
TechCrunch

News & Media

TechCrunch

Black Lives Matter may be the largest movement in U.S. history, according to four different polls cited recently by the New York Times that suggest anywhere from 15 million to 26 million people in the U.S. have participated in demonstrations over the death of George Floyd and others since Floyd’s death in late May.

Blavity, a six-year-old, L.A.-based media company that’s focused on Black culture, could hardly be better positioned to help outraged Americans better understand what’s really been going on. Blavity founder Morgan DeBaun says the outfit receives at least a handful of videos each week that feature egregious acts against Black Americans, and the same has been true since DeBaun, working at the time at Intuit, founded the company in 2014 after unarmed, 18-year-old Michael Brown was gunned down by a police officer in her native Missouri.

Blavity tells the stories that the mainstream media has largely been missing, but that’s only part of the story. The company has also become a go-to destination for a growing number of Black millennials interested in fresh takes on culture and politics; in Black Hollywood and travel (via two other properties it runs); and in its sizable networking events, one of which attracted 10,000 people last year.

Last week, we talked with DeBaun about Blavity — which has raised a comparatively conservative $11 million to date, including from GV, Comcast Ventures, and Plexo Capital — to learn more about how the company seizes this moment, and whether investors see the opportunity. Our chat has been edited for length and clarity (you can hear the full discussion here).

TC: You started Blavity in part to address a need you were feeling to connect with others after Michael Brown’s death. What were you reading at the time?

MD: The unfortunate answer is I wasn’t reading anything. I hadn’t really felt the need to stay connected to local or regional or Black issues until I moved out of my community and found myself wondering [from California], what is going on.

Historically in the Black community, we’ve had our own networks and platforms and brands: the African American newspapers in various cities, Essence, Jet, Ebony, and more recently, The Root. [But] a significant amount of media publications are still focused on entertainment and Hollywood and not necessarily on news. And so there was a huge gap of information that I felt wanting to understand.

This was before Twitter really became a source of information and truth for so many people, so there was a gap of information from what I saw happening on the ground in St. Louis and in text messages and as part of an email list with friends who were on the ground, and what I saw in the mainstream media. And to me, that was a huge miss, because we needed to be connected at that point more than ever so we could help impact change.

TC: There’s a lot of social injustice covered by Blavity. Two of the most popular stories on the site as we speak are about a Sacramento police officer who placed a plastic bag on a 12-year-old’s head, and a cop who was arrested and charged after tasing a pregnant woman on her stomach. Are these stories central to making Blavity a resource to its readers?

MD: We tend to be a reflection of the pulse of the reality and the Black experience, and we do share stories and news that people might not find other places. I get the question more recently about: Does this time feel different? Are we covering different things? And unfortunately, the answer is that we’ve been covering these stories weekly since Michael Brown happened. It’s been a critical part of our publication and ethos to ensure that we’re sharing the stories of our community and bringing light to the injustices that are happening.

We also share joy and happiness and celebrations and moments of great accomplishments and local stories of heroes. But certainly right now, we’re making sure that we’re doing our diligence and covering the stories that are very important for this moment in time.

TC: You recently told Forbes that advertisers and marketers do not want to spend money next to Black death and violence. You have to cover these stories because it’s core to what you do, but it’s a double-edged sword for you, it sounds like.

MD: Blavity as an organization has five different brands. So we have a diversified revenue stream where we don’t just rely on display advertising against our news business, because if we did, we would wind up very much similar to what we’ve seen happen [to other struggling media companies]. There was a time when our Facebook page was even blocked because [stories] have gotten flagged as being too violent. And it’s like, well yeah, violence against Black bodies is real. It’s the truth; it’s real news.

So we do have this weird kind of balance that we strike in terms of really making sure that we’re telling the truth and that we are pushing back against our clients, our advertisers, and even Facebook to ensure that Blavity can continue to distribute content. But overall, the news business isn’t our highest revenue-generating business. It’s our conference business and our display ads business across all of our brands, some of which are lifestyle brands.

We also have an ad network that we don’t advertise publicly much, but essentially, we run ads and sales operations for other publishers of color who maybe don’t have the scale to necessarily have their own sales team and ad tech and engineers and things of that nature. We’re fighting for deals against a Vice or a Refinery 29 that also have ad networks, so we wanted to make sure that we could also win those deals and we needed that huge inventory and [that business has] allowed us the flexibility to reinvest [in the rest of the business].

TC: I understand that you’re also starting a paid-for membership-only professional network.

MD: We have an exciting announcement that’ll come out in a few weeks about a new platform that will specifically be a place for young Black professionals to come together to have discussions to learn; to get jobs, because that’s one of our core competencies through [our conference business]; but most importantly, to have discussions around the issues and topics that are trending and that matter. We already do daily conversations through Facebook Live and YouTube and Instagram Live. So we’re trying to build a place where we can have a more private space for those conversations that feels safe and also is a place where people can connect on a deeper level.

TC: Have you noticed a real change in Silicon Valley in the last month or so among investors? Are you seeing interest from firms that previously hadn’t reached out to you?

MD: There are a lot of VCs that perhaps are paying attention, but the bias is so deep that I don’t even think they know how to get out of it.

Have I seen more requests for conversations? Yes. Do I think that that’s going to result in more investments and wires and checks? No. I’m very skeptical of this kind of like performative ‘we care’ flag. The most important metric of success for VCs are returns on their investments. [Venture money] is not a donation; it’s not charity. [VCs look for companies that] meet the metrics of success. And my metrics may be different because I’ve been chronically underfunded despite how much we’ve done.

TC: Can you elaborate?

MD: I think the argument that [later-stage] investors make is, ‘Well, there are just not that many Series A or Series B companies to invest in.’ [But] there are enough companies to invest in that have your revenue criteria and your goal criteria in terms of a potential exit, but that may not call themselves startups. They may look different. And so you need to do more work to go get them.

There are certainly a lot more people raising funds and having real success in terms of raising their first fund, or that are now on their second fund as a result of this [focus on diversity], and that’s very encouraging and that’s really going to help the seed- and early-stage founders.

I wish I was a founder right now who was raising a seed [round], because I could raise $10 million, there’s so much money going around.

TC: It’s incredible that you could be at a disadvantage because you’re now running a real business with multiple properties, particularly given the opportunity ahead. As you’ve mentioned in the past, there will be a majority minority population in this country in 10 years or so. Are you developing products for other communities, including the Afro-Latino community?

MD: We’ve thought a lot about the subcommunities that have huge audiences, are growing quickly, but perhaps don’t have a space or a place to connect. And originally, one of our ideas was to build out our tech platform, then change the UI to accommodate all these [ideas] and become a true house with brands that serve people and communities on a niche level — so Gen Z, Black, LGBT, Afro Latina, for the many Caribbean folks who are in the U.S. and Nigerian Americans; there are so many subcommunities within the diaspora.

What we realized is that the overhead and operations of doing that over and over would not be a good idea and that we should figure out how to build the operations side instead. That’s why we invested in our own ad network, because we can say, ‘Hey, creator in Brooklyn who’s amazing, you have a million monthly unique visitors, which is better than half the publications out there. You don’t have an ad sales team. Let’s partner with each other.’ That was the first solution.

The second is this social networking platform that we’ve built. Part of the frustration and tension I felt when I started the company was feeling like there was no one like me. I couldn’t find other Black women who wanted to build a huge company and change the world and do it through tech. There was no one walking around Mountain View who looked like that, and I didn’t know where to go. We want to solve that through technology and through a platform that makes it easy for people to find each other. Hopefully then, once people are more connected, they can build their own companies and come up with their own organizations.


Women start 40% of the businesses in the U.S., but they receive just 3% of venture funding. It doesn’t take a math whiz to recognize that such an extreme funding gap could spell opportunity, but it might help if you are math minded, a longtime investor, and happen to be a woman, and so conceivably understand certain products and pitches better than some men.

That was certainly the thinking of both Lori Cashman and Suzanne Norris, who came together in 2016 to form Boston-based Victress Capital, a consumer-focused, seed- and early-stage firm that just closed its second fund with nearly $22 million in funding to back gender diverse teams, meaning there is at least one woman on the founding team.

Cashman is a Duke grad who has spent her career as an investor, including previously cofounding a private equity firm, Linear Capital, to invest exclusively in owner-managed businesses. Norris, meanwhile, with two degrees from Harvard, has been an investment banking analyst, a management consultant, and spent nearly four years as a VP focused on e-commerce with the company Kate Spade.

The two friendly acquaintances originally joined forces to enhance their “cognitive diversity,” says Cashman, scraping together a total of $2 million from friends and family so they could establish a track record.

Ultimately, they used that money to fund 14 startups by writing checks ranging from $100,000 to $150,000. A couple of them have already been acquired.

Moxxly, which sold silent, wearable breast pumps, was acquired by Medela, a leading breast pump maker, in 2017. Last summer, it was shut down, but Cashman and Norris suggest that investors (another of whom was Randi Zuckerberg) got their money back and that they were happy to see it acquired by what seemed at the time like a strong strategic partner. A second portfolio company, Werk, more recently sold to a Chicago-based startup called The Mom Project for undisclosed terms.

Others of their bets include Daily Harvest, a direct-to-consumer organic food delivery business that has so far raised $43 million from investors, according to Crunchbase; Mented Cosmetics, a cosmetics company catering to women with darker skin tones that has raised $4 million to date; and Copper Cow Coffee, a young L.A.-based startup that makes organic Vietnamese coffee and has raised $3 million.

The idea all along has been to raise a larger fund so that as Victress’s young portfolio matures, it can invest more into its breakout winners, as well as fund other young startups. Toward that end, Victress — whose newest fund came largely from family offices — has been adding to its team. In February, it brought in Kate Castle, a longtime marketing partner at Flybridge Capital Partners who later cofounded XFactor Ventures as a partner. In 2018, it also hired HBS alum Madeline Keulen, who previously interned with Victress and is now a vice president. (Because of Norris’s background and network, Victress receives some of its deal flow from Harvard and HBS and typically brings in HBS students as interns.)

It wasn’t easy assembling its team — or its new fund. Norris half-kiddingly calls $20 million “no man’s land” in the eyes of institutional investors. Though they are just now closing the vehicle, they began assembling checks for it in late 2018 and have already funded seven startups that represent 25% of their new investing capital.

Still, they’re playing the long game and think the relationship-building they’ve done will pay off — both with institutional investors that will be tracking this second fund with an eye toward its third, and with venture firms around the country with whom they’ve syndicated deals.

A big win would help grow the outfit from here, too, of course. Only time will tell if they’ll have one, but Norris and Cashman talk enthusiastically about numerous portfolio companies, including Minneapolis-based Rae, which is marketing libido-enhancing vitamins, among other vitamins. Rae sells its products directly to consumers but they’re also available at Target, a retail giant that, notably, has remained open throughout the pandemic.

Rae was able to secure such valuable real estate partly because its cofounder and CEO, Angie Tebbe, spent the previous 12 years as a senior director in merchandising at Target, where she oversaw the private label products in the chain’s beauty and wellness aisles. But Rae’s products are also priced affordably, with a 30-day supply of vitamins costing $14, compared with many alternatives that cost twice as much and more.

That’s partly what drew Victress to the company. Victress is focused on tech-enabled consumer services, marketplaces and digitally native brands. But if a startup in the last camp wants its attention, its products can’t be priced for the most affluent consumers with money to burn. With a growing number of people simply looking to make ends meet, Victress is far more interested in startups that aim to sell at an “authentic, accessible price point for the majority of America,” says Cashman.


When Troy Hunt launched Have I Been Pwned in late 2013, he wanted it to answer a simple question: Have you fallen victim to a data breach?

Seven years later, the data-breach notification service processes thousands of requests each day from users who check to see if their data was compromised — or pwned with a hard ‘p’ — by the hundreds of data breaches in its database, including some of the largest breaches in history. As it’s grown, now sitting just below the 10 billion breached-records mark, the answer to Hunt’s original question is clearer.

“Empirically, it’s very likely,” Hunt told me from his home on Australia’s Gold Coast. “For those of us that have been on the internet for a while it’s almost a certainty.”

What started out as Hunt’s pet project to learn the basics of Microsoft’s cloud quickly exploded in popularity, driven in part by how simple Have I Been Pwned is to use, but largely by individuals’ curiosity.

As the service grew, Have I Been Pwned took on a more proactive security role by allowing browsers and password managers to bake in a backchannel to Have I Been Pwned to warn against using previously breached passwords in its database. It was a move that also served as a critical revenue stream to keep down the site’s running costs.

But Have I Been Pwned’s success should be attributed almost entirely to Hunt, both as its founder and its only employee, a one-man band running an unconventional startup, which, despite its size and limited resources, turns a profit.

As the workload needed to support Have I Been Pwned ballooned, Hunt said the strain of running the service without outside help began to take its toll. There was an escape plan: Hunt put the site up for sale. But, after a tumultuous year, he is back where he started.

Ahead of its next big 10-billion milestone mark, Have I Been Pwned shows no signs of slowing down.

‘Mother of all breaches’

Even long before Have I Been Pwned, Hunt was no stranger to data breaches.

By 2011, he had cultivated a reputation for collecting and dissecting small — for the time — data breaches and blogging about his findings. His detailed and methodical analyses showed time and again that internet users were using the same passwords from one site to another. So when one site was breached, hackers already had the same password to a user’s other online accounts.

Then came the Adobe breach, the “mother of all breaches” as Hunt described it at the time: Over 150 million user accounts had been stolen and were floating around the web.

Hunt obtained a copy of the data and, with a handful of other breaches he had already collected, loaded them into a database searchable by a person’s email address, which Hunt saw as the most common denominator across all the sets of breached data.

And Have I Been Pwned was born.

It didn’t take long for its database to swell. Breached data from Sony, Snapchat and Yahoo soon followed, racking up millions more records in its database. Have I Been Pwned soon became the go-to site to check if you had been breached. Morning news shows would blast out its web address, resulting in a huge spike in users — enough at times to briefly knock the site offline. Hunt has since added some of the biggest breaches in the internet’s history: MySpace, Zynga, Adult Friend Finder, and several huge spam lists.

As Have I Been Pwned grew in size and recognition, Hunt remained its sole proprietor, responsible for everything from organizing and loading the data into the database to deciding how the site should operate, including its ethics.

Hunt takes a “what do I think makes sense” approach to handling other people’s breached personal data. With nothing to compare Have I Been Pwned to, Hunt had to write the rules for how he handles and processes so much breach data, much of it highly sensitive. He does not claim to have all of the answers, but relies on transparency to explain his rationale, detailing his decisions in lengthy blog posts.

His decision to only let users search for their email address makes logical sense, driven by the site’s only mission, at the time, to tell a user if they had been breached. But it was also a decision centered around user privacy that helped to future-proof the service against some of the most sensitive and damaging data he would go on to receive.

In 2015, Hunt obtained the Ashley Madison breach. Millions of people had accounts on the site, which encourages users to have an affair. The breach made headlines, first for the breach, and again when several users died by suicide in its wake.

The hack of Ashley Madison was one of the most sensitive entered into Have I Been Pwned, and ultimately changed how Hunt approached data breaches that involved people’s sexual preferences and other personal data. (AP Photo/Lee Jin-man, File)

Hunt diverged from his usual approach, acutely aware of its sensitivities. The breach was undeniably different. He recounted a story of one person who told him how their local church posted a list of the names of everyone in the town who was in the data breach.

“It’s clearly casting a moral judgment,” he said, referring to the breach. “I don’t want Have I Been Pwned to enable that.”

Unlike earlier, less sensitive breaches, Hunt decided that he would not allow anyone to search for the data. Instead, he purpose-built a new feature allowing users who had verified their email addresses to see if they were in more sensitive breaches.

“The purposes for people being in that data breach were so much more nuanced than what anyone ever thought,” Hunt said. One user told him he was in there after a painful break-up and had since remarried but was labeled later as an adulterer. Another said she created an account to catch her husband, suspected of cheating, in the act.

“There is a point at which being publicly searchable poses an unreasonable risk to people, and I make a judgment call on that,” he explained.

The Ashley Madison breach reinforced his view on keeping as little data as possible. Hunt frequently fields emails from data breach victims asking for their data, but he declines every time.

“It really would not have served my purpose to load all of the personal data into Have I Been Pwned and let people look up their phone numbers, their sexualities, or whatever was exposed in various data breaches,” said Hunt.

“If Have I Been Pwned gets pwned, it’s just email addresses,” he said. “I don’t want that to happen, but it’s a very different situation if, say, there were passwords.”

But those remaining passwords haven’t gone to waste. Hunt also lets users search more than half a billion standalone passwords, so they can see whether any of their own passwords have also landed in Have I Been Pwned.

Anyone — even tech companies — can access that trove, which he calls Pwned Passwords. Browser makers and password managers, like Mozilla and 1Password, have baked-in access to Pwned Passwords to help prevent users from using a previously breached and vulnerable password. Western governments, including the U.K. and Australia, also rely on Have I Been Pwned to monitor for breached government credentials, which Hunt also offers for free.
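As an added example (not code from the article or from Have I Been Pwned itself), this is the client side of the check a browser or password manager can run against Pwned Passwords without ever sending the password: hash it with SHA-1, send only the first five hex characters, and match the suffix locally against the returned bucket, which is the k-anonymity range protocol the service publishes. The range response here is constructed so the code runs offline; the hit count assigned to the string "password" and the other two suffixes are made up.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the body a range lookup returns: one "SUFFIX:COUNT"
# line per breached hash whose SHA-1 begins with the requested 5-char prefix.
# The first suffix is the real SHA-1 tail of the string "password"; the other
# two suffixes and every count are made up for this example. The ":0" line
# mimics the padding entries the service can add so that response size does
# not reveal bucket size; a client has to ignore those.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0A9B7C6D5E4F30211234567890ABCDEF012:2\r\n"
        "FEDCBA98765432100FEDCBA9876543210AB:0\r\n"
    ),
}


def split_sha1(password: str) -> Tuple[str, str]:
    """Return the 5-hex-char prefix that goes over the wire and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response into {suffix: count}, dropping padding (count 0) and malformed lines."""
    bucket: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            continue  # not a well-formed SHA-1 suffix / count pair
        n = int(count)
        if n > 0:
            bucket[suffix.upper()] = n
    return bucket


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTPS range request; unknown prefixes yield an empty bucket."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range: Callable[[str], str] = offline_fetch) -> int:
    """Number of times the password appears in the corpus; 0 means not found.

    Only the hash prefix leaves the client; the suffix comparison happens here,
    so the service learns neither the password nor its full hash.
    """
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "a much longer and less common phrase"):
        n = breach_count(candidate)
        verdict = f"seen {n} times, reject" if n else "not in corpus"
        print(f"{candidate!r}: {verdict}")
```

A real client would replace `offline_fetch` with an HTTPS GET of the prefix and treat a non-zero count as grounds to refuse the password.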

“It’s enormously validating,” he said. “Governments, for the most part, are trying to do things to keep countries and individuals safe — working under extreme duress and they don’t get paid much.”


Hunt recognizes that Have I Been Pwned, as much as openness and transparency are core to its operation, lives in an online purgatory; under any other circumstances — especially in a commercial enterprise — he would be drowning in regulatory hurdles and red tape. And while the companies whose data Hunt loads into his database would probably prefer otherwise, Hunt told me he has never received a legal threat for running the service.

“I’d like to think that Have I Been Pwned is at the far-legitimate side of things,” he said.

Others who have tried to replicate the success of Have I Been Pwned haven’t been as lucky.

“There have been similar services that have popped up,” said Hunt. “They’ve been for-profit — and they’ve been indicted,” he said.

LeakedSource was, for a time, one of the largest sellers of breach data on the web. I know, because my reporting broke some of their biggest gets: music streaming service Last.fm, adult dating site AdultFriendFinder, and Russian internet giant Rambler.ru to name a few. But what caught the attention of federal authorities was that LeakedSource, whose operator later pleaded guilty to charges related to trafficking identity theft information, indiscriminately sold access to anyone else’s breach data.

“There is a very legitimate case to be made for a service to give people access to their data at a price.”

Hunt said he would “sleep perfectly fine” charging users a fee to access their data. “I just wouldn’t want to be accountable for it if it goes wrong,” he said.

Project Svalbard

Five years into Have I Been Pwned, Hunt could feel the burnout coming.

“I could see a point where I would be if I didn’t change something,” he told me. “It really felt like for the sustainability of the project, something had to change.”

He said he went from spending a fraction of his time on the project to well over half. Aside from juggling the day-to-day — collecting, organizing, deduplicating and uploading vast troves of breached data — Hunt was responsible for the entirety of the site’s back office upkeep — its billing and taxes — on top of his own.

The plan to sell Have I Been Pwned was codenamed Project Svalbard, named after the Norwegian seed vault that Hunt likened Have I Been Pwned to, a massive stockpile of “something valuable for the betterment of humanity,” he wrote announcing the sale in June 2019. It would be no easy task.

Hunt said the sale was to secure the future of the service. It was also a decision that would have to secure his own. “They’re not buying Have I Been Pwned, they’re buying me,” said Hunt. “Without me, there’s just no deal.” In his blog post, Hunt spoke of his wish to build out the service and reach a larger audience. But, he told me, it was not about the money.

As its sole custodian, Hunt said that as long as someone kept paying the bills, Have I Been Pwned would live on. “But there was no survivorship model to it,” he admitted. “I’m just one person doing this.”

By selling Have I Been Pwned, the goal was a more sustainable model that took the pressure off him, and, he joked, the site wouldn’t collapse if he got eaten by a shark, an occupational hazard for living in Australia.

But chief above all, the buyer had to be the perfect fit.

Hunt met with dozens of potential buyers, many of them in Silicon Valley. He knew what the buyer would look like, but he didn’t yet have a name. Hunt wanted to ensure that whoever bought Have I Been Pwned upheld its reputation.

“Imagine a company that had no respect for personal data and was just going to abuse the crap out of it,” he said. “What does that do for me?” Some potential buyers were driven by profits. Hunt said any profits were “ancillary.” Buyers were only interested in a deal that would tie Hunt to their brand for years, buying the exclusivity to his own recognition and future work — that’s where the value in Have I Been Pwned is.

Hunt was looking for a buyer with whom he knew Have I Been Pwned would be safe if he were no longer involved. “It was always about a multiyear plan to try and transfer the confidence and trust people have in me to some other organizations,” he said.

Hunt testifies to the House Energy Subcommittee on Capitol Hill in Washington, Thursday, Nov. 30, 2017. (AP Photo/Carolyn Kaster)

The vetting process and due diligence were “insane,” said Hunt. “Things just drew out and drew out,” he said. The process went on for months. Hunt spoke candidly about the stress of the year. “I separated from my wife early last year around about the same time as the [sale process],” he said. They later divorced. “You can imagine going through this at the same time as the separation,” he said. “It was enormously stressful.”

Then, almost a year later, Hunt announced the sale was off. Barred from discussing specifics thanks to non-disclosure agreements, Hunt wrote in a blog post that the buyer, whom he was set on signing with, made an unexpected change to their business model that “made the deal infeasible.”

“It came as a surprise to everyone when it didn’t go through,” he told me. It was the end of the road.

Looking back, Hunt maintains it was “the right thing” to walk away. But the process left him back at square one without a buyer and personally down hundreds of thousands in legal fees.

After a bruising year for his future and his personal life, Hunt took time to recoup, clambering for a normal schedule after an exhausting year. Then the coronavirus hit. Australia fared lightly in the pandemic by international standards, lifting its lockdown after a brief quarantine.

Hunt said he will keep running Have I Been Pwned. It wasn’t the outcome he wanted or expected, but Hunt said he has no immediate plans for another sale. For now it’s “business as usual,” he said.

In June alone, Hunt loaded over 102 million records into Have I Been Pwned’s database. Relatively speaking, it was a quiet month.

“We’ve lost control of our data as individuals,” he said. But not even Hunt is immune. At close to 10 billion records, Hunt has been ‘pwned’ more than 20 times, he said.

Earlier this year Hunt loaded a massive trove of email addresses from a marketing database — dubbed ‘Lead Hunter’ — some 68 million records fed into Have I Been Pwned. Hunt said someone had scraped a ton of publicly available web domain record data and repurposed it as a massive spam database. But someone left that spam database on a public server, without a password, for anyone to find. Someone did, and passed the data to Hunt. Like any other breach, he took the data, loaded it in Have I Been Pwned, and sent out email notifications to the millions who have subscribed.

“Job done,” he said. “And then I got an email from Have I Been Pwned saying I’d been pwned.”

He laughed. “It still surprises me the places that I turn up.”


The hack of Ashley Madison was one of the most sensitive entered into Have I Been Pwned, and ultimately changed how Hunt approached data breaches that involved people’s sexual preferences and other personal data. (AP Photo/Lee Jin-man, File)

Hunt diverged from his usual approach, acutely aware of its sensitivities. The breach was undeniably different. He recounted a story of one person who told him how their local church posted a list of the names of everyone in the town who was in the data breach.

“It’s clearly casting a moral judgment,” he said, referring to the breach. “I don’t want Have I Been Pwned to enable that.”

Unlike earlier, less sensitive breaches, Hunt decided that he would not allow anyone to search for the data. Instead, he purpose-built a new feature allowing users who had verified their email addresses to see if they were in more sensitive breaches.

“The purposes for people being in that data breach were so much more nuanced than what anyone ever thought,” Hunt said. One user told him he was in there after a painful break-up and had since remarried but was labeled later as an adulterer. Another said she created an account to catch her husband, suspected of cheating, in the act.

“There is a point at which being publicly searchable poses an unreasonable risk to people, and I make a judgment call on that,” he explained.

The Ashley Madison breach reinforced his view on keeping as little data as possible. Hunt frequently fields emails from data breach victims asking for their data, but he declines every time.

“It really would not have served my purpose to load all of the personal data into Have I Been Pwned and let people look up their phone numbers, their sexualities, or whatever was exposed in various data breaches,” said Hunt.

“If Have I Been Pwned gets pwned, it’s just email addresses,” he said. “I don’t want that to happen, but it’s a very different situation if, say, there were passwords.”
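The data model the article describes in three places, a store searchable only by email address, a separate class of sensitive breaches that only the verified owner of an address may query, and nothing retained beyond the addresses themselves, is easy to misread as trivial. The following is an added example, not Have I Been Pwned’s own code, of the loading and lookup logic such a design implies: normalizing and deduplicating addresses from dumps that arrive in different shapes, keeping only the address and the breach name, and gating sensitive breaches behind a `verified` flag. The dump contents, breach names (`ExampleForum`, `ExampleShop`, `ExampleDating`) and the per-breach record counts are constructed for the example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample dumps (not real breach data) in two common shapes:
# "email:password" lines, and CSV with a header row. Both contain
# duplicates, mixed case, stray whitespace and one junk line.
DUMP_COLON = """\
Alice@Example.com:hunter2
bob@example.org:letmein
alice@example.com :hunter2
junk:stuff
not-an-email-line
"""

DUMP_CSV = """\
id,email_address,password_hash
1,alice@example.com,5baa61e4
2,carol@example.net,e99a18c4
3,BOB@example.org,d8578edf
4,carol@example.net,e99a18c4
"""

# Deliberately loose: the goal is to drop junk, not to validate RFC 5322.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_email(raw: str):
    """Lower-case and trim; return None for anything that is not an address."""
    candidate = raw.strip().lower()
    return candidate if EMAIL_RE.match(candidate) else None


def emails_from_colon_dump(text: str):
    """Yield the address column of 'email:password' lines; everything else
    (the password) is read and discarded, never stored."""
    for line in text.splitlines():
        email, sep, _password = line.partition(":")
        if sep:
            yield email


def emails_from_csv_dump(text: str, email_field: str):
    """Yield one column of a CSV dump; other columns are never stored."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row[email_field]


class BreachIndex:
    """Maps normalized email -> set of breach names. That is the only
    per-person data this index retains."""

    def __init__(self):
        self.by_email = defaultdict(set)
        self.sensitive = set()

    def add(self, name: str, raw_emails, sensitive: bool = False) -> int:
        """Load one breach; returns the number of unique addresses loaded."""
        unique = {e for e in (normalize_email(r) for r in raw_emails) if e}
        for email in unique:
            self.by_email[email].add(name)
        if sensitive:
            self.sensitive.add(name)
        return len(unique)

    def lookup(self, email: str, verified: bool = False):
        """Breaches an address appears in. Sensitive breaches are only
        reported when the caller has proven ownership of the address."""
        normalized = normalize_email(email)
        names = self.by_email.get(normalized, set()) if normalized else set()
        if not verified:
            names = {n for n in names if n not in self.sensitive}
        return sorted(names)


def build_index():
    """Load the constructed dumps; returns (index, {breach: unique count})."""
    idx = BreachIndex()
    loaded = {
        "ExampleForum": idx.add("ExampleForum", emails_from_colon_dump(DUMP_COLON)),
        "ExampleShop": idx.add("ExampleShop", emails_from_csv_dump(DUMP_CSV, "email_address")),
        "ExampleDating": idx.add("ExampleDating", ["bob@example.org"], sensitive=True),
    }
    return idx, loaded


if __name__ == "__main__":
    index, counts = build_index()
    print("unique addresses per breach:", counts)
    print("alice:", index.lookup("Alice@Example.com"))
    print("bob (unverified):", index.lookup("bob@example.org"))
    print("bob (verified):", index.lookup("bob@example.org", verified=True))
```

The parsers read the password column and throw it away before anything reaches the index, so a compromise of the index yields addresses and breach names only, which is the property the quote above describes.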

But those remaining passwords haven’t gone to waste. Hunt also lets users search more than half a billion standalone passwords, allowing users to search to see if any of their passwords have also landed in Have I Been Pwned.

Anyone, even tech companies, can access that trove, which he calls Pwned Passwords. Browser makers and password managers, like Mozilla and 1Password, have built in access to Pwned Passwords to stop users from choosing a password that has already appeared in a breach. Western governments, including the U.K. and Australia, also rely on Have I Been Pwned to monitor for breached government credentials, a service Hunt also provides for free.
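The reason a browser or password manager can consult Pwned Passwords without handing over the password is the range query the public API uses: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every suffix in the corpus sharing that prefix, so the match is made locally and the server never learns which password was checked. The block below is an added example of that client-side logic, not Mozilla’s, 1Password’s or Have I Been Pwned’s code. The endpoint `https://api.pwnedpasswords.com/range/<prefix>` and the `SUFFIX:COUNT` response format are the real public interface; the `FAKE_RANGES` responses and their counts are constructed so the example runs offline.

```python
import hashlib
import urllib.request
from typing import Callable


def sha1_hex(password: str) -> str:
    """Pwned Passwords is keyed on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1: str):
    """First 5 hex chars (20 bits) go to the server; the remaining 35 stay local."""
    return sha1[:5], sha1[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Blank or malformed
    lines are skipped rather than failing the whole check."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        suffix, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not seen).
    Only the 5-char prefix is ever passed to fetch_range."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_allowed(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy a signup form or password manager would apply: reject any
    password that has appeared in a breach at all."""
    return breach_count(password, fetch_range) == 0


def live_fetch_range(prefix: str) -> str:
    """Real fetcher for the public range endpoint (not called by the demo)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the range endpoint. The first suffix
# under 5BAA6 is the real suffix of SHA-1("password"); its count and the
# other suffixes are made up. A9993 is the prefix of SHA-1("abc") and the
# constructed response deliberately contains no matching suffix.
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
             "0123456789ABCDEF0123456789ABCDEF012:2\n",
    "A9993": "ABCDEF0123456789ABCDEF0123456789ABC:1\n",
}


def fake_fetch_range(prefix: str) -> str:
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "abc"):
        prefix, _ = split_hash(sha1_hex(candidate))
        print(f"{candidate!r}: sent prefix {prefix}, "
              f"seen {breach_count(candidate, fake_fetch_range)} times")
```

Because a five-character prefix covers roughly one millionth of the SHA-1 space, each range response carries hundreds of suffixes and the server cannot tell which one the client cared about; pass `live_fetch_range` in place of `fake_fetch_range` to run the same logic against the real service.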

“It’s enormously validating,” he said. “Governments, for the most part, are trying to do things to keep countries and individuals safe — working under extreme duress and they don’t get paid much,” he said.

Hunt recognizes that Have I Been Pwned, as much as openness and transparency are core to its operation, lives in a legal gray area; under any other circumstances, especially as a commercial enterprise, he would be drowning in regulatory hurdles and red tape. And while the companies whose data Hunt loads into his database would probably prefer otherwise, Hunt told me he has never received a legal threat for running the service.

“I’d like to think that Have I Been Pwned is at the far-legitimate side of things,” he said.

Others who have tried to replicate the success of Have I Been Pwned haven’t been as lucky.

“There have been similar services that have popped up,” said Hunt. “They’ve been for-profit — and they’ve been indicted,” he said.

LeakedSource was, for a time, one of the largest sellers of breach data on the web. I know, because my reporting broke some of their biggest gets: music streaming service Last.fm, adult dating site AdultFriendFinder, and Russian internet giant Rambler.ru to name a few. But what caught the attention of federal authorities was that LeakedSource, whose operator later pleaded guilty to charges related to trafficking identity theft information, indiscriminately sold access to anyone else’s breach data.

“There is a very legitimate case to be made for a service to give people access to their data at a price.”

Hunt said he would “sleep perfectly fine” charging users a fee to access their data. “I just wouldn’t want to be accountable for it if it goes wrong,” he said.

Project Svalbard

Five years into Have I Been Pwned, Hunt could feel the burnout coming.

“I could see a point where I would be if I didn’t change something,” he told me. “It really felt like for the sustainability of the project, something had to change.”

He said he went from spending a fraction of his time on the project to well over half. Aside from juggling the day-to-day — collecting, organizing, deduplicating and uploading vast troves of breached data — Hunt was responsible for the entirety of the site’s back office upkeep — its billing and taxes — on top of his own.

The plan to sell Have I Been Pwned was codenamed Project Svalbard, named after the Norwegian seed vault that Hunt likened Have I Been Pwned to, a massive stockpile of “something valuable for the betterment of humanity,” he wrote announcing the sale in June 2019. It would be no easy task.

Hunt said the sale was to secure the future of the service. It was also a decision that would have to secure his own. “They’re not buying Have I Been Pwned, they’re buying me,” said Hunt. “Without me, there’s just no deal.” In his blog post, Hunt spoke of his wish to build out the service and reach a larger audience. But, he told me, it was not about the money.

As its sole custodian, Hunt said that as long as someone kept paying the bills, Have I Been Pwned would live on. “But there was no survivorship model to it,” he admitted. “I’m just one person doing this.”

By selling Have I Been Pwned, the goal was a more sustainable model that took the pressure off him, and, he joked, the site wouldn’t collapse if he got eaten by a shark, an occupational hazard for living in Australia.

But chief above all, the buyer had to be the perfect fit.

Hunt met with dozens of potential buyers, many of them in Silicon Valley. He knew what the buyer would look like, but he didn’t yet have a name. Hunt wanted to ensure that whoever bought Have I Been Pwned upheld its reputation.

“Imagine a company that had no respect for personal data and was just going to abuse the crap out of it,” he said. “What does that do for me?” Some potential buyers were driven by profits. Hunt said any profits were “ancillary.” Buyers were only interested in a deal that would tie Hunt to their brand for years, buying the exclusivity to his own recognition and future work — that’s where the value in Have I Been Pwned is.

Hunt was looking for a buyer with whom he knew Have I Been Pwned would be safe if he were no longer involved. “It was always about a multiyear plan to try and transfer the confidence and trust people have in me to some other organizations,” he said.

Hunt testifies to the House Energy Subcommittee on Capitol Hill in Washington, Thursday, Nov. 30, 2017. (AP Photo/Carolyn Kaster)

The vetting process and due diligence was “insane,” said Hunt. “Things just drew out and drew out,” he said. The process went on for months. Hunt spoke candidly about the stress of the year. “I separated from my wife early last year around about the same time as the [sale process],” he said. They later divorced. “You can imagine going through this at the same time as the separation,” he said. “It was enormously stressful.”

Then, almost a year later, Hunt announced the sale was off. Barred from discussing specifics thanks to non-disclosure agreements, Hunt wrote in a blog post that the buyer, whom he was set on signing with, made an unexpected change to their business model that “made the deal infeasible.”

“It came as a surprise to everyone when it didn’t go through,” he told me. It was the end of the road.

Looking back, Hunt maintains it was “the right thing” to walk away. But the process left him back at square one without a buyer and personally down hundreds of thousands in legal fees.

After a bruising year for his future and his personal life, Hunt took time to recoup, scrambling for a normal schedule after an exhausting year. Then the coronavirus hit. Australia fared lightly in the pandemic by international standards, lifting its lockdown after a brief quarantine.

Hunt said he will keep running Have I Been Pwned. It wasn’t the outcome he wanted or expected, but Hunt said he has no immediate plans for another sale. For now it’s “business as usual,” he said.

In June alone, Hunt loaded over 102 million records into Have I Been Pwned’s database. Relatively speaking, it was a quiet month.

“We’ve lost control of our data as individuals,” he said. But not even Hunt is immune. At close to 10 billion records, Hunt has been ‘pwned’ more than 20 times, he said.

Earlier this year Hunt loaded a massive trove of email addresses from a marketing database — dubbed ‘Lead Hunter’ — some 68 million records fed into Have I Been Pwned. Hunt said someone had scraped a ton of publicly available web domain record data and repurposed it as a massive spam database. But someone left that spam database on a public server, without a password, for anyone to find. Someone did, and passed the data to Hunt. Like any other breach, he took the data, loaded it in Have I Been Pwned, and sent out email notifications to the millions who have subscribed.

“Job done,” he said. “And then I got an email from Have I Been Pwned saying I’d been pwned.”

He laughed. “It still surprises me the places that I turn up.”
