Aussie Troy Hunt drops Have I Been Pwned sale

The Have I Been Pwned data breach alert service will remain independent


After a nearly year-long search to find a suitable buyer for the Have I Been Pwned data breach alert service, its Australian founder, Troy Hunt, has decided to call it quits on the sale and keep the service independent.

Hunt announced he had ended the search for a buyer due to what he suggests was a failure in Silicon Valley’s arduous selling processes, rather than any problem inherent to Have I Been Pwned’s operations.

Since launching in 2013, Have I Been Pwned has helped IT admins and millions of average online users across the world understand whether an account under their control had been compromised. Have I Been Pwned started with a simple promise: users could search an account across multiple breaches. It’s always been a free service that was owned and operated by Hunt using Microsoft Azure and Cloudflare services. Today, it holds billions of accounts and has several million subscribers who want to know when their account has been compromised.

Over that time, Hunt has diligently collected details about data breaches and online account credentials that had been leaked online. High-profile breaches included in the service affected hundreds of millions of users of Adobe, Microsoft-owned LinkedIn, MySpace, Zynga, Adult FriendFinder, and more recently MGM Resorts.

The site today has a database of over 9.5 billion pwned, or compromised, accounts. Hackers often traded these on underground cybercrime forums for years before they became public knowledge, allowing cybercriminals to try their luck on other websites, knowing that people foolishly re-use the same password across Facebook, Google, and dozens of other apps they had signed up to over the past decade.

Have I Been Pwned has attracted about 3 million subscribers who were interested in receiving a notification when the next online service containing breached records became available. Though small by global publishing standards, the site attracted up to 10 million unique visitors per day.

Hunt developed a partnership with Mozilla to create Firefox Monitor breach alerts for users of the Firefox browser. The governments of Australia, the UK, Austria, Ireland, Norway, Switzerland and Denmark have also signed up to protect their users against data breaches.

Hunt used consultancy firm KPMG to manage the 11-month acquisition process and announced the sale last June as Project Svalbard — a reference to the frozen seed vault in Norway for saving the genes of the world’s crop seeds in the face of natural disaster.

He described his efforts to sell the website — which has been integrated into Mozilla’s Firefox Monitor breach alert service — in a blog post detailing how he managed to dodge Silicon Valley’s “golden handcuffs”. “A consistent theme across all the bidding companies was that they wanted me locked in for years and if I changed my mind part way through, I’d pay for it big time. I expected that — it wasn’t news to me — but I’d be lying if I said it didn’t worry me once I started seeing it in writing,” he says.

Hunt says he initially had 141 potential buyers but whittled that number down to 43 prospects, which aligned with his own vision for the service and which would hire him to steer it. Bidders were interested in Have I Been Pwned to develop products for prevention of credential stuffing attacks, fraud detection, identity theft services and cyber-awareness, Hunt told CSOonline.

Hunt hasn’t disclosed any of the bidders’ names, but says KPMG and he offered exclusivity to one bidder that met his criteria. The deal apparently fell apart during the due-diligence process because the would-be buyer changed its business model, which “made the deal infeasible”. That failure also derailed Hunt’s plans to sell the project to another entity. “After many months of exclusivity with a single organisation and going through crazy amounts of due diligence, the effort involved in scrolling back to the September time frame and starting it all again with another organisation would have been enormous,” wrote Hunt.

Copyright © 2020 IDG Communications, Inc.
