
Have I Been Pwned’s Password Program Is Now Open Source, Accepting Data from FBI


Nearly a year ago, the data breach tracking platform Have I Been Pwned (HIBP) announced plans to become an open source project. The first step in that transition is now complete—HIBP’s Pwned Passwords code is open source and available on GitHub. The change provides transparency for HIBP, and oddly enough, opens the door to contributions from the FBI.

Have I Been Pwned keeps track of data breaches and collects stolen data, allowing people to check if their email addresses or passwords have been compromised. Now that HIBP is open-sourcing its Pwned Passwords code, it can accept contributions from the FBI and other organizations that may have insight into data breaches and cybercriminal activity.

In other words, the FBI isn’t meddling with HIBP’s code. It’s just giving data to HIBP in the form of SHA-1 and NTLM hash pairs, not plaintext passwords. Bryan A. Vorndran, Assistant Director of the Bureau’s Cyber Division, states that the FBI is “excited to be partnering with HIBP on this important project to protect victims of online credential theft.”

But why start with the Pwned Passwords code? According to HIBP founder Troy Hunt, open-sourcing Pwned Passwords was just the easiest place to start. Pwned Passwords is basically independent from the rest of HIBP, with its own domain, Cloudflare account, and Azure services. Plus, it’s non-commercial, and its data is already available to the public in downloadable hash sets.

Hunt hopes that open-sourcing Pwned Passwords will provide greater transparency for the HIBP service and allow people to build their own Pwned Passwords tools. It’s a big change from 2019, when Hunt considered selling HIBP.

You can find the Pwned Passwords code on GitHub, licensed under the BSD 3-Clause license. The open-sourcing process is still ongoing, and Hunt is asking people in the open source community to help HIBP develop an ingestion pipeline for contributors like the FBI.

Source: Have I Been Pwned via ZDNet

Andrew Heinzman