author photo
By Bruce Sussman
Tue | Jun 11, 2019 | 8:41 AM PDT

The tweet went out to the universe at 1:37 a.m.

It was December 4, 2013, and cybersecurity researcher Troy Hunt was up late to launch his new website called Have I Been Pwned?

His launch tweet received 58 likes:


Fast forward to May of this year, and Troy Hunt tweeted an update on the website's traffic. There are several million requests each day by people and companies around the world who want to know: have I been pwned?



What started as a cybersecurity side project gets regular mentions now in mainstream media. Global web traffic has followed.

Have I Been Pwned is up for sale

HaveIbeenpwned?, as you are probably aware, is the website where you can search to see if any of your accounts have been compromised in a data breach.

At the time of this publication, it housed an incredible database of 7,859,520,210 pwned accounts. That's more than 7 billion (with a B) compromised accounts. This is actually part of the problem:

"And to date, every line of code, every configuration and every breached record has been handled by me alone. There is no 'HIBP team,' there’s one guy keeping the whole thing afloat," writes Hunt in his post on selling the site and its data.

This isn't just a workload issue either; I was becoming increasingly conscious of the fact that I was the single point of failure. And that needs to change."

And that change, Hunt says, is to sell his project.

He also says the idea of hiring a team to run the site is not appealing to him because he believes it would increase the responsibility and pressure he is trying to reduce.

7 things Troy Hunt wants to do by selling

At the same time, however, he clearly has bigger dreams for the website and its data which new ownership might make possible. Here are seven things he wants to accomplish through the sale of HIPB:

  1. Freely available consumer searches should remain freely available. 
  2. "I'll remain a part of HIBP."
  3. "I want to build out much, much more capabilities wise."
  4. "I want to reach a much larger audience than I do at present."
  5. There's much more that can be done to change consumer behavior. 
  6. Organizations can benefit much more from HIBP.
  7. There should be more disclosure—and more data.
In the meantime, there will likely be a number of suitors going after this kind of data traffic and what it represents. 

"As I'm sure you can imagine," Hunt writes, "there are some very serious discussions to be had: where HIBP would fit into the organisation, how they'd help me achieve those bullet-pointed objectives above and frankly, whether it's the right place for such a valuable service to go."

Troy Hunt using consulting firm to sell HIBP

Hunt says he's using KMPG's M&A folks to help with the sale of have I been pwned. This already forced him to do something unexpected:

"One of the first tasks was to come up with a project name for the acquisition because apparently, that's what you do with these things."

He's named it Project Svalbard. Hard to say, he says, just like pwned. And Svalbard is a massive repository of seeds up in the Arctic Circle, not terribly unlike the repository of data breach records he holds.

Plus, it's a Norwegian name, and that was the country where he delivered his first international speech on cybersecurity. 

The timing of Have I Been Pwned sale

Should we worry about the future of all the data living at Is this an emergency liquidation? Is Hunt broke and needing to cash out right away?

All signs point to no.

"I've made this decision at a time where I have complete control of the process. I'm not under any duress (not beyond the high workload, that is) and I've got time to let the acquisition search play out organically and allow it to find the best possible match for the project.

And as I've always done with HIBP, I'm proceeding with complete transparency by detailing that process here. I'm really conscious of the trust that people have put in me with this service and every single day I'm reminded of the responsibility that brings with it."

We are thankful that Troy Hunt takes that responsibility seriously.

And we are sure his announcement—and how it developswill be a topic of conversation during networking breaks at SecureWorld this summer and fall

Visit Hunt's website to read his complete blog post on the decision to sell HIBP. You will learn additional insights about Hunt, the project, and his aspirations for where it could go from here.