For the last several years, Have I Been Pwned has proven a valuable way to determine whether your email address is connected to a wide number of data breaches. Following a failed acquisition process, Troy Hunt, the man behind the project, has decided to open-source the Have I Been Pwned code base to help it last.
“The single most important objective of [the mergers and acquisitions] process was to seek a more sustainable future for HIBP and that desire hasn't changed; the project cannot be solely dependent on me,” he wrote in a blog post. “Yet that's where we are today and if I disappear, HIBP quickly withers and dies.” As such, he’s calling on others to support the service, and believes that “open sourcing the code base is the most obvious way to do this.”
Hunt noted there were a few reasons for this, including the prevalence of open source projects and the fact Have I Been Pwned has always been “open in spirit.” On a practical level, it’ll enable others to fix bugs and implement ideas that he’s not necessarily able to.
It’ll take some time to fully open up the code base, and Hunt plans to do so gradually. “The transition from completely closed to completely open will happen incrementally, bit by bit and in a fashion that's both manageable and responsible,” he wrote.
It’s a complex process, especially when you consider the highly sensitive troves of data that make Have I Been Pwned an important service. While much of that data is already in the wild, Hunt said he needed to ensure “privacy controls prevail across the breach data itself even as the code base becomes more transparent.”
Some other services, particularly password managers, also help people monitor whether their data or credentials have been included in a breach. Still, Have I Been Pwned is perhaps the best-known such resource, allowing people to search find out whether their email address is among billions of records from hundreds of data breaches. Taking steps to ensure it’ll remain available in the long run is a welcome move on Hunt’s part.