Profile Interview: Troy Hunt

Troy Hunt is a security professional whose reputation not only precedes him, but it does so deservedly. He’s a world-renowned Pluralsight author, having written more than 40 top-rated web security training courses to date. His security community contributions have seen Microsoft recognize him as both a regional director and most valuable professional for developer security, despite not actually being an employee of the company. He won AusCERT’s Individual Excellence in Information Security award and the Grand Prix Prize for the Best Overall Security Blog at The European Security Blogger Awards – and I haven’t even mentioned the huge success of his data breach search service HaveIBeenPwned? yet.

In June, Troy added yet another feather to his security cap by becoming the latest inductee into the Infosecurity Europe Hall of Fame at Infosecurity Europe 2019. As part of the induction ceremony, he gave a fascinating lecture exploring the current data breach landscape, and offstage I simply couldn’t pass up the opportunity to sit down with him to learn his story.

Troy grew up in Victoria, southern Australia, with a passion for outdoor sports which existed quite some time before he developed an interest in technology.

“As a kid, I was far more interested in going outside and kicking a football, and I remember being really upset with my mates who wanted to stay in the classroom and play with the computers that were just making their way into schools at the time,” he says.

If he wasn’t outdoors playing sport, Troy’s mind was normally busy planning his dream future career as a pilot. “My Dad was a pilot, and I guess kids often want to do what their parents do. My Dad started talking me out of it because the industry wasn’t what it once was.”

On the Move

Troy didn’t get his first taste of the computer bug until his early teens when he and his family moved from Australia to the Netherlands. He lived there for two years, and it was a dramatic change in climate that forced him to take up some more ‘sedate,’ indoor hobbies. “The weather was not so great there,” he laughs, “and I ended up spending a lot more time inside. I started, like many people, playing computer games, and part of that was inevitably trying to find cracks in games – pulling them apart and seeing what made them tick – there’d often be cracks and things floating around.”

Another family move then saw Troy call Singapore home for three years, where he completed his schooling and, immersed in a buzzing tech environment, was able to develop his computing skills and even earn his first bit of money.

“It helped me a lot living in Singapore, because this was during an era when there was a much bigger gap in technology between places like Singapore and Japan, and places like Australia. Back then, you’d walk into one of the technology shopping centers in Singapore and you’d see things you’d never seen before in Australia.”

So with access to more sophisticated and innovative technology, Troy was able to pick up some part time work at a satellite systems engineering company, doing things like computer rebuilds and tech support, and continuing to hone his tech skills.

When Troy was 18, his parents decided that Australia was the best place for the family to live long-term, and picked the sunny, beach-laden destination of the Gold Coast. There, Troy was able to get back into outdoor sports and physical activity, namely windsurfing and martial arts, and even dabbled in the idea of becoming a professional sportsperson for a time.

“I was good at windsurfing,” he says, “probably not good enough to be professional, and windsurfing is not like tennis or golf, where you’re going to make a heap of money at the top, but I was very into that. I was very into Kung Fu too – I just wanted to do something physical. I guess it harks back to those days when I was in primary school and I wanted to kick a football and my mates were all on those damn computers!

“It would have been an odd tangent,” Troy admits, “and your chances of actually making a good living out of professional sport are not very good.” Therefore, when it was time to make a realistic decision about what the right path might be for him, he opted to take the tech route.

Eleanor Dallaway inducted Troy Hunt into the Infosecurity Group Hall of Fame in June 2019

Who Needs Uni?

“I started computer science at Griffith University in Brisbane, in 1995, and that was the first time that I ever saw the web,” Troy says. “I thought, ‘wow this web stuff is amazing – I want to build stuff for the web’ – but I couldn’t do any internet-related courses because they didn’t exist then.”

That was a real source of frustration for Troy who, at the same time, was doing some part time work locally helping people set up their PCs and connecting to the internet, along with trying his hand at building a few basic websites for companies. “Remember, 1995 was really early days for the internet, but I couldn’t do any internet courses and as I got more and more work I ended up going part time at University, and then dropping out altogether because there was all this demand to build websites.”

Not that Troy has ever viewed dropping out of university as a negative for him – far from it. “I mean, it’s not something I would necessarily encourage others to do, but it seemed to work for people like Bill Gates and Steve Jobs, although unfortunately I haven’t quite achieved their success!

“In all seriousness though, university was the right thing to do at the time, and even today I think I would tell people that if you’re trying to find your path it’s a good thing to do. What’s different now compared to 20 years ago though is that, back then, there was a lot of pressure to get a degree and have the professional expertise, but I’ve never experienced a single moment when not having that has been an issue for me. Today, so much knowledge is obtained through other channels that are not traditional education. I’ve never regretted not finishing it.”

I don’t doubt Troy, and it’s certainly accurate to say that cutting his computer science degree short has never stopped him from achieving amazing things in the tech industry. Nonetheless, I wonder if there has ever been even a small inkling to go back and finish what he started?

“I actually did look into finishing it, many years ago!” he says. “I’d done about 75% of the credits I needed for the degree, and I thought to myself that it couldn’t be that hard to finish it. Well, I was told my credits had expired; so I said ‘well hang on, if I’d completed the degree, would it be expired now and I’d no longer have a degree in computer science?!’ Apparently it doesn’t work like that, but hey, I’m a bit anti-establishment anyway, so I thought ah screw you guys, I don’t need it.”

He did need a steady source of income after dropping out of university though, and so he spent two years working as a proprietor at Gold Coast-based Dynamic Programming Solutions. There he built various online systems used by a number of local organizations, predominantly in the travel and gambling industries, before taking a trip to London in 1999 to spend a year working for Proxicom.

As a senior developer, Troy worked extensively with classic ASP, Cold Fusion and interactive TV interfaces. He even built the original user interface for the Cahoot online bank. “That was really cool because that was really early days for online banking,” Troy says, “and Cahoot was a very non-traditional, funky bank.”

He soon then found himself back in Australia, with a stint at interactive TV company ICE Interactive, building client side interfaces before joining Pfizer, where he stayed for 14 years.

There, he operated within various developer and architect roles. “Eventually, I started hating my job,” he says honestly, “because I was effectively being a manager and not actually doing the stuff that was enjoyable: I wasn’t building code. I wasn’t getting to do it in my day job, but I was expecting other people to do it, and I was feeling disconnected.”

Ironically, it was Troy’s discontent with his job at Pfizer that inspired him to launch HaveIBeenPwned? (HIBP) in December 2013, before he was “very fortuitously” made redundant and so had more time on his hands to dedicate to developing his new project.


HaveIBeenPwned?

“I always say that my motives [for creating HIBP] were split 50/50. Part of it was that I wanted to make a data breach search service so that people could discover their exposure, but the other part of it was that I was missing coding. I wanted to write some code and make something that used a good volume of data and had some substance to it.”

So that’s how HIBP first came about, and Troy recalls several pivotal points over the years that saw the site gather real pace and attention. “When I look back at it, even a few weeks after it first went out, it started getting media attention, which surprised me greatly. Back then, it was basically just a little website with a small amount of data [in retrospect] that indexed things that were publicly available on the internet anyway.”

However, it was the notorious Ashley Madison breach of 2015 that really amplified the profile and scale of HIBP, Troy explains. “That was in the public eye so much, and HIBP got a lot of attention because the Ashley Madison data went in it. Mind you – the Ashley Madison data wasn’t publicly searchable; you had to prove that you controlled the address you were searching for because it was such a sensitive breach.”

Then came January this year when Troy published the Collection 1 credential stuffing list, including 773 million email addresses, and “that was a massive point of growth and social awareness,” he says.

When I ask Troy if HIBP is his proudest career achievement, his answer is a resounding yes. “I’m proud of the exposure it’s got, and I’m proud of the difference it has made to people. I speak to people who tell me they use the site in their organization to do everything from raising awareness about security to identifying risks to the company. That’s really fulfilling, particularly because, with something like this, you’re often sat at home in isolation, late at night, plugging away at things, and you never know if it’s going to be successful or not.”

Well, it’s been successful alright – so much so that, due to the site’s substantial growth, popularity and widespread use, Troy recently went public with his plans to enter an acquisition process which will allow HIBP to develop at the pace and scale that it now needs.

“It’s time for HIBP to grow up,” he says. “It’s time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that’s able to do way more than what I ever could on my own.

“To be completely honest, it’s been an enormously stressful year dealing with it all. The extra attention HIBP started getting in January never returned to 2018 levels, it just kept growing and growing. I made various changes to adjust to the workload, perhaps one of the most publicly obvious being a massive decline in engagement over social media.”

So Troy has decided that now is the right time to find a new home for HIBP, and he is well underway with the process of finding the right acquirer who can, he believes, take the site to where it needs to be with more capabilities, wider reach, greater behavioral impact and, of course, more data.

Project Svalbard

“I’ve made this decision at a time when I have complete control of the process. I’m not under any duress (not beyond the high workload, that is) and I’ve got time to let the acquisition search play out organically and allow it to find the best possible match for the project.”

He’s even given the process a name: Project Svalbard. “One of the first tasks was to come up with a project name for the acquisition because apparently, that’s what you do with these things.”

He says there were many horribly kitschy options that leaned on overused infosec buzzwords, and then he had a thought: “What’s that massive repository of seeds up in the Arctic Circle? I’d seen references to it before and the idea of a huge vault stockpiling something valuable for the betterment of humanity started to really resonate.” It turns out the place is called Svalbard.

“I’m really happy with what HIBP has been able to do to date, but I’ve only scratched the surface of potential with it so far. HIBP may only be less than six years old, but it’s the culmination of a life’s work. I had a few false starts along the way, and it took a combination of data breaches, cloud and an independent career that allowed me the opportunity to make HIBP what it is today, but it’s finally what I’d always hoped I’d be able to do. Project Svalbard is the realization of that dream, and I’m enormously excited about the opportunities that will come as a result.”

It’s Good to Talk

Exactly how HIBP will look if/when it’s acquired remains to be seen, although Troy fully intends to be a part of its future even post-acquisition: “HIBP’s brand is intrinsically tied to mine and at present, it needs me to go along with it.” He is also determined to remain an active, public-facing member of the infosec community, which involves a LOT of public speaking engagements, addressing audiences all around the world.

Troy admits, though, that prior to 2011 and receiving his MVP award from Microsoft, he had not done a great deal of public speaking, so the last several years have been a bit of a learning curve in that regard. “I had done a lot of blogging and speaking internally in my roles at Pfizer, but after I got the MVP award, I thought to myself well you’re kind of meant to be doing public speaking.”

So Troy threw himself into the public speaking arena. “I think the first time that I felt as though I had really made it on the public speaking side of things was at the NDC Software Developers Conference in Norway in 2014. Then it was like ‘OK, now I’m on the world stage at a big, international event that’s highly-regarded.’ That talk went absolutely fantastically and I got 100% positive feedback from an overflowing room.”

I ask Troy if he enjoys having that exposure to a public audience. “I enjoy it a lot,” he says. “You get to reach a lot of people, and you get a lot of good vibes from people too. I’ll come off stage and there’ll be a whole bunch of people that want to take selfies and shake your hand and everything – that’s a really good feeling. There’s definitely some adrenaline from that.”

It’s not always easy though, Troy admits, and he often has to deal with substantial amounts of jetlag as he travels around the globe, simultaneously managing all of his speaking activities.

“The whole thing does feel like a very delicate balance at times,” he says. I bet it does, and knowing that Troy has not long been on a very long distance flight from Australia to London and is no doubt feeling the effects as we speak, I bring the interview to a close grateful for the opportunity to hear his story.
