Have I Been Pwned: Collaborating with FBI and Open Source Publishing

The free service for checking leaked credentials, Have I Been Pwned (HIBP), is now receiving considerable support from the US federal law enforcement agency FBI: the agency will feed the project with leaked data from its own holdings. In addition, the source code of the HIBP service is to be made available as open source software. This is what project operator Troy Hunt writes on his blog.

Hunt spoke to the FBI about ways of working together further, he writes in his blog post. It was agreed that the agency would allow leaked passwords from its own investigations to flow into the HIBP project. As recently as April, the FBI had sent Hunt over 4 million e-mail addresses in the course of the takedown of the Emotet Trojan, which were then incorporated into HIBP. In the new collaboration, login data from the FBI is to flow into the service's Pwned Passwords function; the data should be as up-to-date as possible so that those affected can quickly check whether they need to change their passwords once a leak becomes known.

Hunt has also begun releasing the service's code base as open source software. He had already announced this step last August, but had probably underestimated the effort involved in opening up his one-man project to a community of developers and cleaning leftovers out of the code. He has received support from the .NET Foundation, a non-profit organization backed by Microsoft, as he writes.

The first two components of the HIBP code are now published on GitHub: the Azure Function and Cloudflare Worker repositories. They can be used to run an endpoint for Pwned Passwords that accepts passwords hashed in pairs (once with SHA-1 and once with NTLM) and stores them in a database. These parts of the code are part of the collaboration with the FBI, which wants to transmit its findings to HIBP by this route.

Have I Been Pwned is by now a very well-known project that collects openly available leaked login data and stores it in a database. For an e-mail address or a password, HIBP shows whether it has turned up in a leak. In particularly sensitive cases, this information is only sent to the owner of the respective e-mail address and is not disclosed openly on the project website. The database has grown enormously in the meantime: over 11 billion entries can be searched, and Pwned Passwords holds over 613 million records. The number of queries is also growing enormously: Pwned Passwords lookups are approaching the billion mark per month, as Hunt announced on Twitter.

The security expert and Microsoft employee Hunt is also looking for volunteers who want to help with the further development of HIBP, which is one of the reasons he is publishing the code as open source software. The information in the database is or was all openly accessible on the Internet, but mostly stems from criminal activity. The HIBP project therefore operates on legally sensitive ground, and Hunt wants to spread the responsibility for it across several people. He also sees disclosing the code as a bid for trust that HIBP handles the data responsibly.

