Open Source

Troy Hunt open-sources Have I Been Pwned engine

Read time 4min 00sec

Data breach and record exposure search engine Have I Been Pwned (HIBP) is going open source.

The platform was developed by Australian cyber security expert Troy Hunt, who made headlines in SA in 2017 after he unearthed the country’s biggest data breach which exposed the personal information of about 30 million South Africans.

Hunt created the HIBP platform as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or “pwned” in a data breach.

Created in December 2013, the service collects and analyses hundreds of database dumps and pastes containing information about billions of leaked accounts, and allows users to search for their own information by entering their username or e-mail address.

Users can also sign up to be notified if their e-mail address appears in future dumps. The site has been widely touted as a valuable resource for Internet users wishing to protect their security and privacy.

Spreading the responsibility

Hunt has taken the project to the open source community after his bid to sell the platform was unsuccessful.

In a blog post, he says: “I’m going to open-source the Have I Been Pwned code base. The decision has been a while coming and it took a failed merger and acquisition (M&A) process to get here, but the code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it.

“I’ve been giving a great deal of thought to how I want this project to evolve lately, especially in the wake of the M&A process that ended earlier this year right back where I'd started – with me being solely responsible for everything.”

He points out that the single most important objective of that process was to seek a more sustainable future for HIBP and that desire hasn’t changed.

“The project cannot be solely dependent on me. Yet that's where we are today and if I disappear, HIBP quickly withers and dies,” Hunt says.

“As I’ve given further thought to the future since the M&A process, the significance of community contributions has really hit home. Every single byte of data that’s been loaded into the system in recent years has come from someone who freely offered it in order to improve the security landscape for everyone.

“Many of the services that HIBP runs on are provided free by the likes of Cloudflare. Much of the code that has been written has drawn on community contributions either by virtue of content people have published publicly or support that's been provided to me directly.”

Hunt points out that open-sourcing the code base is the most obvious way to do this. “It takes the nuts and bolts of HIBP and puts them in the hands of people who can help sustain the service regardless of what happens to me.

“But this isn’t just a philosophical decision based on a desire to offload work; it's also common sense for a number of reasons.”

Huge contribution

Ilia Kolochenko, founder and CEO of Web security company ImmuniWeb, comments: “Maintaining a database such as Have I Been Pwned is a titanic effort, and Troy Hunt definitely improved the modern Internet by attracting everyone’s attention to the skyrocketing problem of data breaches and leaks affecting everyone in our society.

“It’s still a bit unclear who within the emerging HITB community will have access to the data of billions of stolen credentials and for which purposes. In some states, such access may be unlawful and criminally punishable under a fairly broad spectrum of circumstances.

“Otherwise, the idea to bring in community efforts makes a lot of sense, as communities like the Open Bug Bounty project have had more success compared to many commercial crowd security testing companies.”

Kolochenko says disclosing a source code may also impose certain risks; for example, attackers will have a better understanding to detect vulnerabilities in the code and potentially compromise the project.

“Vetting of the developers and security enthusiasts is not an easy task given that many cyber criminals will want to get access to the project under colour of supporting it. I hope the project will successfully reinvent itself.”

See also