Creator of @haveibeenpwned. Microsoft Regional Director. Pluralsight author. Online security, technology and “The Cloud”. Australian.

Australia
Sometimes, life feels like a fairytale. This is now my favourite photo ever ❤️
Something super weird happening right now: just been called by several totally different media outlets in the last few minutes, all with Windows machines suddenly BSoD’ing (Blue Screen of Death). Anyone else seen this? Seems to be entering recovery mode:
Someone just delivered me a massive data breach. It’s all there - names, addresses, phone numbers - huge!!!
You absolute muppet, Ghulam 🤦‍♂️
I’m a responsible parent so I use the controls on iOS to limit screen time on the old iPhone my 9-year old uses. A white-listed exception is iMessage; he’s worked out he can send someone a YouTube vid then watch it in iMessage to circumvent the control. So proud 😅
This car is white
I’d like to say a big “thank you” to @realDonaldTrump for providing me with material that’s going to feature in many, many presentations for years to come 🤣
I love that part of the Microsoft Security Score for Identity in Azure improves your score if you *don't* enforce password rotation, what a sign of the times! Who out there still works somewhere that forces rotation (because "reasons")?
5 months to the day since @elonmusk took over Twitter. It still works just fine. There are new features. This isn’t the outcome many people were predicting.
Hi folks, yes, I'm aware of this. I've been in communication with the Internet Archive over the last few days re the data breach, didn't know the site was defaced until people started flagging it with me just now. More soon.
Was the Internet Archive (@internetarchive) hacked? 😬 I got this JS alert while loading an archived page. cc: @troyhunt
Hmmm… now to find a 4-digit PIN that hasn’t been pwned 🧐
This is so cool, thanks @FBI 😊
Do not start your password with “0”. Because security.
These are ridiculous....
This was a very uncomfortable breach to process for reasons that should be obvious from @josephfcox's article. Let me add some more "colour" based on what I found:
New sensitive breach: "AI girlfriend" site Muah[.]ai had 1.9M email addresses breached last month. Data included AI prompts describing desired images, many sexual in nature and many describing child exploitation. 24% were already in @haveibeenpwned. More: 404media.co/hacked-ai-girlfr…
How to identify a vehicle at risk of collisions:
This is going to be complete garbage, isn’t it Jhon?
It's time for @haveibeenpwned to grow up and go beyond what I can do as one person. This has taken a lot of thought over the course of this year; here's the factors driving it, the path forward and what it means for the future. Here's Project Svalbard: troyhunt.com/project-svalbar…
This is basically what we were all worried about with Y2K, except it's actually happened this time ☠️
I do my best with @haveibeenpwned. It takes huge amounts of time and effort and sometimes, is a thankless pursuit. I don’t reply to messages like this, but I’m sharing it to give just a little bit of a sense of the stuff I have to deal with to make it happen.
I don’t normally reply to these, but when someone is a big enough dickhead, I make an exception:
Should I update this elevator’s Java? I’m sure it’ll work out just fine...
Anyone got a @BBC contact that can get this fixed? Not sure if this is your piece @daniel_thomasg: "The hackers, who call themselves "Have I Been Pwned", made off with more than 31 million email addresses, usernames and passwords." view.email.bbc.com/?vawpToke…
Yep, you read that correctly 🤦‍♂️
New breach: Horse Isle had 28k unique email addresses breached in 2020 - twice. Data included IP address, name, gender, purchases and plain text password, including failed password attempts, also in plain text. 77% were already in @haveibeenpwned. More: hi1.horseisle.com/web/news.p…
Please change your DNA
Millions of DNA tests leaked after hackers breach company's 'forgotten' database rawstory.com/millions-of-dna…
I don’t think it’s too early to call it: this will be the largest IT outage in history
Epic @united app review 😎
I’m gonna need all these one day, right?
This will be a hugely unpopular thing, however... The premise of attaching a nominal cost to a previously free service in order to combat abuse is exactly what I did with the @haveibeenpwned API keys 4 years ago: troyhunt.com/authentication-… This stopped abuse dead. Not a little bit, not mostly, but 100%. The reason wasn't that there was no longer an ROI for abusers, rather it was because you had to stump up a credit card that could be traced back to you. Combine that with Stripe doing a very good job of identifying fraudulent use of cards (our dispute rate is 0.01% for the last 6 months) and it's now very unattractive to do nasty stuff with the service. Clearly, they're not going to make any money out of a $1 annual fee (and for now, that's only new users in 2 countries anyway). I've no doubt based on my own experiences that it'll put a massive dent in abuse originating from those markets, I'm just not sure how much it will piss off their user base. Or how much it will matter.
One day, I'm going to do a NSFW only conference talk on the weirdest data breaches I've ever processed. The one I just got sent is going to be right up there at the top of the list. HOLY. SHIT.
Call comes in: “Hi this is Telstra, we need to verify your identity” “Sure, can you verify your identity first?” “Uh, we’re Telstra” “Ah, but that’s not how this is going to work, can you verify my account information” “But we need to verify you first!” Yeah, nah, bye!
Screw this, I’ve got time 😎
I've wanted to do this post for ages & it's finally done - "Here's Why Your Static Website Needs HTTPS". It's a 24 min video showing a bunch of nasty stuff that can happen to *any* site served insecurely from crypto miners to credential phishing to Clippy: troyhunt.com/heres-why-your-…
I’ve had a heap of queries about this. I’m looking into it and yes, if it’s legit and suitable for @haveibeenpwned it’ll be searchable there shortly.
New data breach now loading into @haveibeenpwned that'll push it *well* over 10,000,000,000 records. Wow. Insane, never thought I'd be here doing this with those numbers. It's been a fun little project 🙂
So apparently a @haveibeenpwned email wiped an entire ticketing system due to the SQL injection pattern I put in the contents of it 🤣 fyr.io/2020/05/30/haveibeenp…
Just one more holiday photo... 💍 ❤️
It's been a huge piece of work, but it's done: here's more than half a billion passwords for you to download for free and use to help protect your systems. Or use the online k-Anonymity API developed in conjunction with @Cloudflare. It rocks! troyhunt.com/ive-just-launch…
Seen at my local post office yesterday:
Running a free service is bloody thankless at times, I've just got no patience for this sort of shit
10 years ago today, I started a pet project with a stupid name. Like all my previous projects, I expected it to scratch an itch and then fail miserably. But @haveibeenpwned didn't do that, not by a long shot. A decade later here we are! 🎂 troyhunt.com/a-decade-of-hav…
Felt really sad waking up and seeing “RIP Kevin” in my timeline. I doubt there is a more well known name in our industry but if he’s unfamiliar to you (or you haven’t read this book), go and grab “Ghost in the Wires” which is an exceptional read. Kevin started regularly coming to the Gold Coast about 6 years ago. I first met him here just after I’d gotten a boat and thought it would be a great idea to take him and my kids on a ride to a pretty secluded island. We had an awesome trip over, moored just off the beach then sat at a little cafe having lunch. When we went to leave, the tide had dropped and the boat was sitting half way up the beach, going nowhere. And a storm was coming. We ended up spending hours sitting in the cafe into the night while we played Jenga and he taught the kids card tricks. Eventually, late and dark with the storm still raging, we headed home anyway navigating through the pitch dark via the flashing red and green beacons. We came home drenched and according to Kevin, elated anyway at an awesome day out 😊 I never stranded Kevin anywhere again, but we did do more boat trips in the years to follow. The stories this guy had were nuts; obviously the hacking, but changing identities, being on the run, getting locked up and perhaps what hit the most, solitary confinement. It was a crazy time he found himself in (“Kevin might whistle nuclear launch codes into the telephone”), and he paid a hefty price. But he also later made a hell of an honest career out of it and became highly entertaining, and highly in demand. He was polarising, but there’s no arguing he earned his way to the top. You kinda hope that when you pass on, that’s not the end of it insofar as you’ve made a lasting difference. We’ll still be talking about Kevin for decades to come, and there’s no arguing that he helped shape the industry to become what it is today. A colourful character and friend, RIP Kevin. dignitymemorial.com/obituari…
Complete step-by-step guide to hacking @GovParsonMO's website: 1) Press F12
I’ve had a lot of people tweeting this at me so let me give you 2 thoughts on it: 1) Making 2FA a premium service sends a bad message 2) Putting a price on the weakest form of 2FA and keeping 2 much better alternatives free is good
Another cool little @Cloudflare thing that snuck out recently is this very simple security.txt creator:
Your hacker name is your first pet’s name followed by your mother’s maiden name and the town you were born in. What’s yours?
WE DIDN’T EVEN MAKE IT THROUGH ONE DAY IN 2019!!!
Victorian Government employees' details stolen in data breach abc.net.au/news/2019-01-01/v…
You know a data breach is big when...
Hearing multiple reports of a Crowdstrike agent issue
Replying to @troyhunt
Apparently crowdstrike agent
Me to my wife: “Uh, what brand is our new washing machine?” “Samsung” “Why the fuck is it broadcasting an SSID?!”
Oh for fucks sake. I seriously did not know I had an account in this breach until this email from @haveibeenpwned just landed. Thanks @troyhunt 🤬
Don't think I've seen someone store both a password hash *and* the plain text of it in a data breach! That's, uh... "special" 🤦‍♂️
Every time I come back to Europe, I’m reminded of the absolute batshit insanity that cookie warnings are. Idiotic, poorly thought out, user experience-killing compliance garbage that can’t possibly do anything to improve privacy in any meaningful way whatsoever.
I hate getting emails from this guy 😭
This IoT shit is getting out of control
I took the brief tweet thread I did earlier today on the alleged @MinneapolisPD hack and ran the emails and passwords through @haveibeenpwned. It's not a new breach, it's existing data that's falsely attributed and is causing disinformation to spread troyhunt.com/analysing-the-a…
In 2013, I built the front end of @haveibeenpwned on Bootstrap and jQuery. In 2025, @stebets and I are rebuilding it as part of a rebrand. What should we use? What are the front end tools that make web dev awesome today? (vanilla HTML, CSS and JS aside, of course)
The financial impact of this is already hard to fathom
Replying to @troyhunt
Captain on my United flight just said we can’t take off because a computer system on the plane just crashed. Stuck at the gate
Remember when the biggest worry we had about candles was the house burning down because *you* left one on? Get ready for other people to start sparking them up for you remotely with “smart” candles... with real fire! kickstarter.com/projects/can…
When the pizza boy knows who you are 🍕
New day, new beginning ❤️
I’m so sick of these dickheads. Meanwhile, I’m trying to report massive data breaches to orgs who aren’t replying because they get so much crap like Sam’s!
Alleged breach of 400M+ Twitter accounts. Legitimacy isn’t yet clear, but the aggressive, threatening wording is unmistakable. Of course Twitter will never pay, so let’s see what happens next.
Airports down
Replying to @troyhunt
Same here - extremely widespread. Airports are down.
WTF?!
Yeah, nah...
Just an important point on this as I’m seeing some misunderstandings: this is not a “Microsoft outage” (disclosure: I don’t work there or speak for them, Regional Directors are totally independent), it’s a CrowdStrike issue impacting Microsoft PCs.
I fucking hate beg bounties 😡
Absolutely over the moon to formally make @Charlotte_Hunt_ a part of our family ❤️ 💍
Anyone got a security contact at ISIS?
🚨Data Breach Alert - ISIS The threat actor known as '0BITS' has claimed responsibility for a data breach affecting ISIS (Islamic State of Iraq and Syria), allegedly exposing critical data from 2023. According to the post, the leaked information includes the names of funders, origin details, partners, infrastructure, full names of members, operational plans, hostage details, and records of gift recipients for ISIS members' wives.
Not just everywhere, but every*one* (nearly). This is massive
Replying to @troyhunt
Banks Media Airports You name it, anyone using @CrowdStrike is feeling the pain this afternoon.
😍
Essential arachnid training for friends considering visiting Australia
So I just managed to lock out the @haveibeenpwned Twitter account by putting the service's birthday in and falling afoul of minimum age requirements. I'll get it sorted in a jiffy, just a heads up in case anyone notices something is up and wonders what happened.
I'm so sick of those bullshit "your article is really nice, I think your readers would find my article useful, please link to it" spam emails that I've decided to start featuring them all. Well, kinda, here's what I'm going to do: troyhunt.com/no-i-wont-link-…
I will never stop loving this vendor response to a security flaw: "the lock is invincible to people who do not have a screwdriver" 🤣
The company that sent me the pictured fingerprint lock has provided the security quote of the year: “...the lock is invincible to the people who do not have a screwdriver.”
If you're watching this unfold and are unfamiliar with the name "CrowdStrike", they're a *massive* player in the security space and have billions of dollars of annual revenue. Their products include "EDR", which is endpoint detection and response. Think of it as antivirus.
ROAD TRIP!!! 🐬 🕷🦈 🐊 🦘🐍 🐨 google.com/maps/dir/Surfers+…
Good one @Visa, absolutely no warning about truncating generated passwords from @1Password. The account gets created but then I can't login until I view the DOM and chop the end off my >32 char password. This doesn't need to be this hard...
I’m marrying my dream girl 🍺 😍 🍺 (Oktoberfest, Munich, 2019)
This is without doubt the most hilarious discussion I’ve had in a long time 😂
I’m astounded to see people still arguing “my site doesn’t need HTTPS” so I’ll put it simply: either spend a few mins putting it on your site now or continually explaining to your visitors why your site is not “not secure” until you end up doing it anyway. It’s not a negotiation.
New family car! I’m kinda a bit excited about this one!
Looks like BSoDs are turning up everywhere right now
Replying to @troyhunt
Delta Airlines in ATL hit
The global scope of this is *MASSIVE*. Germany:
Yeah (Greetings from germany)
And in the latest edition of “why you should HTTPS all the things”, I present to you Starbucks mining BTC in your customers’ browsers
Hi @Starbucks @StarbucksAr did you know that your in-store wifi provider in Buenos Aires forces a 10 second delay when you first connect to the wifi so it can mine bitcoin using a customer's laptop? Feels a little off-brand.. cc @GMFlickinger
You idiots 🤦‍♂️
I’ve had a few people flag this with me as a “data breach”. It’s not, it’s authorised access. Not liking that authorisation does not make it a data breach. If one of these guys then accidentally leaks it all over the place to unauthorised parties, *then* it’s a data breach!
“This is the...largest IT security breach in our country’s history.... You can’t un-ring this bell. Once these DOGE guys have access to these data systems, they can ostensibly do with it what they want.” theatlantic.com/technology/a…
Seeing a lot of failed login attempts to my Microsoft account in the last 24 hours from all over the world. Same with my son, always about 2 hours apart, anyone else?
Love this sticker from @_sarahyo 😜
I've had a blog post in draft for years that's been a bit of a pet project: "Fundamental Financial Lessons for Technology Professionals". Is this something you'd like to read? What would you like to see in it? I want to finally knock it out over the next few days.