‘I Didn’t Expect it to Get So Big”: Interview With Have I Been Pwned? Creator Troy Hunt

Why Trust Techopedia

Have I Been Pwned lets you identify whether your email address has been compromised in any data breaches — and millions of internet users have cybersecurity expert Troy Hunt to thank for letting them know they are at risk of being exploited.

Even if you consider yourself tech-savvy and try to ensure your personal information is protected, it only takes a data breach at an online retailer to get your personal details out there.

Have I Been Pwned” lets you identify whether your email address has been compromised in any data breaches, enabling you to secure your accounts promptly. The site also offers a notification service for new breaches, allowing you to check your passwords against a database of known compromised passwords.

Troy Hunt’s brainchild provides valuable insights into the frequency and scale of data breaches, encouraging better online security practices to help you protect your personal information.

So Techopedia sat down with Hunt to discuss the origins of Have I Been Pwned, how the website works, his plans for the future of the site, what individuals can do to protect their personal information, and more.

About Troy Hunt

Troy Hunt

Troy Hunt is an Australian security researcher and founder of the data breach notification service Have I Been Pwned? Hunt has a background in software development specializing in information security, and is a regular conference speaker and trainer.


He regularly appears in the media, works with government and law enforcement agencies, and has appeared before U.S. Congress as an expert witness testifying on the impact of data breaches. Hunt regularly blogs at troyhunt.com from his home on the Gold Coast.

Hunt is an information security author and instructor at Pluralsight. Since 2011, Hunt has been a Microsoft Most Valuable Professional, specializing in developer security and technologies.

Since 2016, he’s also been a Microsoft Regional Director, a title awarded to “the world’s top technology visionaries for their proven cross-platform technical expertise, community leadership, and commitment to business results.”

Key Takeaways

  • Have I Been Pwned lets you identify whether your email address has been compromised in any data breaches.
  • The best way to protect your personal information is to use a password manager.
  • The most common misconception about cybersecurity is thinking that you’re not a target because you’re just a normal, everyday person.
  • To help make data breaches less damaging, don’t reuse passwords on multiple sites.

What is Have I Been Pwned?

Q: How does Have I Been Pwned work?

A: Have I Been Pwned is a breach aggregation and search service. When there’s a data breach, and the data is distributed, usually publicly, I aggregate it in one location.

Then I notify people who have asked to be told when they’re seen in the data breach, and I make it searchable so they can figure out how far they’ve been exposed.

Q: How does the website work?

A: It’s just email addresses that are aggregated into the search service. You only need an email address to search. An email address is a little bit like the key to your digital life because that’s usually the thing you leave pretty much on every website that you sign up to.

So all people need to do is enter an email address, and then the system searches through the repository of more than 13 billion breached records that are currently in the system.

Q: When did you build the site and why?

A: It was very much a pet project that I started in 2013, in part to build a data breach service, and in part because I just wanted to write some code and build a bit of a project.

I didn’t expect it to get popular. I didn’t expect it to get as big and as well-known as it is.

It was really there just to help people try and understand how far their data had been exposed because my belief at the time — and one that has been proven to be true over the years — is that most people don’t know just how many data breaches there are daily.

The Future of Have I Been Pwned

Q: What has happened to the website over the years? Why did it get so popular?

A: I think it got popular because it’s a very simple concept. It’s just literally a search box. You put your email address in, and it comes back and tells you something interesting.

It’s also popular because people are shocked at how far their personal information has been exposed.

It also got very popular because it’s a service that targets everybody. You don’t have to be a technology person or a cybersecurity person.

My parents use it; my kids use it. It’s relevant to anyone with an email address. And because of that it got picked up by the mainstream media very quickly.

Q: Do you have any plans for the future site?

A: A lot of the work at the moment is around making sure that something that was just a personal pet project is something that can succeed me, as it’s very dependent on me at the moment.

Now that it’s become such a fabric of the Internet, we want to make sure that it’s more sustainable beyond just me — whether I have an accident, or I’m no longer interested in running it one day, or when none of us is going to be here.

I want to ensure that the thing has some sustainability. That doesn’t sound very exciting. But that’s kind of one of the first steps.

And beyond that, I’d really just like to give people more insights into the breadth of data about them that has been exposed and the impact it has on them. And I’ve got a few little ideas around that. But most of what I’m doing at the moment is just making it sustainable as it needs other people to support it.

Right now, it’s just my wife, Charlotte, and myself. But what we need are other people that are able to write code and are able to maintain the cloud services.

But the difficulty we have is that for something that’s a pet project that we deliberately wanted to keep small and personal, to make it viable in the long term, it needs some other people. And we do have some plans for that. But it’s a difficult thing, letting go of your baby.

Shortly after this interview Hunt announced that he had hired the site’s first full-time, production-ready employee, Stefán Jökull Sigurðarson. “This is both a massive commitment on Charlotte’s and my part and a leap of faith on Stefán’s,” Hunt said in his announcement.

How To Protect Your Personal Information

Q: What are the best ways for people to protect their personal information?

A: The number one thing you can do is use a password manager because a password manager helps you create strong, unique passwords on every website. So if you were in a data breach the password that was exposed was only useful on the site that was breached. And it was a very strong password because it was a randomly generated set of letters and numbers, so your risk is isolated just to that one service.

That is the absolute number one thing, followed by things like using multi-factor authentication. Don’t just have a username and password. We’ve also got universal two-factor, security keys, such as YubiKeys, they’re a great way of solving the problem too.

So anything that doesn’t just use the same password on every service is a massive step forward.

Q: What is the most common misconception about cybersecurity?

A: I think probably the most common misconception is thinking that you’re not a target because you’re too small or you’re just a normal, everyday person. Everyone is a target if you’re online. We all have different levels of risk and different levels of impact; however, every single person is a target just by virtue of being online.

Minimizing the Damage

Q: Is there any way we can prevent data breaches?

A: No, not as individuals. A lot of the work that I do is around cybersecurity training and education.

So if we’re trying to prevent it by patching the vulnerabilities, we’re avoiding the vulnerabilities that lead to cybercrime in the first place.

But as an individual, you really have no idea when you go to a website how that data is being stored, or if it’s being backed up to somewhere publicly facing, or if there’s a weak administrator password.

We have no idea, so we can’t prevent it from happening. All we can do is lessen the impact.

Q: What can we as individuals do to help make data breaches less damaging?

A: There’s a combination of things. We can certainly do things like not reuse passwords because that means that being breached in one place might get cybercriminals into somewhere else.

Using multifactor authentication, minimizing the amount of data that we provide to third parties to only what is necessary to actually perform the task of whatever it is you’re there for.

You don’t need to provide your date of birth to buy a T-shirt. That’s about the extent of what we have within our control.


Related Reading

Related Terms

Linda Rosencrance
Technology journalist
Linda Rosencrance
Technology journalist

Linda Rosencrance is a freelance writer and editor based in the Boston area, with expertise ranging from AI and machine learning to cybersecurity and DevOps. She has been covering IT topics since 1999 as an investigative reporter working for several newspapers in the Boston metro area. Before joining Techopedia in 2022, her articles have appeared in TechTarget, MSDynamicsworld.com, TechBeacon, IoT World Today, Computerworld, CIO magazine, and many other publications. She also writes white papers, case studies, ebooks, and blog posts for many corporate clients, interviewing key players, including CIOs, CISOs, and other C-suite execs.