Have I Been Pwned goes open source, collaborates with FBI

Popular data breach website, Have I Been Pwned, is going open source via the .Net Foundation, owner Troy Hunt announced on Friday. Hunt also revealed details about a collaboration between the FBI and HIBP.

The announcement came at a time when HIBP sees significant growth. The site hit 926.92 million requests last month, inching ever closer to the billion mark, as stated by Troy in a tweet on Thursday. 

Going open-source with .NET

Troy had first announced plans to open-source the site in August 2020. After that initial announcement, Claire Novotny, executive director of the .NET Foundation — an independent 501(c) non-profit organisation — reached out to him and offered support.

According to Troy, HIBP’s existing dependency on the Microsoft stack makes the .NET Foundation a ‘perfect fit’. Its simple codebase, its own domain, Cloudflare account and Azure services all combine to make the whole process easier, and the fact that the data driving HIBP is already available in the public domain adds to the convenience.

Speaking of natural fits, Pwned Passwords is perfect for this model, and that’s why we’re starting here. There are a number of reasons for this:

1. It’s a very simple codebase consisting of Azure Storage, a single Azure Function and a Cloudflare worker.

2. It has its own domain, Cloudflare account and Azure services, so it can easily be picked up and open-sourced independently to the rest of HIBP.

3. It’s entirely non-commercial without any API costs or Enterprise services like other parts of HIBP (I want community efforts to remain in the community).

4. The data that drives Pwned Passwords is already freely available in the public domain via the downloadable hash sets.

Verbatim via Troy Hunt: Pwned Passwords, Open Source in the .NET Foundation and Working with the FBI

Troy hopes that this will ultimately bring wider adoption of the service, both because of the transparency that comes with an open-source codebase and because people may run their own instances of the service, giving them fallback options.

FBI to feed passwords into HIBP

It’s no surprise that the FBI is involved in numerous digital investigations, regularly coming across compromised passwords used by criminals. According to Troy, the FBI reached out to him looking for a way to get these passwords into HIBP and out into the public domain.

According to Bryan A. Vorndran, Assistant Director of the Cyber Division at FBI, “We are excited to be partnering with HIBP on this important project to protect victims of online credential theft. It is another example of how important public/private partnerships are in the fight against cybercrime.”

Image: FBI’s flag at its HQ, J. Edgar Hoover Building, Washington

The passwords will be fed into the HIBP system by the bureau and made available. Obviously, the volume and frequency of this will largely depend on the cyber investigations ongoing at the time. The data provided will be in SHA-1 and NTLM hash pairs, which, according to Troy, “aligns perfectly to the current storage constructs in Pwned Passwords”.
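To make the hash-pair point concrete, here is an added example (not HIBP’s or the FBI’s code) showing what a defender does with data in this shape: compute a password’s SHA-1 and NTLM hashes and look them up in a local copy of a Pwned-Passwords-style hash set. NTLM is MD4 over the UTF-16LE encoding of the password; MD4 is implemented inline because many OpenSSL 3 builds ship it only in the legacy provider, so `hashlib.new("md4")` is not reliably available. The hash-set lines use the `HASH:COUNT` layout of the downloadable sets, but the entries and counts below are constructed for the example, not taken from the real data.

```python
"""Look up a password's SHA-1 and NTLM hashes in a local Pwned-Passwords-style set.
Added example, not HIBP code. The password never leaves the process."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest in pure Python (fine for a handful of hashes)."""
    msg = bytearray(data)
    msg.append(0x80)                                  # pad: 1 bit, then zeros
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # bit length, LE

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                           # round 1: words in order
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2: columns 0,4,8,12,1,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 3: bit-reversed index
            k = int(f"{i:04b}"[::-1], 2)
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form used in the SHA-1 hash sets."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def ntlm_hex(password: str) -> str:
    """Uppercase hex NTLM hash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex().upper()


def load_hash_set(text: str) -> dict:
    """Parse 'HASH:COUNT' lines into {HASH: count}. Blank lines are ignored."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        counts[digest.upper()] = int(count)
    return counts


# Constructed sample sets: hashes of a few weak plaintexts with made-up counts.
_SAMPLE_PLAINTEXTS = {"password": 1000, "123456": 500, "letmein": 42}
SAMPLE_SHA1_SET = "\n".join(f"{sha1_hex(p)}:{n}" for p, n in _SAMPLE_PLAINTEXTS.items())
SAMPLE_NTLM_SET = "\n".join(f"{ntlm_hex(p)}:{n}" for p, n in _SAMPLE_PLAINTEXTS.items())


def pwned_count(password: str, sha1_set: dict, ntlm_set: dict) -> int:
    """How often the password appears in the local sets (0 = never seen).
    Both hash forms are checked so a hit in either list counts."""
    return max(sha1_set.get(sha1_hex(password), 0),
               ntlm_set.get(ntlm_hex(password), 0))


if __name__ == "__main__":
    sha1_set = load_hash_set(SAMPLE_SHA1_SET)
    ntlm_set = load_hash_set(SAMPLE_NTLM_SET)
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {pwned_count(candidate, sha1_set, ntlm_set)} times")
```

Loading the full downloadable sets into a dict is not practical at their real size; there the usual approach is to binary-search the hash-sorted file or import it into a database, with the same hex-and-count fields as above. Because the NTLM side hashes UTF-16LE rather than UTF-8, a password containing non-ASCII characters produces different input bytes for the two lists, which is why both are computed from the string rather than from one byte encoding.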

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.