order to build up a new list of email addresses,” he said. “No, I’m not, but at present that assertion effectively just boils down to ‘trust me.’ Showing the code – the actual code – and demonstrating that things aren’t logged is a very different proposition.”
As for safeguarding the breached personal data that makes up HIBP’s database and is its raison d’être, Hunt noted that all of it originates from criminal activity in the form of information theft; as such, most of it is already in public circulation on underground markets and has passed through many hands. It has also been accessed by many parties: “Big tech companies, for example, pull down precisely the same breaches that go into HIBP and use them to identify credential reuse across their own platforms,” Hunt said.
However, “I still need to ensure the same privacy controls prevail across the breach data itself even as the code base becomes more transparent. That’s non-trivial. Doable, but non-trivial.”
In terms of further details on the open-source process, Hunt said to stay tuned. And he stressed that rather than throwing the entire code base up on GitHub, he plans to disclose it on a staged basis – timeline TBD.
“I need to choose the right parts of the project to open up in the right way at the right time,” he said. “The transition from completely closed to completely open will happen incrementally, bit-by-bit and in a fashion that’s both manageable and responsible.”
He added, “I want to get to a point where everything possible is open. I want the infrastructure configuration to be open too and I want the whole thing to be self-sustaining by the community.”