[…] Have I Been Pwned started life as a hobby project. In fact, Troy wasn’t working in the cybersecurity industry until a chance encounter tweaked his curiosity.
Hackers had stolen the email addresses and passwords of 152 million of Adobe’s customers in November 2013 — including, as it turned out, Troy’s.
Only, he wasn’t an Adobe customer. He did some digging and found that Adobe had acquired another company that he did have an account with, and his data along with it.
But that wasn’t where it ended. Another question weighed on Troy’s mind — one he would soon become synonymous with. Where else had his data been leaked?
So, two months after the Adobe breach, he launched Have I Been Pwned — a website that would answer this exact question for anyone in the world.
Even though it’s grown into an industry behemoth, the day-to-day reality of running the site hasn’t changed all that much since 2013.
He only collects (and encrypts) the mobile numbers, emails and passwords that he finds in the breaches, discarding the victims’ names, physical addresses, bank details and other sensitive information.
The idea is to let users find out where their data has been leaked from, but without exposing them to further risk.
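The collection model described above, as an added illustration that is not the article's or Have I Been Pwned's own code: a small index that keeps only the searchable identifiers from a breach dump (email addresses and phone numbers here; passwords are deliberately left out, since storing them next to the email they belong to would create the very risk the site tries to avoid), discards every other field on ingest, and stores the kept identifiers as keyed hashes (the article says "encrypts" without detail, so the HMAC is this example's assumption). The sample dumps and key are constructed.

```python
import hmac
import hashlib
from collections import defaultdict

# Only these fields survive ingest; everything else is dropped before storage.
RETAINED = ("email", "phone")
# Constructed secret for the demo; a real deployment would load it from a key store.
INDEX_KEY = b"constructed-demo-key"


def normalise(field, value):
    """Canonicalise an identifier so look-ups match regardless of formatting."""
    value = value.strip()
    if field == "email":
        return value.lower()
    if field == "phone":
        return "".join(ch for ch in value if ch.isdigit())
    return value


def protect(value):
    """Keyed hash: a stolen index does not hand back the identifiers themselves."""
    return hmac.new(INDEX_KEY, value.encode(), hashlib.sha256).hexdigest()


class BreachIndex:
    def __init__(self):
        self._hits = defaultdict(set)   # protected identifier -> breach names
        self.discarded_fields = set()   # record of what was seen and thrown away

    def ingest(self, breach_name, records):
        for rec in records:
            for field, raw in rec.items():
                if field not in RETAINED:
                    self.discarded_fields.add(field)   # never written anywhere
                    continue
                if raw:
                    self._hits[protect(normalise(field, raw))].add(breach_name)
        return len(self._hits)   # number of distinct protected identifiers

    def lookup(self, field, value):
        """Return the breaches a given email/phone appears in (empty if none)."""
        return sorted(self._hits.get(protect(normalise(field, value)), ()))


# Constructed sample dumps (not real data); note the sensitive extra fields.
ACME_DUMP = [
    {"name": "Alice Example", "email": "Alice@Example.org", "password": "hunter2",
     "address": "1 Sample St", "card": "4111111111111111"},
    {"name": "Bob Example", "email": "bob@example.org", "phone": "+61 400 000 000"},
]
WIDGET_DUMP = [{"email": "alice@example.org", "dob": "1990-01-01"}]


def demo():
    idx = BreachIndex()
    idx.ingest("Acme", ACME_DUMP)
    idx.ingest("WidgetCo", WIDGET_DUMP)
    return idx
```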
Once he identifies where a data breach has occurred, Troy also contacts the organisation responsible to allow it to inform its users before he does. This, he says, is often the hardest step of the process because he has to convince them it’s legitimate and not some kind of scam itself.
He’s not required to give organisations this opportunity, much less persist when they ignore his messages or accuse him of trying to shake them down for money.
These days, major tech companies like Mozilla and 1Password use Have I Been Pwned, and Troy likes to point out that dozens of national governments and law enforcement agencies also partner with his service.
Yet the reality is that Troy doesn’t answer to an electorate, or even a board.
“He’s not a company that’s audited. He’s just a dude on the web,” says Jane Andrew, an expert on data breaches at the University of Sydney.
“I think it’s so shocking that this is where we find out information about ourselves.
“It’s just one guy facilitating this. It’s a critical global risk.”
She says governments and law enforcement have, in general, left it to individuals to deal with the fallout from data breaches.
Without an effective global regulator, Professor Andrew says, a crucial part of the world’s cybersecurity infrastructure is left to rely on the goodwill of this one man on the Gold Coast.