Troy Hunt, the security expert who handles the breach notification website Have I Been Pwned, announced late last week that he is ready to make the code behind the site available in open source.
Have I Been Pwned allows users to verify whether their emails or passwords have been exposed as part of a data breach and has become the place to go for information when massive data breach dumps become public.
Over the past couple of years, the site’s popularity has increased after an API that allows for the fast search of compromised account data from third-party products and services started being integrated into browser extensions, applications, mobile software, notification websites, and the like, including Firefox and LastPass.
Hunt now says that the time has come for the project to evolve into open source, especially given the fact that community contributions to Have I Been Pwned have increased significantly recently.
“Every single byte of data that’s been loaded into the system in recent years has come from someone who freely offered it in order to improve the security landscape for everyone. Many of the services that HIBP runs on are provided free by the likes of Cloudflare,” Hunt says.
He also notes that the community has contributed to the code behind the website as well, either through the use of publicly available content or through direct support for the project.
“The philosophy of HIBP has always been to support the community, now I want the community to help support HIBP. Open sourcing the code base is the most obvious way to do this. It takes the nuts and bolts of HIBP and puts them in the hands of people who can help sustain the service regardless of what happens to me,” Hunt says.
The move to make the code open source would also addresses concerns regarding the manner in which the service runs (such as the fact that it does not log any of the searches), while helping identify people who can help the project evolve, he notes.
Hunt also points out that the process of moving to open source isn’t an easy one, and that the transition will take some time, with support from people who understand what needs to be done, but no timeframe for when the process will be completed has been provided.
“Then there’s the privacy side of it all: my own personal data is in those breaches and your data almost certainly is too because there are literally billions of people that have been impacted by data breaches. Regardless of how broadly that information is circling, I still need to ensure the same privacy controls prevail across the breach data itself even as the code base becomes more transparent,” he also says.
Related: BlackBerry Releases Open Source Reverse Engineering Tool
Related: Apple Releases Open Source Password Manager Resources
Related: IBM Releases Open Source Toolkits for Processing Data While Encrypted

More from Ionut Arghire
- Xenomorph Android Banking Trojan Targeting Users in US, Canada
- $200 Million in Cryptocurrency Stolen in Mixin Network Hack
- Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
- Nigerian Pleads Guilty in US to Million-Dollar BEC Scheme Role
- City of Dallas Details Ransomware Attack Impact, Costs
- In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover
- Air Canada Says Employee Information Accessed in Cyberattack
- BIND Updates Patch Two High-Severity DoS Vulnerabilities
Latest News
- The CISO Carousel and its Effect on Enterprise Cybersecurity
- Xenomorph Android Banking Trojan Targeting Users in US, Canada
- $200 Million in Cryptocurrency Stolen in Mixin Network Hack
- Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
- Nigerian Pleads Guilty in US to Million-Dollar BEC Scheme Role
- 900 US Schools Impacted by MOVEit Hack at National Student Clearinghouse
- City of Dallas Details Ransomware Attack Impact, Costs
- In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover
