Have I Been Pwned (HIBP), the go-to site for checking whether your email address or password has been exposed in a data breach (and if so, how many times), has teamed up with the US FBI to bolster its database with compromised credentials as they become available. The service has also gone open source.
The HIBP website is a gem of the Internet. It was started by Troy Hunt, a web security consultant and member of the Microsoft Regional Director program (he is not a Microsoft employee), who was prompted to create the service after a 2013 breach at Adobe exposed the login credentials of 150 million accounts, the single largest breach of customer accounts at the time.
There are two components to HIBP: one for email addresses and one for passwords. The latter, which records more than 154 million hacked accounts, lives in Windows Azure table storage and can be searched separately. That may sound risky, but the passwords are not stored alongside any personal information (such as email addresses) and are kept only as SHA-1 (Secure Hash Algorithm 1) hashes.
In a blog post, Hunt explains that the FBI reached out about creating a way for the agency to feed compromised passwords directly into HIBP. Hunt says the FBI’s goal is “completely consistent” with his own, which is to proactively warn people when their accounts are compromised (users can opt in to be notified when a breach linked to their email address is detected), so the two are now working together to make it happen. According to Hunt, the FBI will enter hacked passwords into the service nearly a billion times each month.
“We are excited to partner with HIBP on this important project to protect victims of online credential theft. It is another example of how important public/private partnerships are in the fight against cybercrime,” said Bryan A. Vorndran, Assistant Director of the FBI’s Cyber Division.
The FBI’s direct feed to HIBP keeps the data safe, as passwords enter the service as SHA-1 and NTLM hash pairs rather than plain text. What does this mean in practice? For users, faster alerts if and when their account turns up in a data breach.
“They will be fed into the system as soon as they are made available by the Bureau, and this is clearly a cadence and volume that fluctuates depending on the nature of the investigations they are involved in,” Hunt says. “The important thing is to ensure there is an ingest path through which data can flow into HIBP and be made available to consumers as quickly as possible in order to maximize the value it provides.”
Working together on a live feed is the next logical step. The FBI recently handed more than 4.3 million compromised email addresses to Hunt, obtained from the takedown of the Emotet botnet in January. Having a direct pipeline means the FBI can do this kind of thing faster in the future.
Hunt also announced that HIBP is now open source under the .NET Foundation. He said this is the right step for the project’s continuity, ensuring a more sustainable future rather than having the service depend on him alone, and that it also matters for transparency.
“Putting the code out in public goes a long way in addressing people’s concerns about the way the service works. For example, people often wonder if I’m logging searches in order to create a new list of email addresses,” Hunt explained in an earlier blog post. “No, I’m not, but for now that assertion effectively boils down to ‘trust me.’ Showing the code — the actual code — and proving that it doesn’t log things is a completely different proposition,” Hunt said.
These are welcome announcements, and should ensure that HIBP remains a relevant and useful service for a long time to come.