Troy Hunt

Hunt in 2021
Born: Troy Adam Hunt, [1] 1976 (age 47–48) [2]
Nationality: Australian
Citizenship: Australia
Known for: Have I Been Pwned?
Height: 196 cm (6 ft 5 in) [3]
Spouses: Kylie Bragg (m. 2006; div. 2020); Charlotte Hunt (m. 2022) [4]
Awards: See Awards and achievements
Website: www.troyhunt.com

Troy Adam Hunt is an Australian web security consultant known for public education and outreach on security topics. He created and operates Have I Been Pwned?, a data breach search website that allows users to see if their personal information has been compromised. He has also authored several popular security-related courses on Pluralsight, and regularly presents keynotes and workshops on security topics. [5] He created ASafaWeb, a tool that formerly performed automated security analysis on ASP.NET websites. [6]

Data breaches

As part of his work administering the Have I Been Pwned? (HIBP) website, Hunt has been involved in the publication of 644 data breaches as of 6 January 2023, [7] and journalists cite him as a cybersecurity expert [8] [9] [10] [11] [12] [13] and data-breach expert. [14] [15] [16]

As of June 2018, HIBP had recorded more than 5 billion compromised user accounts. The governments of Australia, the United Kingdom [17] and Spain use the service to monitor their official domains. [18] Popular services such as 1Password, [19] Eve Online, Okta [20] and Kogan have integrated HIBP into their account-verification process.

Gizmodo included HIBP in its October 2018 list of "100 Websites That Shaped the Internet as We Know It". [21]

In August 2015, following the Ashley Madison data breach, Hunt received many emails from Ashley Madison members asking for help. He criticized the company for doing a poor job informing its userbase. [22]

In February 2016 the children's toy-maker VTech, which had suffered a major data breach months earlier, updated its terms of service to absolve itself of wrongdoing in the event of future breaches. Hunt, who had added the data from VTech's breach to the Have I Been Pwned? database, published a blog post harshly criticizing VTech's new policy, calling it "grossly negligent". [23] He later removed the VTech breach from the database, stating that only two people besides himself had had access to the data and that he wished to reduce the chance of its spread. [24]

In February 2017 Hunt published details of vulnerabilities in the Internet-connected children's toy CloudPets, which had allowed access to 820,000 user records as well as 2.2 million audio files belonging to those users. [25] [26]

In November 2017 Hunt testified before the United States House Committee on Energy and Commerce about the impact of data breaches. [27]

Also in November 2017 Hunt joined Report URI, a project (launched in 2015 by Scott Helme) that allows real-time monitoring of Content Security Policy (CSP) and HTTP Public Key Pinning (HPKP) violations on a website. He planned to bring funding and his expertise to the project. [28] [29]

Education

Hunt speaking about application security at OWASP's AppSec EU conference in 2015.

Hunt is known for his efforts in security education for computer and IT professionals. He has created several dozen courses on Pluralsight, an online education and training website for computer and creative professionals. He is one of the primary course authors for Pluralsight's Ethical Hacking path, a collection of courses designed for the Certified Ethical Hacker certification. [5]

Additionally, Hunt works in education by speaking at technology conferences and running workshops. His primary workshop, titled Hack Yourself First, aims to teach software developers with little security background how to defend their applications by looking at them from an attacker's perspective. [30] [31]

Awards and achievements

References

  1. "Summary of business name details". troyhunt.com.
  2. "Weekly Update 282". YouTube.
  3. "Weekly Update 269". YouTube.
  4. Troy Hunt [@troyhunt] (21 September 2022). "Absolutely over the moon to formally make @Charlotte_Hunt_ a part of our family ❤️ 💍" (Tweet) via Twitter.
  5. "Troy Hunt - Ethical Hacking Author - Pluralsight". Pluralsight. Retrieved 20 September 2016.
  6. Hunt, Troy (6 November 2018). "It's End of Life for ASafaWeb". Archived from the original on 12 August 2021. Retrieved 11 February 2022.
  7. Hunt, Troy (6 January 2023). "Have I Been Pwned". Have I Been Pwned.
  8. Cox, Joseph (10 March 2016). "The Rise of 'Have I Been Pwned?', an Invaluable Resource in the Hacking Age". Vice. Retrieved 20 October 2021.
  9. "Tool checks phone numbers from Facebook data breach". BBC News Online. 6 April 2021.
  10. "Grindr accounts could be easily hacked with email address". BBC News Online. 5 October 2020.
  11. "Baltimore ransomware attack: NSA faces questions". BBC News Online. 27 May 2019.
  12. Rogers, James (1 March 2017). "Data from internet-connected teddy bears held ransom, security expert says". Fox News.
  13. Arthur, Charles (23 September 2016). "Yahoo hack is a reminder that nothing is safe". CNN.
  14. Lariosa, Saab (8 April 2021). "How to know if you're one of 880,000 Filipinos caught in Facebook's data leak". The Philippine Star.
  15. Bisson, David (28 February 2020). "More Than 140GB of Data Exposed by Israeli Marketing Company". Tripwire.
  16. "Foodora Data Breach Impacts 727,000 Customers Across 14 Countries". CISOMAG. 17 June 2020.
  17. "The Government Uses 'Have I Been Pwned' to Keep Tabs on Data Breaches". Retrieved 1 June 2018.
  18. "Breach Alert Service: UK, Australian Governments Plug In". www.bankinfosecurity.com. Retrieved 4 January 2019.
  19. Locklear, Mallory (23 February 2018). "1Password now lets you see if your password has been leaked". Engadget. Retrieved 17 January 2019.
  20. "Okta's PassProtect checks your passwords with 'Have I Been Pwned'". 23 May 2018. Retrieved 1 June 2018.
  21. "100 Websites That Shaped the Internet as We Know It". 19 October 2018. Retrieved 31 October 2018.
  22. Price, Rob (24 August 2015). "Ashley Madison not communicating with customers: Troy Hunt". Business Insider. Retrieved 21 March 2016.
  23. Murdock, Jason (9 February 2016). "VTech hack: Microsoft security researcher Troy Hunt slams 'grossly negligent' security approach". International Business Times. Retrieved 21 March 2016.
  24. Hunt, Troy (8 April 2016). "Have I been pwned, opting out, VTech and general privacy things". Retrieved 28 June 2016.
  25. "Children's messages in CloudPets data breach". BBC News. 28 February 2017. Retrieved 6 August 2017.
  26. Hern, Alex (28 February 2017). "CloudPets stuffed toys leak details of half a million users". The Guardian. ISSN 0261-3077. Retrieved 6 August 2017.
  27. "IDENTITY VERIFICATION IN A POST-BREACH WORLD". Retrieved 1 June 2018.
  28. "I'm Joining Report URI!". November 2017. Retrieved 25 July 2018.
  29. "The next steps for Report URI". Retrieved 25 July 2018.
  30. Computerworld staff (5 August 2015). "FREE COURSE: Hack yourself first (before the bad guys do)". Computerworld. IDG Communications. Retrieved 4 April 2018.
  31. Hunt, Troy (29 March 2016). "Troy Hunt: Workshops". Troy Hunt. Retrieved 4 April 2018.
  32. "Troy Hunt". Retrieved 1 June 2018.
  33. "Troy Hunt". Retrieved 1 June 2018.
  34. "AusCERT 2018 - Awards". Archived from the original on 28 January 2021. Retrieved 1 June 2018.
  35. "#Infosec18: European Blogger Awards Winners Announced". 5 June 2018. Retrieved 11 June 2018.