
Have I Been Pwned gets major refresh with celebratory confetti, unified dashboard, and more


The official Have I Been Pwned (HIBP) website has just undergone a significant redesign, marking its biggest update in years. If you do not know what that is, Have I Been Pwned is the go-to service, created by security researcher Troy Hunt, that allows anyone to quickly check if their email address or phone number has been compromised in known data breaches.

Fun(?) fact, its creator Troy Hunt had an 'oops' moment himself, getting phished and having his blog's Mailchimp mailing list nicked back in March this year. This new website, the result of work that began with its first public code commit in February 2023 and saw a soft launch of the new brand in March 2024, is now fully live, offering a refreshed experience and a host of new features.

Have I Been Pwned website refresh

The last time we reported on HIBP was back in 2021, when the service received a substantial password boost from collaborations with law enforcement agencies such as the FBI and the UK's National Crime Agency. Those partnerships poured millions of compromised passwords found during criminal investigations into the "Pwned Passwords" feature.

One of the most noticeable changes is to the main search function. Hunt’s team has injected a bit of levity; users who search an email and find no breaches are now greeted with celebratory confetti:

Celebratory confetti if your email has not been pwned

If your email has been pwned, the results are presented on a scrollable timeline in reverse chronological order, clearly summarizing each breach. However, direct username and phone number searches have been removed from the website's front page to reduce confusion and support overhead, as these data types were only ever loaded for two specific incidents and are harder to parse reliably than email addresses. These search types remain supported via the API to avoid breaking existing integrations.

Email Breach History on Have I Been Pwned

Each data breach now has its own dedicated page, displaying information more clearly and offering targeted advice on what actions to take. Future plans for these pages include more specific guidance, such as highlighting if a breached service supports two-factor authentication or passkeys, and even incorporating localized data breach advice by partnering with national cybersecurity centers.

A new unified dashboard now centralizes features that require email verification, like checking sensitive breaches, managing API keys, viewing stealer logs, and accessing the much-improved domain search feature, which is now a snappier single-page application with enhanced filtering.

Have I Been Pwned Dashboard

Under the hood, Hunt detailed "The Nerdy Bits," confirming that the service still runs on Microsoft Azure, using App Service, serverless Functions, SQL Azure, and storage accounts, primarily with C# and .NET 9.0. The frontend is built with Bootstrap, SASS, and TypeScript. It also makes extensive use of Cloudflare, now relying exclusively on Cloudflare's Turnstile for anti-automation, having dropped Google's reCAPTCHA entirely. Hunt emphasized the importance of Turnstile in preventing bot abuse without placing unnecessary burdens on legitimate users.

Hunt also shared that AI, particularly ChatGPT, played a significant role in the rebuild, assisting with numerous coding and configuration tasks, especially during the project's final crunch time.

Source and images: Troy Hunt
