IT Innovators
IT Innovators: Creating a Free Web Service to Help Businesses and Individuals Know When They’ve Been Hacked

‘Have I been pwned?’ Keeps Users On High Alert For Data Breaches

Shouldn’t we all know immediately when our online accounts are hacked?

Troy Hunt sure thinks so.

Hunt—an Australian software architect, blogger, speaker, and author of online security courses—felt so strongly that people are left in the dark about their vulnerability to data breaches that he created the free “Have I been pwned?” (HIBP) web service.

Having your personal account exposed in a data breach is not just an inconvenience; it could be a gateway to identity theft. Unfortunately, people often don’t know their information has been compromised until they read about it in the news; meanwhile, usernames and passwords float around visible to cybercriminals.

“It’s screwy how long it takes companies to let the public know there’s been a breach,” Hunt says.

While it’s hard to quantify how many data breaches occur each year (because many go unreported), it’s clear from the recent wave of high-profile attacks at Target, Home Depot, JPMorgan Chase, Sony, Anthem, and others that cyberattackers are growing more aggressive and sophisticated. A 2014 study by the Ponemon Institute revealed that the average cost to a company suffering a data breach is $3.5 million, a 15 percent increase over the previous year.

After Hunt’s Adobe account was ensnared in that company’s 2013 data breach—a breach that compromised 152 million accounts—he took matters into his own hands by building a site for the public.

The HIBP homepage is as user-friendly as pie. It consists of a search field where anyone can enter a username or email address to verify whether they have an account that’s been compromised in a data breach or been part of a paste. A paste is stolen information that’s been published on public websites favored by hackers, such as

To date, HIBP has 113,000 verified subscribers, Hunt says. As a subscriber, you get notifications telling you which account was breached and what data classes (email addresses, passwords, password hints, etc.) were exposed. A victim can then take quick action like changing the password on the compromised site.

“And because the assumption is that other sites where you’ve used that password could be compromised, you’ll want to change that password everywhere.” He adds, with a laugh: “Or just start using a Password Manager.”

Altruism wasn’t Hunt’s only motivation for building the HIBP site. He’s a Microsoft MVP for developer security and an avid user of Microsoft’s Azure cloud platform. (Note: Hunt contributes to the Windows IT Pro site with a regular security column, although he’s not an employee of Microsoft or Penton Media).

Hunt knew he’d be collecting troves of data and wanted to see how cheaply he could run a service like this in the cloud. So HIBP was built using Azure on what Hunt calls a “coffee budget” because the cloud platform can cost about as much to run as…well, a cup of coffee. Azure table storage costs about 5 percent of SQL server storage, says Hunt, and “can be scaled to enormous heights on demand for only cents per hour.”

Because Hunt is paying for HIBP out of his own pocket, he relies on Azure to keep costs down. He recently opened up the site’s Application Programming Interface (API) so any company can integrate HIBP with its own system to check on company email addresses. Yet opening up the API has led to wild usage fluctuations—the site can suddenly have 8,000 requests a minute for 24 hours straight when an enterprise pulls data for its user base.

However, Hunt feels confident setting up Azure’s auto-scale feature and going to bed. Early on with the HIBP site, Azure was running on three servers, but demand from the open API forced Hunt to switch to 10 servers at 10 cents an hour per server.

“The worst thing is that maybe traffic goes nuts for eight hours while I’m asleep,” he says. “But I’ve just supported big traffic and possibly thousands of new subscribers, so it’s worth the eight bucks.”

As for what information HIBP actually stores, Hunt emphasizes that it’s only email addresses and usernames. It does NOT store passwords. All the data in the site comes from breaches that have been made publicly available.

More recently, Hunt has added a domain monitoring feature whereby an entire business can check to see whether any of the employees on its domain(s) are compromised due to a data breach or paste. Over 400 businesses are using domain monitoring, Hunt says.

Word of mouth led an identity theft company—Hunt would not say which one—to inquire about paying him to create a private API that it could integrate with its own product to provide HIBP data breach and paste alerts to its customers. “This could be a good value-add to an existing product,” he says. “So we’re in discussions.”

Hunt remains surprised by the growth of the HIBP site. The way things are going, this free service may have more commercial appeal than its humble maker ever imagined.

“If a company can make their own product better using my API, pay me for it, and then sell it to customers and help them, then that’s really good,” he says.

Until then, Hunt will rely on his donations page. Azure may be fast, cheap and scalable, but running HIBP alone is time-consuming for a guy with a job, wife and kids. So buy Troy Hunt a cup of coffee. He’s looking out for you.


Shane O'Neill is a freelance writer based in Boston, MA. Most recently, Shane was Managing Editor for InformationWeek where he covered mobile, big data, and digital innovation as a writer and editor. Prior to that, he was Assistant Managing Editor and Senior Writer at Shane's writing garnered an ASBPE Bronze Award in 2011 for his blog, "Eye on Microsoft." He can be reached at [email protected]

The IT Innovators series of articles is underwritten by Microsoft, and is editorially independent.
