Citing overwhelming demands on his time, Troy Hunt is looking for a buyer for his site, Have I Been Pwned (HIBP).
HIBP offers a free service for consumers wanting to know if their user names and passwords have been compromised in a data breach; it also offers commercial services that include alerts for members of identity-theft programs, enabling infosec companies to provide services to their customers, protecting large online assets from credential stuffing attacks, preventing fraudulent financial transactions, and giving governments and law enforcement assistance with investigations.
Hunt has been running the site for six years, and said in a posting on Tuesday that the sheer amount of breached information out there needing to be loaded into the database has accelerated to the point of outstripping one person’s capability to keep up with it.
He noted that starting in January, with the massive Collection #1 data dump, his responsibilities in keeping HIBP afloat have spiked. This has led to him having to cut back on other things, like maintaining his social media presence on Twitter and writing technical blog posts. Even so, he’s continued to travel and speak globally, upload weekly videos, and participate in industry and media events – resulting in something “very close to burnout,” he said, as he tried to keep up with it all plus have a family life.
“Each and every disclosure to an organization that didn’t even know their data was out there fell to me (and trust me, that’s massively time-consuming and has proven to be the single biggest bottleneck to loading new data),” he wrote. “Every media interview, every support request and frankly, pretty much every single thing you could possibly conceive of was done by just one person in their spare time. This isn’t just a workload issue either; I was becoming increasingly conscious of the fact that I was the single point of failure. And that needs to change.”
Nicknaming the acquisition project “Project Svalbard” after the Arctic island location of the world’s most enormous seed bank, Hunt said he’s working with consultancy KPMG to identify potential buyers. He plans to let the process happen “organically,” he said, and there’s no timeline on it. He’s already started to have conversations with candidates, however.
It's time for @haveibeenpwned to grow up and go beyond what I can do as one person. This has taken a lot of thought over the course of this year; here's the factors driving it, the path forward and what it means for the future. Here's Project Svalbard: https://t.co/ZeRtzfCTA2
— Troy Hunt (@troyhunt) June 11, 2019
Post-acquisition, Hunt said that he will continue to be a part of HIBP – “some company gets me along with the project” – and that freely available consumer searches will be maintained. He said the main changes will be an expansion of services; he wants to reach a wider audience and offer more commercial capabilities to subscribers, while sourcing more data and focusing more on consumer education and awareness. He also plans to focus on post-breach activities, especially around mitigating credential stuffing.
“I’m really happy with what HIBP has been able to do to date, but I’ve only scratched the surface of potential with it so far,” Hunt said. The service has almost 8 billion breached records, there are nearly 3 million people subscribed to notifications, and the site gets 150,000 unique visitors per day on average, he said.
He added, “it took a combination of data breaches, cloud and an independent career that allowed me the opportunity to make HIBP what it is today, but it’s finally what I’d always hoped I’d be able to do. Project Svalbard is the realization of that dream and I’m enormously excited about the opportunities that will come as a result.”
Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.
