| Troy Hunt | |
|---|---|
| Born | Troy Adam Hunt [1] 1976 (age 47–48) [2] |
| Nationality | Australian |
| Citizenship | Australia |
| Known for | Have I Been Pwned? |
| Height | 196 cm (6 ft 5 in) [3] |
| Awards | See Awards and achievements |
| Website | www |
Troy Adam Hunt is an Australian web security consultant known for public education and outreach on security topics. He created and operates Have I Been Pwned?, a data breach search website that allows users to see if their personal information has been compromised. He has also authored several popular security-related courses on Pluralsight, and regularly presents keynotes and workshops on security topics. [5] He created ASafaWeb, a tool that formerly performed automated security analysis on ASP.NET websites. [6]
As part of his work administering the Have I Been Pwned? (HIBP) website, Hunt had been involved in the publication of 644 data breaches as of 6 January 2023, [7] and journalists cite him as a cybersecurity expert [8] [9] [10] [11] [12] [13] and data-breach expert. [14] [15] [16]
As of June 2018, HIBP had recorded more than 5 billion compromised user accounts. The governments of Australia, the United Kingdom [17] and Spain use the service to monitor their official domains. [18] Popular services such as 1Password, [19] Eve Online, Okta [20] and Kogan have integrated HIBP into their account-verification processes.
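How a service can check a password against HIBP without ever sending the password: an added example, not HIBP's, 1Password's or Hunt's own code and not part of the original article, of the Pwned Passwords k-anonymity range lookup. The client hashes the password with SHA-1, sends only the first five hex characters to the published range endpoint, and matches the remaining 35 characters locally against the `SUFFIX:COUNT` lines that come back. The endpoint URL and the `Add-Padding` request header are the documented API; the response body below is constructed so the code runs offline, and the counts in it are made up.

```python
import hashlib
from typing import Callable, Dict

# Published Pwned Passwords range endpoint: the client reveals only a 5-hex-char
# prefix, so the server never learns which password (or full hash) was checked.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed sample response for prefix 5BAA6 (NOT a real API capture; counts invented).
# Real responses list every suffix in the bucket as SUFFIX:COUNT; with the
# Add-Padding header, zero-count decoy lines are mixed in to hide the bucket size.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # suffix of SHA-1("password")
        "0123456789ABCDEF0123456789ABCDEF012:0\r\n"        # padding line, must be ignored
    ),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """5-char prefix sent to the server, 35-char suffix kept on the client."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse SUFFIX:COUNT lines; drop malformed lines and zero-count padding."""
    out: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            continue  # tolerate garbage rather than crash the login path
        n = int(count)
        if n > 0:
            out[suffix.upper()] = n
    return out


def constructed_lookup(prefix: str) -> str:
    """Offline stand-in for the network call; unknown prefixes return an empty body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def fetch_range(prefix: str) -> str:
    """Live lookup against the real API (network); not used by the offline demo."""
    import urllib.request
    req = urllib.request.Request(
        PWNED_RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, lookup: Callable[[str], str] = constructed_lookup) -> int:
    """Number of times the password appears in breach corpora (0 if unseen in this range)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(lookup(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample range'}")
```

To run against the real service, pass `fetch_range` as the `lookup` argument; the client-side matching is unchanged, which is the point of the k-anonymity design.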
Gizmodo included HIBP in its October 2018 list of "100 Websites That Shaped the Internet as We Know It". [21]
In August 2015, following the Ashley Madison data breach, Hunt received many emails from Ashley Madison members asking for help. He criticized the company for doing a poor job informing its userbase. [22]
In February 2016 the children's toy-maker VTech, which had suffered a major data breach months earlier, updated its terms of service to absolve itself of wrongdoing in the event of future breaches. Hunt, who had added the data from VTech's breach to the Have I Been Pwned? database, published a blog post harshly criticizing VTech's new policy, calling it "grossly negligent". [23] He later removed the VTech breach from the database, stating that only two people besides himself had access to the data and that he wished to reduce the chance of its spread. [24]
In February 2017 Hunt published details of vulnerabilities in the Internet-connected children's toy, CloudPets, which had allowed access to 820,000 user records as well as 2.2 million audio files belonging to those users. [25] [26]
In November 2017 Hunt testified before the United States House Committee on Energy and Commerce about the impact of data breaches. [27]
Also in November 2017 Hunt joined Report URI, a project launched in 2015 by Scott Helme that allows real-time monitoring of Content Security Policy (CSP) and HTTP Public Key Pinning (HPKP) violations on a website, based on the violation reports browsers send to a reporting endpoint named in the policy. He planned to bring funding and his expertise to the project. [28] [29]
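What such a reporting endpoint actually receives, as an added example that is not Report URI's code and not part of the original article: a CSP header that names a report endpoint, and a triage pass over the JSON reports browsers POST when the policy blocks something. The report shape (`csp-report` with `effective-directive`, `violated-directive`, `blocked-uri`) is the standard browser format; the reports themselves are constructed, the site names are placeholders, and the endpoint URL is a hypothetical stand-in, not a real Report URI account.

```python
import json
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hypothetical reporting endpoint (placeholder, not a real account URL).
REPORT_ENDPOINT = "https://example.report-uri.com/r/d/csp/enforce"

# Constructed policy for the example site.
POLICY: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example"],
    "style-src": ["'self'"],
}


def build_csp(policy: Dict[str, List[str]], report_endpoint: str = REPORT_ENDPOINT) -> str:
    """Serialise a directive map into a Content-Security-Policy header value;
    report-uri tells the browser where to POST violation reports."""
    parts = [f"{name} {' '.join(sources)}" for name, sources in policy.items()]
    parts.append(f"report-uri {report_endpoint}")
    return "; ".join(parts)


def _report(**fields) -> str:
    return json.dumps({"csp-report": {"document-uri": "https://shop.example/checkout",
                                      "disposition": "enforce", "status-code": 200, **fields}})


# Constructed reports (not real traffic): a script loaded from an origin the policy never
# allowed (twice in the modern format, once in the older format that lacks
# effective-directive), an inline style, an eval(), and one body that is not a report.
CONSTRUCTED_REPORTS: List[str] = [
    _report(**{"effective-directive": "script-src", "violated-directive": "script-src",
               "blocked-uri": "https://evil.example/skimmer.js"}),
    _report(**{"effective-directive": "style-src", "violated-directive": "style-src",
               "blocked-uri": "inline"}),
    _report(**{"effective-directive": "script-src", "violated-directive": "script-src",
               "blocked-uri": "https://evil.example/skimmer.js"}),
    _report(**{"violated-directive": "script-src 'self' https://cdn.example",
               "blocked-uri": "https://evil.example/skimmer.js"}),
    _report(**{"effective-directive": "script-src", "violated-directive": "script-src",
               "blocked-uri": "eval"}),
    '{"not": "a csp report"}',
]


def parse_report(body: str) -> Optional[Dict[str, object]]:
    """Return the csp-report object, or None for bodies that are not well-formed reports."""
    try:
        obj = json.loads(body)
    except json.JSONDecodeError:
        return None
    report = obj.get("csp-report") if isinstance(obj, dict) else None
    if not isinstance(report, dict) or "blocked-uri" not in report:
        return None
    return report


def _origin(uri: str) -> str:
    """scheme://host for URLs; browser keywords such as 'inline' or 'eval' pass through."""
    p = urlparse(uri)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else uri


def triage(bodies: List[str], policy: Dict[str, List[str]]) -> Dict[str, object]:
    """Aggregate reports by (directive, blocked origin) and flag script loads from origins
    the policy never allowed, the pattern a skimmer injection produces. Keyword values of
    blocked-uri ('inline', 'eval', 'data', ...) are counted but not flagged."""
    counts: Counter = Counter()
    suspicious: Counter = Counter()
    malformed = 0
    for body in bodies:
        r = parse_report(body)
        if r is None:
            malformed += 1
            continue
        # Older browsers omit effective-directive and put the whole directive value in
        # violated-directive, so take the first token of whichever is present.
        raw = str(r.get("effective-directive") or r.get("violated-directive") or "")
        directive = (raw.split() or [""])[0]
        origin = _origin(str(r["blocked-uri"]))
        counts[(directive, origin)] += 1
        allowed = policy.get(directive, policy.get("default-src", []))
        if directive == "script-src" and origin.startswith(("http://", "https://")) \
                and origin not in allowed:
            suspicious[origin] += 1
    return {"counts": dict(counts), "suspicious_script_origins": dict(suspicious),
            "malformed": malformed}


if __name__ == "__main__":
    print(build_csp(POLICY))
    print(json.dumps(triage(CONSTRUCTED_REPORTS, POLICY), default=str, indent=2))
```

Inline-style and eval reports are usually policy noise from the site's own code; an unknown script origin seen repeatedly on a checkout page is the signal worth paging on.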
Hunt is known for his efforts in security education for computer and IT professionals. He has created several dozen courses on Pluralsight, an online education and training website for computer and creative professionals. He is one of the primary course authors for Pluralsight's Ethical Hacking path, a collection of courses designed for the Certified Ethical Hacker certification. [5]
Additionally, Hunt works in education by speaking at technology conferences and running workshops. His primary workshop, titled Hack Yourself First, aims to teach software developers with little security background how to defend their applications by looking at them from an attacker's perspective. [30] [31]
VTech is a Hong Kong-based global supplier of electronic learning products from infancy to preschool and the world's largest manufacturer of cordless phones.
A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, altered or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, information leakage and data spill. Incidents range from concerted attacks by individuals who hack for personal gain or malice, organized crime, political activists or national governments, to poorly configured system security or careless disposal of used computer equipment or data storage media. Leaked information can range from matters compromising national security, to information on actions which a government or official considers embarrassing and wants to conceal. A deliberate data breach by a person privy to the information, typically for political purposes, is more often described as a "leak".
LastPass is a password manager application owned by GoTo. The standard version of LastPass comes with a web interface, but also includes plugins for various web browsers and apps for many smartphones. It also includes support for bookmarklets.
Brazzers is a Canadian pornographic video production company with headquarters in Montreal, Quebec, Canada, and legal domicile in Nicosia, Cyprus. With an online network consisting of thirty-one hardcore pornography websites, the company's slogan is "World's Best HD Porn Site!". The site contains 10,036 videos, which were published by 33 different sites. Their network of sites features 2,340 pornstar models.
Have I Been Pwned? is a website that allows Internet users to check whether their personal data has been compromised by data breaches. The service collects and analyzes hundreds of database dumps and pastes containing information about billions of leaked accounts, and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future dumps. The site has been widely touted as a valuable resource for Internet users wishing to protect their own security and privacy. Have I Been Pwned? was created by security expert Troy Hunt on 4 December 2013.
Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords, and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number of previously discovered credential pairs using standard web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.
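The distinction the paragraph draws (many leaked credential pairs tried once each, versus brute force that hammers one account) is also what separates the two in logs. Below is an added detection example, not code from any product or from the original article: a sliding-window rule over a constructed login-audit log that flags a source address trying many distinct usernames with a high failure rate, and leaves a single-account brute-force source and a legitimate user alone. The log line format is hypothetical, and all addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Hypothetical login-audit format (not any real product's), e.g.
# 2024-03-01T10:00:01Z 203.0.113.7 POST /login user=user001 status=401
LINE_RE = re.compile(r"^(\S+) (\S+) POST /login user=(\S+) status=(\d{3})$")


class Attempt(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def _constructed_log() -> str:
    """Constructed sample traffic: one stuffing source, one brute-force source, one real user."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).strftime(TS_FMT)
    lines = []
    # Credential stuffing: 40 distinct leaked usernames, one password each, two "hits".
    for i in range(1, 41):
        status = 200 if i in (12, 33) else 401
        lines.append(f"{stamp(i)} 203.0.113.7 POST /login user=user{i:03d} status={status}")
    # Brute force against a single account: same user, 30 failures.
    for i in range(30):
        lines.append(f"{stamp(100 + i)} 198.51.100.9 POST /login user=alice status=401")
    # Legitimate user: one typo, then success.
    lines.append(f"{stamp(200)} 192.0.2.5 POST /login user=alice status=401")
    lines.append(f"{stamp(205)} 192.0.2.5 POST /login user=alice status=200")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text: str) -> List[Attempt]:
    """Parse login events; lines that do not match the format are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attempts.append(Attempt(datetime.strptime(m.group(1), TS_FMT),
                                m.group(2), m.group(3), m.group(4) == "200"))
    return attempts


def detect_credential_stuffing(attempts: List[Attempt], window: timedelta = timedelta(minutes=5),
                               min_users: int = 20, max_success_ratio: float = 0.2) -> Dict[str, dict]:
    """Flag a source IP whose busiest sliding window holds at least min_users distinct
    usernames and mostly failures. Brute force (many tries, one user) does not match;
    a per-account rule is the right detector for that case."""
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.ip].append(a)
    findings: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        start, best = 0, None  # best = (distinct users, events in that window)
        for end in range(len(events)):
            while events[end].ts - events[start].ts > window:
                start += 1
            win = events[start:end + 1]
            n_users = len({a.user for a in win})
            if best is None or n_users > best[0]:
                best = (n_users, win)
        n_users, win = best
        successes = sum(1 for a in win if a.ok)
        if n_users >= min_users and successes / len(win) <= max_success_ratio:
            findings[ip] = {
                "attempts": len(win),
                "distinct_users": n_users,
                "successes": successes,
                # Successful logins inside a stuffing burst are accounts to force-reset.
                "compromised": sorted(a.user for a in win if a.ok),
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, f)
```

The low success ratio is what makes the rule robust: a shared NAT with many legitimate users also shows many distinct usernames, but most of those logins succeed.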
The Internet service company Yahoo! was subjected to the largest data breach on record. Two major data breaches of user account data to hackers were revealed during the second half of 2016. The first announced breach, reported in September 2016, had occurred sometime in late 2014, and affected over 500 million Yahoo! user accounts. A separate data breach, occurring earlier around August 2013, was reported in December 2016. Initially believed to have affected over 1 billion user accounts, Yahoo! later affirmed in October 2017 that all 3 billion of its user accounts were impacted. Both breaches are considered the largest discovered in the history of the Internet. Specific details of material taken include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords. Further, Yahoo! reported that the late 2014 breach likely used manufactured web cookies to falsify login credentials, allowing hackers to gain access to any account without a password.
Cloudbleed was a memory-disclosure bug (a buffer overrun in Cloudflare's edge HTML parser) disclosed by Google Project Zero on February 17, 2017. Cloudflare's code disclosed the contents of memory that contained the private information of other customers, such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. As a result, data from Cloudflare customers leaked into responses served for other Cloudflare customers' sites that shared the same edge server memory. According to numbers provided by Cloudflare at the time, this occurred more than 18,000,000 times before the problem was corrected. Some of the leaked data was cached by search engines.
Connected toys are internet-enabled devices with Wi-Fi, Bluetooth, or other capabilities built in. These toys, which may or may not be smart toys, provide a more personalized play experience for children through embedded software that can offer app integration, speech and/or image recognition, RFID functionality, and web searching functions. A connected toy usually collects information about its users, either voluntarily or involuntarily, which raises privacy concerns. The data collected by connected toys is usually stored in a database, where the companies that produce the toys can use it for their own purposes, provided they do so in line with the protections outlined in the Children's Online Privacy Protection Act (COPPA).
CloudPets was an Internet-connected soft toy manufactured by the now-defunct Spiral Toys that was found to have numerous security vulnerabilities in February 2017. The plush teddy bear-style toys used Bluetooth to connect to a parent's smartphone to allow distant family members to send voice messages to the toy, and allow children to send voice messages back.
Okta, Inc. is an American identity and access management company based in San Francisco. It provides cloud software that helps companies manage and secure user authentication into applications, and lets developers build identity controls into applications, websites, web services and devices. It was founded in 2009 and had its initial public offering in 2017, being valued at over $6 billion.
Hack Forums is an Internet forum dedicated to discussions related to hacker culture and computer security. The website ranks as the number one website in the "Hacking" category in terms of web-traffic by the analysis company Alexa Internet. The website has been widely reported as facilitating online criminal activity, such as the case of Zachary Shames, who was arrested for selling keylogging software on Hack Forums in 2013 which was used to steal personal information.
Collection #1 is the name of a set of email addresses and passwords that appeared on the dark web around January 2019. The database contains over 773 million unique email addresses and 21 million unique passwords, resulting in more than 2.7 billion email/password pairs. The list, reviewed by computer security experts, contains exposed addresses and passwords from over 2000 previous data breaches as well as an estimated 140 million new email addresses and 10 million new passwords from previously unknown sources, and collectively makes it the largest data breach on the Internet.
Firefox Monitor is an online service developed by Mozilla, announced in June 2018, and launched on September 25 of that year. It informs users if their email address and passwords used have been leaked in data breaches, using the database provided by Have I Been Pwned? (HIBP). Mozilla is also working with HIBP's creator, Troy Hunt. Despite the name, this service is not limited to Mozilla Firefox alone, but can be accessed as a website from all common browsers.
Nulled is an online cracking forum.
Junade Ali is a British computer scientist known for research in cybersecurity.
Lapsus$, stylised as LAPSUS$ and classified by Microsoft as Strawberry Tempest, was an international extortion-focused hacker group known for its various cyberattacks against companies and government agencies. The group was globally active, and has had members arrested in Brazil and the UK.
MangaDex is a nonprofit website that aggregates translations of manga, manhwa, and manhua. Content on the website is usually unofficial, uploaded by "scanlation" groups, but other official services like Manga Plus and Bilibili Comics also provide outgoing links on the website. MangaDex was started in 2018 by developer Hologfx, and was initially funded through user donations, but is now funded through affiliate programs. The website is blocked in several countries, including Italy and Russia.
Verifications.io is a defunct email-focused technology firm whose primary practice was to validate email addresses for email marketing platforms. The company's platform allowed for email marketing firms to submit lists to the company, which would verify the lists for valid email addresses.