Troy Hunt
Creator of @haveibeenpwned. Microsoft Regional Director. Pluralsight author. Online security, technology and “The Cloud”. Australian.
Oct 25 5 tweets 1 min read
Was confused whilst doing my live stream just now why there was a sudden spike in DB usage on @haveibeenpwned. Turns out it was related to *dropping* this constraint: ALTER TABLE [dbo].[Domain] ADD CONSTRAINT [CHK_DomainName_Pattern] CHECK (([dbo].[IsDomainValid]([DomainName])=(1)))
Oct 9 9 tweets 3 min read
Hi folks, yes, I'm aware of this. I've been in communication with the Internet Archive over the last few days re the data breach, didn't know the site was defaced until people started flagging it with me just now. More soon. Looks like someone compromised a polyfill JS file on a subdomain to inject the alert, but that doesn't explain the root site being down
Oct 8 21 tweets 6 min read
This was a very uncomfortable breach to process for reasons that should be obvious from @josephfcox's article. Let me add some more "colour" based on what I found: Ostensibly, the service enables you to create an AI "companion" (which, based on the data, is almost always a "girlfriend"), by describing how you'd like them to appear and behave:
Sep 25 4 tweets 1 min read
Another cool little @Cloudflare thing that snuck out recently is this very simple security.txt creator. It's a simple form-based configuration that takes the basics of a security.txt file in the following interface:
Jul 29 7 tweets 2 min read
Our Aussie Cyber Security Act is going to be interesting to watch unfold not just in its initial form, but as it evolves over the years. IMHO, great steps forward, but let's look at those arguments *against* it abc.net.au/news/2024-07-3… "Business groups say the new disclosure rules, and the proposed $15,000 fines for failures to disclose a payment, could sink some small operators." - you only get fined if you don't disclose, so... don't hide the breach!
Jul 19 22 tweets 5 min read
Something super weird happening right now: just been called by several totally different media outlets in the last few minutes, all with Windows machines suddenly BSoD’ing (Blue Screen of Death). Anyone else seen this? Seems to be entering recovery mode. The issue is worldwide: dailymail.co.uk/news/article-1…
Jul 6 9 tweets 3 min read
Let's start with what should be obvious: any infosec story that includes a headline about "largest", "greatest", "worst", or similar superlatives should be regarded with suspicion right from the outset. That said, let's delve into this one: cybernews.com/security/rocky… Firstly to the title - "RockYou". This harks back a decade and a half to a 2009 data breach that exposed 34M records. It was particularly noteworthy as the passwords were in plain text: en.wikipedia.org/wiki/RockYou
May 25 18 tweets 5 min read
A thread on this because the more I looked into it, the more I wanted to say about it: Firstly, this has come after @zackwhittaker's article which boils down to "it's stalkerware and it has appeared in a bunch of hotels it maybe shouldn't have and we know this because it has vulns disclosing what's captured and the company isn't responding" techcrunch.com/2024/05/22/spy…
May 10 19 tweets 5 min read
So this is an interesting one for several reasons. Firstly, the defacement which was obviously designed to antagonise a conservative media company. Maybe someone with an axe to grind, but definitely evidence of breach. Then there are the 3 different classes of data set published at the bottom of the defacement, let's go through each by file name:
Jan 31 12 tweets 4 min read
Alright folks, this is starting to smell like bullshit. Not the alleged breach (which smells bad for reasons I'll explain in a moment), but the "AI" line from both Europcar and the PR agency that just emailed me pitching someone's hot take on it. Here's why: Firstly on the legitimacy of the data, a bunch of things don't add up. The most obvious one is that the email addresses and usernames bear no resemblance to the corresponding people names. For example:
Oct 30, 2023 7 tweets 2 min read
We often receive comments to the effect of “we want to purchase a @haveibeenpwned subscription but our company doesn’t allow us to use a credit card”. What is the financial reason behind this?

This is a very small portion compared to those that *do* pay by card, but why is this? To add to this, having spent 14 years at Pfizer I’d see policies like this all the time. But it’s also not like there was a blanket ban: try going on a business trip and asking the person at the noodle shop you’re having lunch at to raise an invoice on 60 day terms 🤣
Sep 8, 2023 4 tweets 2 min read
Let me add some more context to the Dymocks breach, starting with giving them a massive pat on the back for responding so quickly. It was less than 48 hours ago between me contacting someone there via LinkedIn and them having sent disclosure emails to customers. Massive kudos! What's not as clear from the story is the extent to which the data was already circulating before I was able to get in touch with them. Multiple Telegram channels and a popular *clear web* (not dark web) forum were broadly circulating the data.
Jun 16, 2023 12 tweets 4 min read
Crikey Miele 🤦‍♂️ Ah, so that’s why. Up until 10 minutes ago…
Jun 8, 2023 19 tweets 8 min read
Had a weird thing happen with @AzureApiMgmt that caused the public @haveibeenpwned API to start getting laggy, especially around 1 week ago. It went from ~220ms response times 90 days ago to over 1 second up until yesterday. Scaled out an instance and now we're down to ~70ms. This is despite very consistent performance of the underlying @AzureFunctions app. Something started gradually going south at the APIM level and I'm continuing to look at that with the team there.
May 30, 2023 10 tweets 5 min read
Ok folks, here’s the next edition of “Troy’s IoT Hell” 👿

Recently I had to make a call between buying the older Yale Assure locks sold locally here in Aus or the newer one only sold in the US. This was for 2 locks, one for the front door and one for the front (undercover) gate. I went with the newer ones from the US as they were smaller, looked a lot neater, support Matter (with a coming add-on module) and only took a few days for shipping. They look *great*!
May 24, 2023 10 tweets 2 min read
Got an unexplainable Azure Function problem which I suspect will have an obvious answer once I start explaining it to other people, so here goes: I have a function with a queue trigger that makes an outbound HTTP call after the queue item is picked up. I can place messages in the queue and see them disappearing moments later, but the outbound call never gets sent.
May 22, 2023 42 tweets 16 min read
So @Charlotte_Hunt_ is selling a fridge on Gumtree and immediately starts getting messages like this. The first one gets a bit of “no, we can discuss here” and they disappear. This one… gets a burner address to see how weird shit gets. What’s the angle? There’s always an angle… 🍿
May 17, 2023 8 tweets 3 min read
This is interesting reading regarding the .zip TLD. However, it's of near zero consequence to phishing attacks, read it first then I'll explain: medium.com/@bobbyrsec/the… Read it? Good, here's the problem: let's start with the opening para which asserts that you can't quickly tell which URL is legit due to the .zip TLD. That's true, you can't. But which URL in the second image is the real Google blog site?
Jan 5, 2023 10 tweets 3 min read
A couple of quick pieces of commentary now then I'll do some deeper analysis later on: Firstly, the 98% "pwned before" rate clearly indicates the email addresses were taken from other data breaches then used to query the vulnerable API. Later on today, I'll run a sample set of the data and see if there's any obvious patterns as to where this data comes from, but I suspect it'll be credential stuffing lists such as Collection #1.
Jan 5, 2023 12 tweets 3 min read
And now, for my next project: More bits:
Nov 23, 2022 8 tweets 2 min read
What’s the driving force behind many infosec people jumping from Twitter? Unhappy with Elon’s cuts? Or who he’s letting back into the platform? A genuine belief he’s driving it into the ground? Other? Everything seems normal from here, why the exodus? Nothing really not already covered in the above tweet has come through in the responses, I think those 3 really cover it. My 2c: