From YouTube: .NET Foundation Project Spotlight - Have I Been Pwned?
Description
.NET Foundation Marketing Committee member Isaac Levin spoke to Troy Hunt, the maintainer of Have I Been Pwned?. For more detail, be sure to check out the Project Spotlight page
https://dotnetfoundation.org/projects/spotlight?project=have%20i%20been%20pwned?
A
Welcome everybody to another edition of the .NET Foundation Project Spotlight, where we talk about great projects in the .NET ecosystem and how people can help contribute to them. So I'm super excited for my guest today. My guest is Troy Hunt, founder of Have I Been Pwned. Troy, you want to say hello, introduce yourself?
B
A
Sure, sure. Well, for people that might not know about Have I Been Pwned, you want to talk just a little bit briefly about, you know, what it is and how .NET developers can tune into it and see some of the things that you're doing there?
B
Yeah, look, for the most part it's pretty simple: it's a data breach aggregation service, and there's, there's really two parts. One part is there's a lot of email addresses in there, about 11.5 billion email addresses from previous data breaches, and you go to the front page, Have I Been Pwned, and you put your email address in and it's like, yeah, you've been pwned.
A
B
600 something million passwords from previous data breaches that other organizations then refer to as essentially like a disallow list. It's like, these are passwords that are known bad, they're breached, and that sits behind an anonymity API that gets hit almost a billion times a month at the moment. So that, that's what we've rolled out and open sourced into the .NET Foundation.
A
That's great. I think the first thing that people are probably curious about whenever they get an opportunity to chat with you is like, why? Like, why? What, what was it that was about breaches in particular that got you so interested in it? And obviously, with your security background, your technology background, you were probably like, well, I could probably fill a gap here.
B
Well, to be honest, it was, it was equal parts two different things. So part of it was I wanted to build a data breach notification service, because I thought it was interesting for people to see where their data had been exposed, and this was just after the Adobe data breach in 2013, and my data was in there twice, and I was kind of surprised by that. Was it in there twice, because it was like my personal address and my work address, and I'm like, why does Adobe have my data?
B
I was sure I never gave Adobe my data, and then it's like, oh yeah, but I was a big Dreamweaver user, so I gave Macromedia my data, and then Adobe bought Macromedia, and then my data flowed and it's ended up in these places I never expected to. I reckon that's interesting. Maybe other people do. So that was part of it, and then the other part of it, in, in all honesty, was I just wanted to build some stuff on the cloud. So yeah, yeah, I was, I was working for Pfizer at the time.
B
Everyone knows who Pfizer was now. We used to have to go, you know, Viagra, yeah, we make vagrant. Anyway, so coming the vaccine company now we know them as. And I was making a really big push to try and get us into, into the cloud, and particularly into PaaS. I really, really want to push the PaaS bandwagon, and Azure, it was just sort of at that point (for Americans, that's Azure, Microsoft cloud), it was just at the point where there was enough sort of maturity to have some, some really good platform offerings.
B
A
Here we are, yeah. That's, that's really interesting. I think one of the things that really resonates is that you just want to build something, right? So I think one of the things that's really interesting when people talk about like starting up like an idea, right, the first thing they probably think about is like, well, other people use this idea, right? After, like, you get to a proof of concept, right, you did to solve a problem for yourself. How quickly did you figure out?
B
A
Yeah, I, I imagine that was a very interesting moment for you, right, when, oh, like, look mom, I'm on CNN. Like, I imagine that your life, I don't want to say your life changed overnight, because that's cliche, but it was one of those things probably where, like, oh, this is probably something that I just can't, it's not something that just I can just put away really easily, right, something that people actually pay attention to. And you know, you mentioned, you know, millions upon millions upon millions and billions of requests a month, right? Like it's, yeah.
A
B
Basically wanted to do hello world on the cloud, but actually be useful, right? So I wanted to build something that, that would serve a purpose, and I thought what would be fun is to sort of push. I thought it was going to push table storage, putting 155 million records, and of course now there's, there's.
B
What do we have, a hundred times that? And, and so far, touch wood, it's actually running quite well. But the bit that I didn't expect in terms of like pushing boundaries was, was seeing traffic, and, and the traffic was actually really interesting, because it wasn't just like large amounts of traffic. It's the way traffic ramps up and, and, and then backs off, and I was, I was so excited about things like auto scales. This is so cool.
B
It's like, when I need more platform, I'm just gonna get more platform, and then when I need less platform, get less platform. And I had not thought through many of the things that would later happen, such as it could be on like prime time British TV Sunday night. And it's really interesting when you're on TV, because it wasn't me, but it was the service.
B
Obviously, because you've got, let's, let's say it's millions of British people sitting around in their lounge rooms, drinking the tea, and it's on the TV, and everyone like picks up their device at the same time and enters the URL at the same time. It's not like it's in a link somewhere in a story and people gradually come across a story and they read at different rates and they get down to there and your traffic ramps up.
B
It's just like traffic, traffic, traffic, bam, straight like that, and, and stuff stops working, yeah, in a, in a PaaS world, the way I had it configured at the time. So this actually gave me like lots of cool opportunities to go, all right, well, how do we architect this thing so that, not only so that it can deal with that, but so that I can still run the service for free?
A
As well, yeah. I imagine that there's an opportunity probably, and I don't know how much of a masochist you are, but you could probably take a snapshot of those requests in, like, you know, the point in time where you became famous, right? Like, because it's flat, flat, flat, and then this huge spike. Like, I'd imagine that being like a picture frame that goes on a wall somewhere, and people like, hey, what's that? It's like, oh, that's the time that I got famous.
A
B
Actually got a pretty good idea of when. It, it's not ever been sort of consistent, which is part of the, the interesting thing, but in January 2019, yeah, here it is. So January 2019 is the point that's at a hundred. Actually, no, this is interesting. Why is this? I need a longer period of time, it's only over the last year. But January 2014 I knew was kind of really, really crazy, because I loaded this like massive 700 something million record credential stuffing list. Now that is the biggest spike, yep.
B
A
Yeah, and one of the things I think it's, it's super interesting, especially with Have I Been Pwned, is that it's not just, it originally was just you coming up with the hello world and the cloud surf concept, but I think very, very quickly, like, you know, government entities took a look at and said, oh, we could, we could leverage this in a positive way. So how was that experience, like when, you know, governments across the world are reaching out, he's like, hey, so your data, can we like use it?
B
Well, it was, it was really interesting that the, the first sort of government relationship, and just to quantify this, there's 22 relationships with different governments around the world at the moment, and these are giving the governments API level access to query all of their government domains. So often there's like an allow list based on a TLD, so star.gov.iu, for example. And this came about because I was in, in London doing, doing a user group one time, and it was, it was massive.
B
This is what Skills Matter in London, a couple hundred people there, and, like, I do my talk and then people are asking questions, and someone asked me a question about government, and this was, I think, like Snowden memories were still really fresh, and this guy's like, isn't the government just always out there trying to get you, they're trying to screw you with your data? And I'm like, like, no, they're actually doing really, really cool things, and everyone I've met in government has been super awesome.
B
They paid a fraction of what they would be anywhere else, but they're trying to make a difference to the world, and every single person someone you'll actually be with. So then someone from the NCSC, the National Cyber Security Center, came up to me afterwards and he's like, thanks man, like, you just don't get enough love. And, and we sort of struck up this relationship and started having this discussion about, well, would this data be useful? And, and he sort of said, yeah, but look, it's really, it's really hard to get paperwork through government.
B
It's really hard to get money from government. How's that, I'll fix that: no paperwork, and just have it for free, and that will be fine. And, and now I'm actually literally maintaining a little black book of every government I've got that is on the list yet to come. This is my Australian Cyber Security Center book. So there's a, a pipeline in here, so I've knocked off Trinidad and Tobago, Dominican Republic, Finland, Belgium, Paraguay and Uruguay. I got both the guys, which is good. And, and we just keep working through governments and it's it.
B
A
Yeah, that's, I mean that's, it's really, really crazy to think about that, like you actually have a list of like governments that you want to interact with to like help, you know, broaden their security paradigms, which I think is awesome. I want to kind of pivot a little bit to, you know, your experience as somebody who's recently open sourced something like this, right? Like what has been the general like community feedback? You know, obviously, before it became open source, a lot of people knew about it.
B
B
Are always good. Now, I announced the intention to open source in August last year, and then it took us until, when was it, probably May this year, was about a month ago, so it took quite some time. And I, I think that what has been interesting is to just sort of separate the, the public perception and the expectations of open source with the reality of it. And what I mean by that is that when I announce it in August, I think a lot of people like, oh cool.
B
So now you just basically make the repo public and, and job done. It's like, no, no, no. First of all, it's only ever been me writing it, and I know I've put stuff in, in that code base that I shouldn't have, you know, it's in revision histories and things, so I've got to have like a clean version of that also.
B
So I was worried about that, and fortunately, after I did open source, and it is a very discrete, finite, manageable piece of code, there were a bunch of PRs, which was great, and a bunch of them came from a friend of mine who was one of the first adopters of Have I Been Pwned's Pwned Passwords into EVE Online, the massive online multiplayer game. So this guy had years of history, we've had beers together around the world. He's someone I knew and trusted, and I was like.
B
Can I give you the keys, and, you know, you can start being a little bit responsible for accepting PRs? And that's helped a lot. So I was really hoping to have people from the community sort of step up and want to not just contribute code, but I guess start to ship at the direction that it goes as well. And I hope.
A
That there's more of that moving forward as well. That's great. I think also one thing that's really interesting with that is that, like, you mentioned something that I find is, is very compelling, like you meant like it's, it, like your app isn't something like groundbreaking, right?
A
It's like, it's not going to turn the world upside down by, like, it's not sophisticated algorithms, you're not going to make millions and millions of dollars like with like the tech itself, but like the implementation is simple enough that people can help contribute to, even though, at the end of the day, people see security and they're like, oh, I don't know, like, security might be a bit terrifying.
A
I'd like to get your thoughts too, like, you know, obviously, now that it's open source and people can contribute to it, and you mentioned something that I think is very interesting about stepping away, not sipping away per se, but like, Troy doesn't scale very well long term burn for an open source, right? So, like, you know, what are your thoughts about, you know, bringing on co-contributors like our co-maintainers to your project and, you know, having like the ecosystem grow that way?
B
Sorry, I need a succession plan, not just the sharks but the jet ski, I'm not sure which one's more dangerous. But anyway, so there needs to be survivorship for the service, for the service as a whole, and at the moment, obviously, we're just looking at this Pwned Passwords bit. And what I like about the idea of, of open sourcing, not just the code, but for Pwned Passwords we could actually open source the data. In fact, the data was already open source, all the data already published out there anyway.
B
So what I like about this is that not only can people just like pick it up and run their own, but people can also use the online service. They can use the APIs as they stand, use the anonymity model with the confidence that, if I do have a shark related incident, they can turn around on the spot, take all the code, take all the data, maybe they have to invest a few days worth it or something, but then stand up their own implementation.
B
So I think it's really important that, in order for the service to grow, people have confidence of its longevity, and ultimately this has always sort of been the goal, right? Like that the best possible thing we can do post data breaches is make this data as broadly available as possible for the right purposes, and whatever road leads us in that direction, like, that's the one to follow.
A
Yeah, I mean, I think it's pretty clear, right, you're not in this to make a bunch of money, you're in this to amplify potential opportunities where people can kind of get hooked, right? Like, I think that's something that's really, really impactful, right? It's not like, you're not selling a service, you're, you're giving away the access for people to be able to do things on their own, right?
B
Yeah, yeah, and look, that's, that's, that's always been the first priority, and as I said publicly many times before, there are parts that haven't been paying people pay for, and there's 1Password product placement there so that I do earn from that. But particularly the Pwned Passwords bits there, there is no channel by which that earns any money whatsoever. Unless it's like someone pops up and says, I really like you paying passwords, can you come and speak at our commercial conference for us and talk to us, yeah?
B
B
A
So one of the things I think, as we're wrapping up, that I think is really impactful is, like, say for instance I'm a .NET developer and maybe I've been using the service for a bit. I go to haveibeenpwned.com all the time, and I, I want to feel, I want to get a better understanding of the work that you've done and maybe contribute. Like, what are the best ways for folks to do that?
B
Well, there, there is, I have a vampire repository at github.com. I managed to rescue back that repository from someone who's squatting on it, which is, I was actually very happy about that. So anyway, you can go there. That's got, there's actually three repositories in there. So there's, there's the Have I Been Pwned Pwned Passwords Azure function and the storage implementation there. There's another repository that's got all the Cloudflare Workers, so there's some really, really cool stuff that happens on the edge, and, and for the super nerdy folks.
B
A
B
A
So again, Troy, I want to thank you so much for hopping on, chatting with us about, you know, the Have I Been Pwned project and the fact that's part of the .NET Foundation. Do you have any closing words or anything additionally you'd like to say?
B
No, look, I mean, other than to thank everyone who's actually been contributing to, to it, because there's a lot of people that have contributed. If not code, then they've contributed data that they've found floating around the place, or just, just given it air time and giving it exposure. And you know, that's, that's made it what it is today. It would be nothing if it was just me sitting here in isolation doing it. So it's always been a community effort, and I'm glad that that code is now there in the community as well. Awesome.
A
Well, again, Troy, thank you so much for hopping on and chatting with us. For the folks checking out, so the Project Spotlight page is going to have a ton of information about Have I Been Pwned and how you can give back or just learn more. So that's everything for me. Thank you, everybody. Enjoy the rest of your day.