‘Have I Been Pwned’ is for sale, but what is it worth and who will buy it?

As the week winds down and the news of Troy Hunt soliciting bids to sell the Have I Been Pwned (HIBP) service, it seemed inevitable that I would receive a flood of questions from friends and colleagues seeking my thoughts on this headline. As the former CEO of a venture backed start-up company (VeriClouds) solving nearly identical problems as HIBP is trying to solve, fielding questions about HIBP has become a normal activity in this business. Competing against “free” is always a fool’s game unless and until the conversation is changed from one of free to innovation and value creation.

According to Wikipedia, HIBP launched in December of 2013 and subsequently reached more than two million subscribers. Troy emerged from obscurity by reporting publicly about data breaches and publicly shaming companies and their customer service representatives when confronted with vulnerabilities such as leaked credentials. 7B breached credentials and 6 years later it looks as though HIBP will finally enter a new chapter and make progress towards its true calling under the leadership of an established product/technology company.

It is in fact great news!

“Project Svalbard” represents a transformational mindset shift on Troy’s part and an acknowledgement that HIBP has a lot more potential than what it currently enjoys. Troy’s decision to sell HIBP (which he announced here) is great news for Troy, his buyer, and the industry at large. The HIBP service has not only played an important role in educating the industry and even the Congress of the United States about the growing risk and frequency of data breaches (transcript congressional hearing here) it has helped end users and organizations to better understand that we have all been pwned one way or another, and the cumulative effects that breaches over time have on security.

Troy’s Project Svalbard does in fact contain the seeds of exciting potential for the buyer of the HIBP service. One of the fascinating success stories of HIBP is how Troy has deployed and managed the service on Microsoft Azure in a capital efficient way, which he explains here. Doing what any Microsoft MVP would do, he developed and documented a scalable webservice deployed on Microsoft’s Azure cloud computing service that in instructive to not only start-ups but large organizations seeking to operate their enterprise computing infrastructure in a cost-effective manner.

Although Troy maintains that he would like the service to be available for free post-acquisition, there is an enormous amount of IP from the research, operations and press relationships that will have many companies drooling. The free and open-source HIBP will likely continue in its current incarnation while the real valuable IP —along with Troy’s Midas touch with research and PR— will be parlayed into a commercially viable product.

The devil is in the details

During my time as CEO of VeriClouds I was asked countless times how VeriClouds is better than HIBP. It is a fair question. In fact, very few forward-thinking cybersecurity leaders would be able to identify more than one distinguishing feature of venture backed solutions available on the market today. In an article published on the U Have Been Pwned website (sponsored by Enzoic, TruGrid and Detack) it was pointed out that HIBP is missing the one killer feature that sets them apart from HIBP.

The one killer feature, the article says, “that is missing from HIBP is that it doesn’t preserve passwords when collecting them from credential leaks and hacker databases.” As buyers perform due diligence on HIBP it will be immediately apparent that without the username and password, there is no actionable insight that can be delivered at scale. As of the date of this article, HIBP is not the only service that lacks such actionable insights. Customers of AT&T who use the Mobile Security app (a manifestation of the IP acquired by their acquisition of Alien Vault) proves to users that they have been pwned, but lacks any guidance on the severity of the risk and more importantly what action needs to be taken if any at all.

Without the benefit of venture capital or a monetization model other than donations from generous subscribers, it will also be apparent to buyers that the HIBP service has lacked any real substantial innovation and thus missing out on other desirable features. In a private conversation I had with Troy in 2018 (it was not under NDA) Troy admittedly operates the service on a time budget of 4 hours per week, without any help from others. I suspect that any buyer will struggle with this fact —that HIBP capabilities severely lags in features offered by venture backed companies— although that can be offset by the real value of the acquisition which lies in the fact that Troy’s talent and reputation is a large part of the deal.

The valuation

Having gone through the due diligence process with buyers for selling a technology company like HIBP, I can appreciate that serious buyers will be forced to look beyond reputation and future potential when establishing a purchase price. Michael Green, CEO of Enzoic (a credential screening and cybersecurity company in Boulder, Colorado) and previously CEO at ID Watchdog where he turned the company around and had a successful exit to Equifax, explains that “The problem with valuation when considering an acquisition is that it really comes down to revenue and revenue growth which translates into a multiple of revenues. There might be a golden egg hidden underneath the publicly visible IP, but we have a more difficult challenge in assessing and putting a monetary value on that.”

Without revenue to speak of, buyers will not be able to acquire HIBP based on a multiple of revenues. I suspect that the assets of HIBP may not be the primary consideration at all. Troy’s value as a researcher, analyst and ability to manage global comms for a company —plus maybe the 0.005 of his subscriber base that can be migrated to the buyer’s platform— would look more attractive to the buyer than assets or existing revenues.

Any buyer who can convert ½ of one percent of HIBP subscribers at the rate of, for the sake of argument let’s say $25,000 on an annual subscription, would recognize upwards of $250M in annually recurring revenue, not bad, but again that is based on speculation.

Who are the buyers?

As previously established, the HIBP service in its current state does not offer actionable insights and therefore cannot offer the same level of protection as modern solutions in the identity threat intelligence space. I have written before, and it is worth stating again that leading security practitioners assume a state of breach and are now more urgently focused on answering “How at risk are my users and is my organization to the risk of compromised credentials?”

Recently published NIST (National Institute of Standards and Technology) Digital Identity Guidelines recommends a list of important verification steps when updating the password for a given account. Specifically, that verifiers SHALL compare the prospective secret (i.e., the account password) against a list that contains values known to be commonly used, expected, or compromised. While this guideline is open to wide interpretations —from checking password blacklists to checking actual user’s credential for compromise— it generally falls into the hands of cloud identity service providers (E.g. Okta, Amazon AWS, Microsoft Azure) to on-premise identity management solutions from the likes of Oracle, Microsoft, Ping Identity and so forth to enforce this requirement. Without the username/password preserved for verification during registration, login and password reset, the use of HIBP would tax end-user productivity to the detriment of the user experience.

My intuition informs me that companies who are focused on risk scoring (those who don’t have or need access to users’ passwords) will be more interested in what HIBP has to offer than IAM companies. With its recent IPOs, CrowdStrike and Tenable seem more likely buyers, including CASBs such as Netskope, Skyhigh (McAfee), Bitglass and so forth. Though with Troy’s reputation being what it is, I would not be surprised if Shape Security scooped up HIBP to monetize on his reputation and ability to engage the media and shape public perceptions.

The security of identity

Since I started writing this column in 2017, the main objective has been to focus on the security of consumer and end-user identity management. Through that lens, HIBP does not offer enough to enhance the security of identity due to missing the killer feature of credential verification. I delved deeper into The Politics of Have I Been Pwned with hopes that cybersecurity leaders can make informed decisions about credential-centric threat intelligence services as a category of cybersecurity.

On the other hand, I wish all the best for Troy and the buyer of HIBP and believe (along with Troy) that there is much more that can be done, and that with HIBP he has only begun to scratch the surface of possibilities within the identity threat intelligence and fraud prevention arena. Backed by the financial resources of a larger organization, and a team of engineers and researches who can collaborate with Troy, I look forward to seeing HIBP re-imagined. I am confident that it will impress us all like we were impressed in 2014 when the service first launched.