Have I Been Pwned is looking for a new owner

Troy Hunt has revealed he’s looking for an acquirer for the breach notification service he set up more than five years ago — aka: Have I Been Pwned.

In a blog post discussing the future of the service, Hunt details how traffic to the site has exploded since January when he uploaded a massive 773M record list of breached emails and passwords that could be used for automated unauthorized logins (aka credential stuffing).

“The extra attention HIBP started getting in Jan never returned to 2018 levels, it just kept growing and growing,” he writes, saying he realized he was getting close to burnout trying to manage the service solo. Hence his decision to seek an acquirer.

HIBP has ridden a wave of growing concern about data breaches and Internet security, with Hunt taking the decision to accept a commercial sponsorship via a partnership with password manager firm 1Password last year.

Its growing profile has also led to the service finding favor with governments wanting to monitor their own domains.

Sketching what he hopes to achieve with more resources behind HIBP, Troy writes: “Imagine a future where I’m able to source and process much more data, proactively reach out to impacted organisations, guide them through the process of handling the incident, ensure impacted individuals like you and me better understand our exposure (and what to do about it) and ultimately, reduce the impact of data breaches on organisations and consumers alike. And it goes much further than that too because there’s a lot more that can be done post-breach, especially to tackle attacks such as the huge rate of credential stuffing we’re seeing these days. I’m really happy with what HIBP has been able to do to date, but I’ve only scratched the surface of potential with it so far.”

At this stage Hunt says he’s met with KPMG’s M&A division to discuss the process of finding a new owner, although he also says he intends to remain personally involved in the service.

“In meeting with the M&A folks, it quickly became apparent how much support I really needed,” he writes. “The most significant thing that comes to mind is that I’d never really taken the time just to step back and look at what HIBP actually does. That might sound odd, but as it’s grown organically over the years and I’ve built it out in response to a combination of what I think it should do and where the demand is, I’ve not taken the time to step back and look at the whole thing holistically. Nor have I taken enough time to look at what it could do… but there’s so much potential to do so much more and I really needed the support of people that specialise in finding the value in a business to help me see that.”

Hunt’s blog includes a list of “commitments for the future of HIBP” — including that he remains a part of it, and that “freely available consumer searches should remain freely available”. (Albeit ‘should’ is not the same as ‘will’.)

Other items on his wish list are more capabilities for the service; reaching a larger audience; playing a bigger role in changing consumer; greater support for organizations to use HIBP; and “more disclosure — and more data”.

“There’s a whole heap of organisations out there that don’t know they’ve been breached simply because I haven’t had the bandwidth to deal with it all,” he notes on the latter — a sentence that should send a chill up spines everywhere. 

There’s no named acquirer in the frame as yet, although Hunt sounds like he has a short-list — writing that there’s “a solid selection [of potential acquirer organizations] that are at the front of my mind” and “also a bunch that I have enormous respect for but are less well-equipped to help me achieve this”.

He also says he considered but dismissed taking VC to scale the service into a company himself — as it would inevitably amp up his responsibilities when he’s looking for a way to spread the load.

“As the process plays out, I’ll be working with KPMG to more clearly identify which organisations fit into the first category,” he goes on. “As I’m sure you can imagine, there are some very serious discussions to be had: where HIBP would fit into the organisation, how they’d help me achieve those bullet-pointed objectives above and frankly, whether it’s the right place for such a valuable service to go. There are also some major personal considerations for me including who I’d feel comfortable working with, the impact on travel and family and, of course, the financial side of the whole thing. I’ll be honest – it’s equal parts daunting and exciting.”

A couple of commenters on the blog post ask Hunt whether he’s considered/approached Mozilla as a potential owner — and in a reply to one he writes: “Being a party that’s already dependent on HIBP, I reached out to them in advance of this blog post and have spoken with them. I can’t go into more detail than that just now, but certainly their use of the service is enormously important to me.”