{"id":62700,"date":"2017-05-29T00:00:00","date_gmt":"2017-05-29T00:00:00","guid":{"rendered":"http:\/\/blog.mozilla.org\/foxtail\/2017\/05\/29\/password-data-breach\/"},"modified":"2017-05-29T00:00:00","modified_gmt":"2017-05-29T00:00:00","slug":"password-data-breach","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/","title":{"rendered":"Has your password been hacked in a data breach? Troy Hunt can help you find out."},"content":{"rendered":"<p>As more of our important personal information is stored online behind password-protected accounts, news about data breaches sends us scrambling to find out if our passwords were hacked. One of the best places to find out is Troy Hunt\u2019s website, <a href=\"http:\/\/www.haveibeenpwned.com\">www.haveibeenpwned.com<\/a>, where anyone can input their email address to learn if it has been compromised.<\/p>\n<p>Hunt, an Australian information security expert, has spent thousands of hours studying data breaches to understand what happened and who was at risk.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-361 alignright\" src=\"http:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2017\/05\/Troy-Hunt-Profile-Photo-600x600.jpeg\" alt=\"Troy Hunt\" width=\"400\" height=\"400\" \/>\u201cI kept finding the same accounts exposed over and over again, often with the same passwords, which then put the victims at further risk of their other accounts being compromised,\u201d Hunt said.<\/p>\n<p>He became concerned that everyday people were unaware of how big the problem was. In 2013 when an Adobe customer account breach put more than 150 million user names, email addresses, passwords and password hints at risk, Hunt launched his site. 
He runs it on a \u201cshoestring budget\u201d out of his own pocket, and his approach has been to keep it simple and keep it free.<\/p>\n<p>Business, unfortunately, has never been better.<\/p>\n<p>\u201cData breaches have <a href=\"http:\/\/www.informationisbeautiful.net\/visualizations\/worlds-biggest-data-breaches-hacks\/\">increased dramatically<\/a> since I started, both in terms of frequency of the incidents and the scale as well.\u201d<\/p>\n<p>He points to a handful of reasons. To start, people have more devices connected to the Internet every year, from <a href=\"http:\/\/money.cnn.com\/2016\/11\/30\/technology\/android-phones-infected\/\">phones<\/a> to <a href=\"http:\/\/www.npr.org\/sections\/alltechconsidered\/2014\/01\/16\/263111193\/refrigerator-hacked-reveals-internet-of-things-security-gaps\">refrigerators<\/a> to <a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings\">teddy bears<\/a>. With more connected devices and more accounts created with them, more data is being collected.<\/p>\n<p>\u201cThe cloud is another thing that has exacerbated the whole problem because as awesome as it is for many things, it also makes it very cheap to stand up services, so we\u2019re seeing more services [with logins],\u201d he said. \u201cIt\u2019s also very cheap to store data, so we see organizations hoarding information. 
Companies like to have as much data as they can so they can market to people.\u201d<\/p>\n<p>We\u2019re also entering the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Digital_native\">digital native<\/a> era, a time when more people are online who have never known a time when it was different.<\/p>\n<p>\u201cTheir propensity for sharing information and their sensitivity toward their personal privacy is all very different than it is for those of us who reached adulthood before we had the Internet,\u201d he said.<\/p>\n<p>All of this adds up to more information out there from a lot more sources. And not every company is doing a stellar job of protecting that information or destroying it when it\u2019s no longer needed, which makes it vulnerable.<\/p>\n<p>\u201cThe reason we have these headlines every day is because clearly we&#8217;re not taking security seriously enough,\u201d Hunt said. \u201cThe really big stuff &#8212; like your Twitter and your Facebook &#8212; is very solid these days, and the vast volume of our Internet behavior is on sites that have done a very good job. The problem is when you get to middle or lower tier sites where you&#8217;ve got a lot less funding, and you don&#8217;t have dedicated security teams.\u201d<\/p>\n<p>\u201c<a href=\"https:\/\/en.wikipedia.org\/wiki\/Pwn\">Pwned<\/a>,\u201d which rhymes with \u201cowned,\u201d is a slang term meaning your account has been utterly defeated, cracked and, yes, owned. Shortly after his site\u2019s launch, Hunt added a feature where one can <a href=\"https:\/\/haveibeenpwned.com\/notifyme\">sign up to be notified<\/a> if their email address gets pwned in future data leaks. In February 2017, he hit one million subscribers. When Hunt started, he poked around in forums, dark web sites and even public web sites to find leaked data. What he discovered was fascinating.<\/p>\n<p>\u201cThere is this whole scene where people share data breaches,\u201d he said. 
\u201cIt&#8217;s very often kids, young males, teenagers, who are hoarding data. They collect as much as they can, and they exchange it like they would baseball cards. Except unlike with baseball cards, when you exchange data, you still have the original as well.\u201d<\/p>\n<p>Sometimes data is also sold. When the LinkedIn data breach occurred, it was traded for five bitcoins or several thousand U.S. dollars at the time. Hunt says the data is not typically used to break into the account from which it was hacked. Rather it\u2019s used in an attempt to break into other accounts, such as your bank or your email, which is often the best way to unlock an account. If you reuse passwords, you\u2019re putting yourself at risk.<\/p>\n<p>Today, people get in touch with Hunt when they come across a data breach.<\/p>\n<p>\u201cFortunately I have a reliable trustworthy network that sends me information and makes it a lot easier to maintain the service. It would be very hard for me to go out and source all of this myself.\u201d<\/p>\n<p>Hunt takes great care when he learns of a data breach. His first step is to determine if it\u2019s legitimate.<\/p>\n<p>\u201cA lot of the stuff out there is fake,\u201d he said. \u201cFor example there&#8217;s a lot of news at the moment about Spotify accounts, and these Spotify accounts are just reused names and passwords from other places. They weren&#8217;t hacked out of Spotify.\u201d<\/p>\n<p>Once that box is checked, he reaches out to the company to alert them, which he says is a surprising challenge. Though he works hard to responsibly disclose the breaches to the companies affected, he has many stories of companies who ignore alerts that their customer data has been compromised. 
Finally, he loads the email accounts onto his site alongside those from MySpace, Xbox 360, Badoo, Adobe, Elance and <a href=\"https:\/\/haveibeenpwned.com\/PwnedWebsites\">many more<\/a>.<\/p>\n<p>Hunt also gives talks about information security to audiences around the world with the goal of getting more businesses and developers to approach projects with a defensive mentality. One of his sessions is a <a href=\"https:\/\/www.troyhunt.com\/workshops\/\">\u201cHack yourself first\u201d<\/a> workshop that shows developers how to break into their own work, giving them an opportunity to see offensive techniques first-hand.<\/p>\n<p>\u201cThere&#8217;s like a lightbulb that goes off when people do get first-hand experience with that,\u201d he said. \u201cIt&#8217;s enormously powerful as a way of learning.\u201d<\/p>\n<table bgcolor=\"FFED00\">\n<tbody>\n<tr>\n<td>\n<h2>What can you do?<\/h2>\n<p>At Mozilla, we believe cybersecurity is a <a href=\"https:\/\/blog.mozilla.org\/blog\/2016\/09\/13\/cybersecurity-is-a-shared-responsibility\/\">shared responsibility<\/a>, and your actions help make the Internet a safer, healthier place.<\/p>\n<h3><b>Be smart about your logins <\/b><\/h3>\n<p>As an Internet citizen, there are a few fundamental things you can do to boost your account security online:<\/p>\n<ol>\n<li>Use unique passwords.<\/li>\n<li>Since it\u2019s difficult to remember so many unique passwords, use a password manager.<\/li>\n<li>Use multi-step verification.<\/li>\n<\/ol>\n<p>Check out Mozilla\u2019s <a href=\"https:\/\/blog.mozilla.org\/internetcitizen\/2017\/01\/25\/better-password-security\/\">Guide to Safer Logins<\/a>, which covers these tips in more depth.<\/p>\n<h3><a href=\"https:\/\/advocacy.mozilla.org\/en-US\/stay-secure\/\"><b>Update your software<\/b><\/a><\/h3>\n<p>It&#8217;s all too easy to ignore software update alerts on your phone and computer, but your cybersecurity may depend on them. 
Updating to the latest security software, browser and operating system provides an important defense against viruses, malware and other online threats like the recent <a href=\"http:\/\/time.com\/4779750\/wannacry-ransomware-patch-windows-cybersecurity\/\">WannaCry<\/a> ransomware attack.<\/p>\n<h3><b>Use Lean Data Practices <\/b><\/h3>\n<p>As a business or developer that handles data, you should always be working to create a more trusted relationship with your users around their data. Building trust with your users around their data doesn\u2019t have to be complicated. But it does mean that you need to think about user privacy and security in every aspect of your product. <a href=\"https:\/\/www.mozilla.org\/about\/policy\/lean-data\/\">Lean Data Practices<\/a> are simple, and even come with a toolkit to make them easy to implement:<\/p>\n<ol>\n<li>Stay lean by focusing on data you need,<\/li>\n<li>Build in security appropriate to the data you have and<\/li>\n<li>Engage your users to help them understand how you use their data.<\/li>\n<\/ol>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>As more of our important personal information is stored online behind password-protected accounts, news about data breaches sends us scrambling to find out if our passwords were hacked. One of the best places to find out is Troy Hunt\u2019s website, www.haveibeenpwned.com, where anyone can input their email address to learn if it has been compromised. [&hellip;]<\/p>\n","protected":false},"author":727,"featured_media":21598,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[],"coauthors":[],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Has your password been hacked in a data breach? 
| Mozilla Internet Citizen<\/title>\n<meta name=\"description\" content=\"Worried that your password may have been compromised in a data breach? One of the best places to find out is Troy Hunt\u2019s website, haveibeenpwned.com.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/\",\"url\":\"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/\",\"name\":\"Has your password been hacked in a data breach? | Mozilla Internet Citizen\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2017\/05\/moz_blog_internet-citizen_troy-hunt-pwned.jpg\",\"datePublished\":\"2017-05-29T00:00:00+00:00\",\"dateModified\":\"2017-05-29T00:00:00+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/5c987afc4f606be73692d2acfdd1316c\"},\"description\":\"Worried that your password may have been compromised in a data breach? 
One of the best places to find out is Troy Hunt\u2019s website, haveibeenpwned.com.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2017\/05\/moz_blog_internet-citizen_troy-hunt-pwned.jpg\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2017\/05\/moz_blog_internet-citizen_troy-hunt-pwned.jpg\",\"width\":1920,\"height\":1080},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Has your password been hacked in a data breach? Troy Hunt can help you find out.\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/en\/\",\"name\":\"The Mozilla Blog\",\"description\":\"News and Updates about Mozilla\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/en\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/5c987afc4f606be73692d2acfdd1316c\",\"name\":\"M.J. 
Kelly\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/image\/70718b02fa9f11d88288b937f1da2ac1\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d61ff6a9eb6dd324df20cb773e6c416e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d61ff6a9eb6dd324df20cb773e6c416e?s=96&d=mm&r=g\",\"caption\":\"M.J. Kelly\"},\"description\":\"Mozilla Communications\",\"url\":\"https:\/\/blog.mozilla.org\/en\/author\/mjkellymozilla-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Has your password been hacked in a data breach? | Mozilla Internet Citizen","description":"Worried that your password may have been compromised in a data breach? One of the best places to find out is Troy Hunt\u2019s website, haveibeenpwned.com.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/","url":"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/","name":"Has your password been hacked in a data breach? 
| Mozilla Internet Citizen","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2017\/05\/moz_blog_internet-citizen_troy-hunt-pwned.jpg","datePublished":"2017-05-29T00:00:00+00:00","dateModified":"2017-05-29T00:00:00+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/5c987afc4f606be73692d2acfdd1316c"},"description":"Worried that your password may have been compromised in a data breach? One of the best places to find out is Troy Hunt\u2019s website, haveibeenpwned.com.","breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/#primaryimage","url":"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2017\/05\/moz_blog_internet-citizen_troy-hunt-pwned.jpg","contentUrl":"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2017\/05\/moz_blog_internet-citizen_troy-hunt-pwned.jpg","width":1920,"height":1080},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/en\/firefox\/password-data-breach\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/en\/"},{"@type":"ListItem","position":2,"name":"Has your password been hacked in a data breach? 
Troy Hunt can help you find out."}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/en\/#website","url":"https:\/\/blog.mozilla.org\/en\/","name":"The Mozilla Blog","description":"News and Updates about Mozilla","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/en\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/5c987afc4f606be73692d2acfdd1316c","name":"M.J. Kelly","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/image\/70718b02fa9f11d88288b937f1da2ac1","url":"https:\/\/secure.gravatar.com\/avatar\/d61ff6a9eb6dd324df20cb773e6c416e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d61ff6a9eb6dd324df20cb773e6c416e?s=96&d=mm&r=g","caption":"M.J. Kelly"},"description":"Mozilla Communications","url":"https:\/\/blog.mozilla.org\/en\/author\/mjkellymozilla-com\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts\/62700"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/users\/727"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/comments?post=62700"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts\/62700\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/media\/21598"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/media?parent=62700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/categories?post=62700"},{"taxonomy":"post_tag","embe
ddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/tags?post=62700"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/coauthors?post=62700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}