In April, the US Federal Bureau of Investigation found itself with a rather radioactive bounty on its hands.
FBI agents had seized the stolen credentials for 80 million accounts from a notorious darknet marketplace, many of which would already have been bought, sold and traded between criminals.
But, as it planned physical raids on the website’s operators, the FBI had to figure out how to alert these victims to the danger they were in.
The owners of these accounts were at serious risk of identity fraud, but who wants to receive an email from the FBI?
Instead, they gave Troy Hunt a call.
“We email backwards and forwards. Sometimes we talk on the phone,” says Troy casually. “It’s just a strange sign of the times.”
Over the course of a few days leading up to the raid, Troy and the FBI agreed on a plan to use Troy’s data breach notification service, Have I Been Pwned.
As the operation played out, the FBI transferred the bare minimum details of the 80 million compromised accounts to Troy’s server.
Then, on the appointed day, the darknet marketplace’s website was replaced by an FBI take-down notice. In the centre of the page, alongside the logos of 14 international law enforcement agencies, was the advice to visit Have I Been Pwned “to determine if you have been victimized”.
On the face of it, Have I Been Pwned was an unconventional choice — and not just because of its name.
Troy Hunt has no employees and manages all of the technical and operational aspects of Have I Been Pwned single-handedly. And until his wife Charlotte took over the administrative side last year, Troy had been doing that part as well.
The FBI was placing a whole lot of trust in this one guy on the Gold Coast.
It poses a serious question — why?
www.abc.net.au
