“Pwned”, The Book, Is Now Available for Free

Nearly four years ago now, I set out to write a book with Charlotte and Rob. It was the stories behind the stories, the things that drove me to write my most important blog posts, and then the things that happened afterwards. It’s almost like a collection of

Closer to the Edge: Hyperscaling Have I Been Pwned with Cloudflare Workers and Caching

I’ve spent more than a decade now writing about how to make Have I Been Pwned (HIBP) fast. Really fast. Fast to the extent that sometimes, it was even too fast:

The response from each search was coming back so quickly that the user wasn’t sure

Inside the DemandScience by Pure Incubation Data Breach

Apparently, before a child reaches the age of 13, advertisers will have gathered more than 72 million data points on them. I knew I’d seen a metric about this sometime recently, so I went looking for “7,000”, which perfectly illustrates how unaware we are of the

The Data Breach Disclosure Conundrum

The conundrum I refer to in the title of this post is the one faced by a breached organisation: disclose or suppress? And let me be even more specific: should they disclose to impacted individuals, or simply never let them know? I’m writing this after many recent such

Begging for Bounties and More Info Stealer Logs

TL;DR — Tens of millions of credentials obtained from info stealer logs populated by malware were posted to Telegram channels last month and used to shake down companies for bug bounties under the misrepresentation the data originated from their service.

How many attempted scams do you get each day?

Telegram Combolists and 361M Email Addresses

Last week, a security researcher sent me 122GB of data scraped out of thousands of Telegram channels. It contained 1.7k files with 2B lines and 361M unique email addresses of which 151M had never been seen in HIBP before. Alongside those addresses were passwords and, in many cases, the

Operation Endgame

Today we loaded 16.5M email addresses and 13.5M unique passwords provided by law enforcement agencies into Have I Been Pwned (HIBP) following botnet takedowns in a campaign they’ve coined Operation Endgame. That link provides an excellent overview, so start there, then come back to this blog

Have I Been Pwned Employee 1.0: Stefán Jökull Sigurðarson

We often do that in this industry, the whole “1.0” thing, but it seems apt here. I started Have I Been Pwned (HIBP) in 2013 as a pet project that scratched an itch, so I never really thought of myself as an “employee”. Over time,

Inside the Massive Alleged AT&T Data Breach

I hate having to use that word – “alleged” – because it’s so inconclusive and I know it will leave people with many unanswered questions. But sometimes, “alleged” is just where we need to begin and over the course of time, proper attribution is

The Data Breach “Personal Stash” Ecosystem

I’ve always thought of it a bit like baseball cards; a kid has a card of this one player that another kid is keen on, and that kid has a card the first one wants, so they make a trade. They both have a bunch of cards they
