Troy Hunt puts Have I Been Pwned up for sale

A list of poorly-constructed passwords on a notepad
(Image credit: Shutterstock)

The founder of a widely-used database which people can use to check if their username and password credentials have been compromised online has launched a campaign to find a new buyer for the service.

Security researcher Troy Hunt is looking to sell Have I Been Pwned (HIBP) after struggling to cope with handling an explosion in the number of data breaches reported in recent months.

He's launched 'Project Svalbard' with the aim of finding a new home for the six-year-old tool in such a way that its altruistic reputation is preserved, and a swathe of new features can be added.

"It's time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that's able to do way more than what I ever could on my own," Hunt said. "To be completely honest, it's been an enormously stressful year dealing with it all.

"The extra attention HIBP started getting in Jan never returned to 2018 levels, it just kept growing and growing. I made various changes to adjust to the workload, perhaps one of the most publicly obvious being a massive decline in engagement over social media."

Hunt insisted he wants to remain a part of the service following any acquisition, and that it should remain freely available to use. This is because its success, he said, can be attributed to there being no barriers to people searching for whether their data has been compromised now or in the past.

Moreover, Hunt has set out plans to change security practices to fight the practice of password reuse, which is often the driver for credential stuffing attacks. He has set out ambitions for HIBP to play a role in changing user behaviour to stamp out lax cyber security habits and practices.

He said the next stage of the process involves working with auditors KPGM to identify a host of candidate organisations that fit his criteria and have the capabilities to deal with the scale of the challenge.

He has opted not to expand HIBP through a conventional commercial structure, in which investors are found and additional staff are hired, because it may raise the scale of his responsibilities at a time he wants to cut back.

"In those early discussions with other organisations, I'm already starting to see a pattern emerge around better managing the entire data breach ecosystem," Hunt continued.

"Imagine a future where I'm able to source and process much more data, proactively reach out to impacted organisations, guide them through the process of handling the incident, ensure impacted individuals like you and me better understand our exposure (and what to do about it) and ultimately, reduce the impact of data breaches on organisations and consumers alike."

Hunt's own analytics shows the website's popularity has spiked in recent months, coinciding with an explosion of high-profile data leaks and breaches. One of his highest spikes coincided with revelations around the Collection #1 leak, in which a gargantuan 87GB trove of 773 million unique records was exposed online in January this year.

This was shortly dwarfed by the release of Collections #2-5 in February, however, exposing 600GB of data and more than 2.2 billion unique records online.

Large data leaks like these, in which credentials have been harvested from historic data breaches, are becoming increasingly common. Another high profile incident occurred as recently as March when an email verification service took itself offline after 800 million customer records were publicly exposed through an unprotected server.

Indeed the dangers facing businesses are everpresent and growing, a fresh report has suggested. An analysis of FTSE 250 companies shows, on average, that companies expose 35 different avenues of attack for cyber criminals, according to cyber security company Rapid7.

Even among the most mature and well-resourced organisations, researchers found evidence of cyber security basics being missed or deployed insufficiently. Many companies were also found to expose more than 1000 systems or devices.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.