Can You Trust HaveIBeenPwned?

Whenever there is a security breach, everyone likes to point to “Have I Been Pwned.” 

It’s for a good reason. 

The guy who runs it is a “Rock Star” in the internet security world. But that doesn’t mean much to most people, so let me show you why you should trust Have I Been Pwned (HIBP).

Disclosure: I’m NOT being paid to write this. I don’t know the owner of HIBP and never met him. This is just the research I’ve done to find out if this site is trustworthy. 

Who Owns HaveIBeenPwned?

Troy Hunt owns HaveIBeenPwned.

Personal site: https://www.troyhunt.com/

Twitter: https://twitter.com/troyhunt

YouTube: https://www.youtube.com/user/troyhuntdotcom

Who Is Troy Hunt?

Troy Hunt is an Australian web security expert. To learn more, check out his Wikipedia page.

Most notable is that Microsoft awarded him “Microsoft Most Valuable Professional” in 2011.

HaveIBeenPwned History

HaveIBeenPwned was created in 2013. The thing that pushed HaveIBeenPwned to life was the Adobe breach in 2013. The Adobe breach had 153 million accounts compromised. 

As he often does, Troy was analyzing data breaches for patterns. He realized that this data was easy for him to get hold of, but for the average person, getting it was impractical. Troy wanted the everyday person to be able to check if their data was in a breach, so he created HaveIBeenPwned.

HaveIBeenPwned allowed anyone to check if their email address was ever in any breaches. If it was, they could take actions to secure their accounts again. Troy also added a way to check your passwords to see if they were in any breaches too. 

HaveIBeenPwned Controversy

There was a bit of controversy for HaveIBeenPwned during the Ashley Madison breach.

Sites were created overnight to check whether your email was in this breach. Since Ashley Madison was for cheating spouses, these sites provided an easy way to check if your partner was using it.

HaveIBeenPwned got wrapped up in this but did all the right things. You had to verify you owned the email address before it would reveal if that email address was in the breach.

Other sites did not do this and outed many people. 

Because the media wanted a fast headline, HaveIBeenPwned got wrapped up in this. To be clear, HaveIBeenPwned did the right thing by not exposing sensitive data from this breach.

Who Uses HaveIBeenPwned

I feel it’s important to point out which companies use HaveIBeenPwned. Many of these companies would have a lot to lose if HaveIBeenPwned were not trustworthy.

HaveIBeenPwned has a way for other companies to use its database to check if customers’ login data was compromised. This is very useful for password managers and sign-up pages.

1Password – https://blog.1password.com/finding-pwned-passwords-with-1password/

Bitwarden – https://blog.bitwarden.com/have-you-been-pwned-7051d64e685b

Firefox Web Browser – https://www.infosecurity-magazine.com/news/mozilla-pwned-function-firefox/

U.K. and Australian governments – https://techcrunch.com/2018/03/02/uk-and-australian-governments-now-use-have-i-been-pwned/

What Real People Are Saying

Seeing what real people say about HaveIBeenPwned is worth a look, if you ask me. I’ve listed a few Reddit posts that help to back up the claim that HaveIBeenPwned is safe to use.

Is haveibeenpwned a legit page?

YSK: HaveIBeenPwned will tell you if your email address and passwords have ever been compromised, so change them right now if they have!

Have I been pwned? Check if your email has been compromised in a data breach

Firefox Monitor Lets You Know When You’ve Been Pwned: Mozilla teams up with Have I Been Pwned for hack-alert service.

PSA: Many Spotify accounts emails and passwords have been posted online in what appears to be a hack.

What Other Sites Are Saying

Let’s not forget what other sites say about HaveIBeenPwned. Spoiler: It’s all good things!

Digitaltrends – https://www.digitaltrends.com/computing/best-websites-for-finding-out-if-youve-been-hacked/

CNET – https://www.cnet.com/how-to/find-out-if-your-passwords-been-hacked/ 

dailymail.co.uk – https://www.dailymail.co.uk/sciencetech/article-4767562/Have-PWNED-Site-reveals-password-safe.html

makeuseof – https://www.makeuseof.com/tag/hacked-email-account-checking-tools-genuine-scam/

Forbes – https://www.forbes.com/sites/adamtanner/2014/04/14/these-sites-tell-which-of-your-accounts-have-been-hacked/#50d20e403763

PCWorld – https://www.pcworld.com/article/2070080/new-website-lets-users-check-if-their-online-credentials-were-exposed-in-large-data-leaks.html

How Does HaveIBeenPwned Make Money?

The old saying goes, “if you’re not paying for it, then you’re the product.” So how does HaveIBeenPwned make money?

The first way HaveIBeenPwned makes money is from donations. If you used his service in the past, please consider donating as it does help.

HaveIBeenPwned also has a partnership with 1Password.

1Password is a password manager, and it makes perfect sense to partner with HaveIBeenPwned. Troy Hunt says he used 1Password years before they ever became a partner.

It’s smart to partner with a password manager because it’s the next step to take after finding out you’ve been in a breach. 

I’m not aware of any other ways HaveIBeenPwned makes money. I know many people may be thinking that they’ll sell the information inside the database. While that might seem like a great idea at first, it’s not. The data that HaveIBeenPwned gets is already in the public domain anyway, so anyone can grab it and do whatever they want with it. There’s no need to sell data if you can get it free somewhere else.
