Have I Been Pwned: Software Behind the Password Leak Website Goes Open Source

Microsoft employee Troy Hunt wants to publish the software behind his password leak collection Have I Been Pwned as open source. Until now, he had developed the software on his own as a closed-source project. Hunt decided to take this step after a sale of the site fell through in March 2020.

Have I Been Pwned (HIBP) offers a free service for checking leaked credentials. All you have to do is enter your e-mail address and, if there is a hit, you receive a list of the leaks in which the address appeared. Hunt got the idea for the site in 2013 while traveling by plane. The site's database now holds over 10 billion entries.

With the release, Troy Hunt wants to spread the responsibility for HIBP across many shoulders. He has been solely responsible for the site and its technology for seven years. That is not good for the site and not good for him, he makes clear in a blog post.

He himself is a frequent user of open source software and hopes that by releasing the code, more companies and developers will benefit from the service and help improve it. In addition, until now users have had to trust Hunt not to store, for example, the e-mail addresses and passwords that people type into the site. Once the code is fully open, everyone can see how the service works.

Hunt cut corners in many places during development and took a few shortcuts. For that reason, he cannot publish the code immediately. There is probably also some data in the code, such as access keys, that does not belong there. He is now working with a few trusted helpers to clean up the code and then release it. The release will happen bit by bit. Hunt does not yet know exactly when it will start. He wants to go so far as to make the site's entire infrastructure public, so that the project can be carried on by others even if he himself is no longer able to. Hunt does not, however, want to stop working on HIBP.

Publishing the 10 billion records in the database is a difficult subject. On the one hand, all of the data reached the public through criminal activity; on the other hand, it is the private data of billions of people, Hunt's own included. Legally, he is operating in a gray area. Most of these leaks already circulate on the net, but he still wants to make sure that control over privacy remains possible.
