
Loading summary
A
Hey, everyone. I'm super excited to be sitting down with Troy Hunt. He's a renowned security expert with a reputation for getting beyond the complex and technical and distilling all the noise down to what really matters to protect ourselves. He runs the website haveibeenpwned and was named a most valuable professional by Microsoft. If you don't know it, have I Been Pwned? Is a free resource that tells you if your data has been stolen based on your email address. What I want to know is what this age of AI, massive data breaches and shifting digital trust mean for online security. What's next, and what we need to do to be ready for this new world. Let's find out. Hey, Troy, so happy to be with you here today. Maybe to jump right into things. You know, what I really want to know is your perspective on the threat landscape online in 2025, 2026. What does it look like now and how is it different from what we've seen in years past?
B
I was almost going to answer before you said, how's it different? I was almost going to answer about how it's the same because one of the things we keep seeing a lot of lately, social engineering attacks, and I think everyone's like, okay, can we talk about AI and how's AI destroying everything? Because that's the expectation. But fascinatingly enough, a lot of the big attacks we're seeing now are still from kids, either legally kids or I guess by our standards, kids. You know, they're very young adults and they're still managing to socially engineer, support this and big cloud providers and get access to data. So I think it's fascinating that, that that bit stays the same and the thing that we're really expecting to come and revolutionize everything hasn't made a big dent yet.
A
Well, and it's, you know, that's really interesting because it's kind of, you know, what I'm taking from that is it's still so easy and we're so bad at protecting ourselves at a fundamental level. Like, is it fair to say we don't even need to think about worrying about these super advanced tools as individuals because we're still falling for the same basic traps.
B
I think a lot of it's just a recognition of these are really complex systems. I mean, as an example, think about how many times you go through and you even try to do something like my telco. I have been trying to update the credit card on my telco for weeks. I cannot figure out how to do it, you know, and I Think a lot about user interfaces and systems and things, or trying to set up passkeys for service. So many of these things are so complex with so many moving parts and we as the individuals and as the defenders need to get it right every single time. And the bad guys have just got to get it right. Once, you know, they find that one flaw, and particularly once they can develop a technique that they can just apply over and over and over again, they run rampage. And this is where we're seeing names like Scattered Spider is the one that's popular at the moment and we have seen a rest of this. And again they're either kids or very young adults and they just find this pattern, particularly in a certain industry sector and they just rip through it.
A
So tell me a bit about Scattered Spider.
B
Well, I think it's in a way it's a little bit like remember back in the day it was anonymous, right? So probably 15 years ago it was anonymous and everyone was anonymous and we are legion and we never forgive and forget and all the rest of it. So it seems to be a little bit of a collective term. There are inevitably people who are more the ringleaders of this group. But what they seem to have become very good at is finding, I guess, repeatable flaws in things. Like, you know, we see alerts from the likes of the FBI or Australian Federal Police which will say be on the lookout for social engineering attacks, social engineering attacks from this group or members of this group that target things like support systems. And that's not necessarily finding a technical vulnerability or some novel advanced hack. It is simply finding vulnerabilities in the process and the humans behind the process.
A
So groups like this and the kids you're speaking about, are they more going after organizations and kind of professional business systems or do we need to be worried about them as individuals as well, Compromising our bank information or any of our personal accounts.
B
It's a good question and I think part of it speaks to motivation. So what are they out there for? Traditionally we've said, look, there are the hacktivists who are out there just because either there's a cause or they pretend there's a cause, but they want the notoriety and the, I guess, the satisfaction. There are the career criminals, those who are after the money and they're looking for something that has return on investment. And then there's the nation states, which is a self explanatory whole other area. And I think when we look at this criminal element and we say where is the value? Ransomware, we still obviously See a lot of compromises of large organizations that then lead to ransom, albeit not the traditional. We've encrypted your files, give us money, we'll give you the key back. It's more the threat of disclosure and many of these cases, but of course there's still targets against individuals. We know even here in Australia where we've only got less than 30 million people, we're doing about $3 billion a year worth of ransomware, or rather financial fraud against individuals. So I think ultimately everyone's a target. And if you look at it as a business, you know, if you're a young, budding, enterprising cyber criminal, where is the highest and best use of your time to get the best return on your effort?
A
Well, so let's maybe start by answering that question so that we can understand that landscape best. And I'm still fascinated that the first group you came up with was the kids, right? It wasn't the nation states, it wasn't these kind of bigger players. It's the fact that everyone down to kids can be potentially threat actors that we have to deal with. So if you're call it a bedroom threat actor or this long tail of, you know, just kind of your garden variety cyber criminal here, where is your best bet that you would want to go after in terms of making some money off of this?
B
I think there's maybe a two part answer. One is where is the money? But also how accessible is the money? I mean, the money is with the banks. They are extraordinarily well resourced and well secured and you effectively have to pretty much fit into that nation state, North Korea kind of category before you manage and get serious money from banks. Crypto wallets are definitely a big thing. I see huge volumes of attacks against crypto wallets. I'm the recipient myself. Geez, only very recently I just get getting spam after spam after spam, looking to get into a crypto wallet from a particular provider of which I don't have a service at all. But hey man, it's like email's cheap to send. So I'm just getting the shotgun approach. And evidently they will get some tiny fraction of 1% of people to hand over their crypto wallet key and know and then the rest is history. The extortion to organizations, of course, that they look at big organizations and go, well, if you're a multi million, multi billion dollar company, you've got a lot of money. Asking for a million bucks might not be a lot of money to them. And I'm sure that there are many, many incidents that never hit the news that do actually pay out as well.
A
Yeah. And that's my sense as well. Having worked with a number of organizations who, you know, find themselves vulnerable to ransomware, it feels like it's a lot more prevalent than you may think, just based on the fact that people don't necessarily want to announce it. And, you know, what we've seen and what some of our own experts in house are saying is often you're better off just paying the ransom and moving on, even if that's not what you want to announce that you're doing, because the harm that these organizations can cause is pretty severe. Do you work with organizations who have been hit by ransomware, and what advice do you typically give them?
B
Well, I mean, I don't provide service in that area. I mean, normally I work with organizations that have had data breaches. I think that the rationale of paying the ransom, it's a tricky one because there's a business continuity argument to be made. If I pay the ransom, will I get my business back online and will I stop bleeding money? And I think that was an argument that could be made a lot more in the earlier days where ransomware was loss of availability. Data would be encrypted, pay for the key. You usually got the key because, hey, it'd be bad business, you know, not to give the key. We need to make sure people know you pay, you get your files back. Now that that has pivoted to disclosure as well, and the leaking of files on ransomware sites, I think that's a harder argument to make because you never got any guarantee. Then of course, you know, then it's like, we'll pay the money, and if data is encrypted, we'll give you the key and we'll delete the data. Promise. Trust the cyber criminal to delete the data. So I think that's problematic. We just passed legislation in Australia which mandates the disclosure of organizational ransomware payments. So at least we can start to quantify the problem because, yeah, to your point earlier, there's probably a lot that goes unreported. We know there's a lot that goes unreported. So if we can't quantify the problem, it's very hard to work out proper measures and controls for it.
A
Right. So on the data breach side, I thought I read somewhere, and keep me honest, Troy, I thought I read somewhere that after the Ashley Madison data breach that you were kind of called in for some advice on how to deal with that, Is that true? Did I make that up?
B
Certainly not to Avid Life Media. I think they probably paid huge amounts of money for lots of advice. None of it to me, unfortunately. But look what it did, is it, it really highlighted the risk to many organizations. I mean, if you think about, let's say non technical, non security pros that are sitting on board, C Suite executives, everybody saw the news about Ashley Madison. This wasn't some sort of industry news thing. Everybody was seeing it on mainstream tv, on radios, and that was a discussion around all these boardroom tables. How do we make sure that we're not the next Ashley Madison? And certainly I did speak to many organizations that raised that question because suddenly they're getting not just pressure from their board, but interest. It's very hard to get money for cybersecurity, particularly from the likes of board members who may not understand it. But when they see that headline and they're like, how do we not be the next Avid Life Media and have our 30 plus million records over the Internet? Yeah, that got traction.
A
So, you know, data breaches, you've talked about how they've evolved over the years and you know, the approaches that criminals have taken and their trustworthiness has changed. How should companies be thinking about them right now? You know, you certainly hear about this notion that you can't necessarily protect yourselves from a data breach forever. You know, first of all, do you buy that? Should we be thinking more about response or more about, you know, protection or both?
B
I think we've got to recognize that there are no absolutes. You know, you're never going to be protected and that's it. And now you're fine. You know, what you're doing is you're mitigating against certain risks and you're mitigating at the likelihood of it happening. You're mitigating against the impact of it happening. And a good example of that is investing in penetration tests to make sure there's no obvious flaws. Is a great one for likelihood. A great one for impact is simply not retaining data you don't need. We've had so many data breaches both here in Australia and around the world where there's been huge volumes of data that are from customers that haven't been there for decades. My parents came around recently and they gave me a letter that was put in their mailbox from an organization that had had a data breach and it was addressed to me. Now I haven't lived there since the 90s. It was a financial services company called Latitude. It was A big news story here in Australia and for some reason I can't remember what it was. Maybe I had a car loan when I was like 20 years old or something, but they still had mondata. So as it relates to things like impact, how do we reduce the amount of data we have in the first place? And going back to the point about convincing board members and getting money that the problem that people in these security positions have is they need to go and ask for money and say, look, if you give me this money and we do a really good job, nothing will happen. Well, hang on, how much more money do we make? Well, none, but hopefully you won't lose money. So it's a very difficult position to make.
A
So how do you make that position? Because I agree with you, having that conversation with the board is a lot of this all comes down to money and getting the mandate to do that. How do you typically work with organizations to convince boards that this is worth it, even if that means that nothing happens is the best case scenario?
B
Yeah, well, very often, I guess the bit that I get involved in, I don't really do any consulting anymore, but I do a lot of public speaking. And then people say, look, we want to get you to come along, talk about data, which is scare everyone just a little bit, like tell some good stories that make people go, I don't want to be the next whatever organization. And unfortunately, what tends to happen is we seem to wait for some major incident. Ashley Madison was one of them. In Australia, we had our second largest telco and our largest health insurer, both have major data breaches at the end of 2022. And suddenly everyone was interested and the government passed legislation about various things and organizations went out and spent more money. I got invited to do a bunch of talks to companies that I wouldn't have done other. And that seems to be the catalyst. And when you think back to Ashley Madison In 2015, one of the things that happened after that were people were saying, well, are we now going to take it seriously? Is this the watershed moment? Are we going to get on top of this? We can't let this happen again. And a decade plus on here we are and it happens every day.
A
Yeah, well, and it's really interesting because that, I mean that in our culture was such, in some ways a watershed moment in terms of the impact that it had on people. Right. You know, there were suicides that came from it and it's people's, you know, most sensitive and, you know, naughtiest information and, you know, so it's interesting to me because, like, if that's not going to convince people, you know, what. What is? And one of the, one of the things I've found as just, you know, an individual is that I almost am saturated by these stories of data breaches in the news. Like, there's so many of them, I'm like, oh, yeah, another one, Maybe I'm impacted, maybe I'm not. And like, a sense of almost resignation that comes from helplessness. Is that something you're hearing about? And what do we do about that as individuals and as organizations?
B
Well, there's definitely a degree of apathy. And I almost wonder if it's a little bit like you go on the news and you see there's been some horrible car crash somewhere and you're like, I'm going to drive safe now, you know, and then that solves the problem. I think it's a combination of apathy, it won't happen to me. The probably, the look, if it's a car crash, we can all imagine what it would be like and the ramifications of that. If it's something like a data breach. I think a lot of people have trouble thinking through what that might actually mean, not just to your online life, but to your IRL life. You know, that might mean someone has enough information, start going and opening bank accounts. That might impact your credit, that might impact your ability to buy a house in the future, you know, like real world impacts. And I don't think people necessarily think through that. And it's still something. It happens a lot, but to a tiny fraction of people as well. So there's folks sitting there going, well, you know, I'll be fine. Let me just download this free wallpaper tool, you know, while I'm here and install that on my PC.
A
Yeah, so when you're telling these stories, you know, on sort of your speaking tours, to create that, you know, that little bit of fear, whether it's in individuals or organizations, what are the stories you're finding that are actually resonating with people and making them say, oh, okay, maybe we should be taking this a little more seriously.
B
It's a combination of things. Look, certainly the ones that people have seen in the news, seen the impact. I like to tell stories that sort of show, look, this is, this is the sorts of data that came out and the consequences thereafter. I like also finding lots of. And this pivots the discussion slightly, but lots of amusing examples. There are some very funny data breaches out there. And I realize that sounds bad as I say it, but there's some very funny services and some funny stories behind them. If I can get people sort of leaning forward and engaged and going, wow, this is a really interesting story. You know, I think that hits home as well.
A
So what's an example of a funny data breach or one that engages people and that they might not otherwise have processed?
B
Yeah, I think the one that comes up the most that people sort of shake their head at. And you'll have to figure out whether you need to bleep any of this or not. But there is an online service called Shit Express, and this is a real website. And you can go there and to put it in the more, perhaps the more appropriate term, you can order a box of feces online to be delivered to a recipient. Now, you want to do that anonymously for obvious reasons. Sure. So they talk about all of this anonymity on the site. Now, this is. I had seen this in the news before. It's actually a real website. It's still up there. Anonymity, obvious reasons. But then they have a data breach. And when they have a data breach, all of the information inside this service gets leaked. And as I do the talk on this, I guess, isn't it funny? And that's all this anonymity. See the bit we have to pay by credit card on stripe and leave all your personal details, like, how anonymous do you think this is? Anyway, so it gets leaked. And there's a little snippet I use in there where one person has gone, as I refer to it in the talk, a shitposting rampage. But they've gone through and sent multiple boxes to a bunch of these names. And there's about six or seven different names on there. And they're very upset about things to do with legislation in America. And I, as an Australian who watches the news, didn't recognize the names, except for one. And this is the names of the recipients, incidentally. The IP address of the sender is on every single record. And the one name I recognized was Brett Kavanaugh because he'd been in the news. And then I started Googling the other one. Ah, they're all High Court judges. Someone has gone and sent boxes of feces to High Court judges with the expectation of anonymity. There's been a data breach. Now here it all is.
A
Right? Right. Suddenly we know who's sending the shit to the Supreme Court.
B
Add this to the list of things I didn't expect to learn today.
A
Yeah, no, that was not on my bingo card, Troy. So thank you for that. When we think about how people traditionally respond to these data breaches, when we think about how they traditionally think of them, is there any information out there that to you is either misinformation or unhelpful? It's traditional thinking that people talk about, but you kind of say timeout. That's not the way I would approach this.
B
I think what I'd suggest is we need a bit of a reframing about what classes of data represent risk versus what classes don't and risk to whom. Now, a good example of this is I see so many data breaches where there'll be a disclosure from the organization and they'll go, they always start by saying, at such and such a company, we take your security seriously. And I'm like, oh, this isn't going to be good. As soon as it starts that way, it's going to be bad. And they'll say, you know, we had a cyber incident by a malicious threat actor at a third party, so just like watering the whole thing down. And then they'll say, your email address, your name, your password, your home address, your phone number have all been exposed. The good news, your credit card is fine. And I'm like, well, hang on a sec. I have had my credit card defrauded many times, and I'm careful, but I'm also human and I'm online and I go to restaurants and strange places sometimes. In my experience, every time the credit card has been defrauded, American Express, for example, picks it up pretty quickly. I get a call, they're like, look, we've found these transactions. Were they, you know, they weren't me, okay, we'll cancel them. We're going to cancel the card. I get a new one in the mail a few days later, I'm fine. Now, on the other hand, someone's password gets exposed. That is their password, singular. That's the one they use everywhere. So this organization has just said, look, that the thing that actually really has no tangible impact on you, debit cards, different story. But for the most part, credit cards, that's okay. But the thing that is now the key to all of your other digital online lives has been leaked. Good luck. Go for it. I think reframing the impact of data like that's important.
A
So what's your best advice around password hygiene then? Because you hear all sorts of conflicting things about make it incredibly long or use special characters or there's. There's refresh rates. There's a number of different pieces of advice. What do you typically Tell people around password hygiene.
B
Well, I think first of all, maybe to add some positivity to the whole thing, the bar is set very low in terms of where do I need to get to be more secure than 90% of other people out there? And that bar is having strong and unique passwords and preferably a second factor of authentication as well. Not foolproof, but it's a really good start. Now, the strong and unique bit. Unique is an easy one. Don't make it the same as any of the others. Now, part of the reason for this is that there are so many credential stuffing lists out there where a service has been compromised. Someone goes and gets all the email addresses and passwords and they add them to all the other ones from all the other services. And now suddenly they've got a list where at times we're talking about billions of credential pairs, you know, billions of instances of email address or password, and then they just go and try them on vulnerable services. Now that's exploiting password reuse. If you have an extra one on the number of your password, you're immune from that particular type of attack. There's still not a good password. But you get my point. The strength is the challenge. Because we all have so many different online accounts these days. You have a hundred plus. Either that or you're very, very young. If you've been online during COVID buying stuff, you will have 100 different accounts. Some or other you can't remember those. You simply cannot in your brain remember every one of those. So one of the things we've really got to get past is this idea that a password is something that you remember and you type in. Which leads us to password managers. And I've been a massive advocate of password managers for a very, very long time now because they're the only way you can get strength and uniqueness. And then the discussion changes from how do I make those 100 different accounts secure? To how do I make my password manager secure? And for a tool that's a dedicated security tool meant to do that one thing and do it very, very well, that's a much easier challenge than securing all the other things does that.
A
You know, I've heard that advice too. And you know, full disclosure, and I hope I'm not tipping off any would be hackers here. I don't typically use a password manager. And my concern is it feels like it's just the classic problem of. Now I have one point of vulnerability because, you know, everything is in the bank's singular Vault now. And if you can get the password to the password manager, suddenly you know, everything's exposed. Does that, does that hold any water to you or no?
B
Oh yeah, of course. And this is often the question, they're like, well, what happens if someone gets into my password manager? So it's easy, you're screwed, you know, because everything is in there. And keep in mind as well, a lot of password managers are not just password managers. I use 1Password, the service called 1Password. And I have my bank account details in there, I have all the frequent flyer details, my license, my passport, the family shares stuff backwards and forwards. So the impact of full compromise is really, really high. The question then is what is the likelihood of that happening and most importantly, how does that then compare to the likelihood of compromise if you don't have the password? For most people not having a password manager, they're going to reuse that same password everywhere. Very, very high likelihood of compromise. Not just because there's a breach somewhere and it gets reused somewhere else. But you might fall for a phishing attack. For example, you might enter it into a website that's got a keylogger on it. We've seen lots of mage cart style attacks where cards entered into a website are scraped because they've got an external dependency. It's got JavaScript listened to everything that's put on the page. So once you have a password manager and you lock it down with everything From in the 1Password example, there is a secret key that I have no idea what it is, it's printed, it's in a safe somewhere. There is multi factor authentication. You must be signed in on another device that can then give this device access and so on and so forth. And then so long as I don't lose the things that I need to get back into my password manager, I'm fine. So I think that likelihood is a really, really important part of the discussion.
A
Yeah, that makes sense to me. And if it's, you know, an order of magnitude more secure than the individual passwords, then yeah, that, that changes the equation. What's your perspective on non password access management? Like things like biometrics in some capacity or any kind of alternative access there?
B
Well, I think we gotta look at it as an augmentation of passwords. I mean I've got a modern iPhone, so I've got face ID and most of the time when I authenticate to my phone, I log on with my face and then people go, well that's great, so now you don't have a password so, no, you do, because some of the sunglasses I have don't work. They gotta keep the sun out. But then I can't. Literally now when I go and buy sunglasses in Australia, I go through the shop and I'm like, okay, do they look good? Can I unlock my phone while I'm wearing them? Yeah. Obviously, there are parts of the world where you might have a scarf on because it's cold. And also, what happens when you forcibly reboot your phone? What happens if the biometrics fail 10 times in a row or however many it is before the lockout? Well, then you need the pin. So you fall back to the pin. The biometrics has got the great advantage of being something that you can use to authenticate in front of people, and it can't be copied. No one is practically copying my face and logging into my iPhone. I can do that in front of people. I enter the pin, someone observes the pin, and now they can enter it. So I think the thing to think about is these two things augment each other, and they complement each other. And that, to me, is a major part of the whole infosec discussion. How do we find the right tool for the right circumstance and recognize that there is no one thing that just solves all the problems?
A
So let's continue down that thread for a minute. What does that exercise typically look like for an organization or a leader trying to go down that road?
B
I think the classic term would be some form of threat modeling. Going through and looking at, like, what are our risks? What are the likelihood? What's the impact when they happen? There are some very boring protocols that you can follow to figure this stuff out. But in simple terms, most of it comes down to what is the impact of someone gaining access to our things? What is the likelihood of it happening? What are our mitigating controls to reduce either the likelihood or the impact if it happens afterwards? So.
A
As I think about that, there's a couple of angles to this, because we were talking earlier about the impact of the board and getting money for all of this. When you think about the barriers to why more people aren't doing this now, Troy, is it a financial barrier primarily, or is it literally just an effort barrier? And there's something, you know, I use the expression for some of this stuff. It's just like, eat your vegetables, work. Like, it's just, oh, it's not very exciting. You gotta make time for it. Everybody's busy. You know, do you need millions of dollars to do a lot of these kind of protective activities? Or is it just literally work cybersecurity professionals acknowledging that it's important and carving out time?
B
I think it's sort of interesting, whether we're talking about individuals or corporates, to look at how much stuff there is that you're not doing that is totally free. You know, how long did it take a lot of people to even put a pin on their phone? It was a struggle. And I remember a lot of initiatives by the likes of Apple to try and push people down the route of just having a pin on their phone. Or now that discussion is how do we make sure there's actually a second factor on things like an icloud account so other people can't just get in? These are free. If you've already invested in the device, you already have that. For organizations, there's a lot of cool free security controls out there. There are things like content security policies for websites. These are built into browsers. They're great defenses for if someone manages to inject JavaScript, for example, into your website. For the sorts of attacks we discussed before, external dependency gets compromised, keylogger and so on. We have free tools for things like checking known bad passwords. I want to biggest cost for organizations is account takeovers. A lot of the time people are signing up with passwords from data breaches. We have a free service where you can go, hey, has this password been seen in a data breach before also? How many times has been seen? Well, this person is using one that's got lots of uppercases and lowercases and numbers and it's really long, but it's been seen 5,000 times before. Yeah, maybe we'll block that. And that's free. And then you start spending the money after that.
A
Yeah. So on that note, tell me a little bit about have I been pwned? And how that tool works, where it fits in the mix and how it came about.
B
Yeah, well, it's kind of wild that we're still here talking about it nearly 12 years on. So it started in December 2013, and I started it after finding myself in the Adobe data breach. The 150 million plus people there. My personal address was in there, my work email address was in there. And I thought, well, that's, that's interesting. That was there twice. It's also interesting because as far as I know, I didn't give Adobe my data, but I was a Macromedia Dreamweaver user, so I gave Macromedia my data and then Adobe acquired them and they. And that data flowed. And, and to this day, I Get a lot of questions from people who are like, why is my data in a. You know, you just sent me a notification, have I been paying? Why am I in this data breach for a site I've never signed up to? It's like, well, there's always a reason, right? Like, the truth is in the data. Your email address is in there. You know, let's go through the options. And one of those is acquisition annual information flowing to different places. So I thought that was interesting enough to build a service. And it was a hobby project. And many technical people listening to this have hobby projects that just scratch an itch and most of mine go nowhere and fail. And this one stuck and became very popular. And I think partly because it's simple, partly because it's freely accessible to everyone. And then when there were the likes of the Ashley Madison data breaches out there and there was a service where people could go and see their impact, it just got a lot of traction.
A
Yeah, it's super cool. How does it work? I mean, without giving me the exact lines of code, just kind of abstractly, how does it work?
B
Look, in very simple terms, a data breach comes in and a data breach is normally just a text file. There may be a few text files, could be CSV or a SQL file is usually a human readable text file. There are, however, many millions of lines of data records in there. We have an open source tool that just goes through and regexes out all the email addresses. So it'll be like, okay, there's a 5 gigabyte file, there are 2 million email addresses in there. Puts them in a file, and then we upload those email addresses into the service. So the only thing that we actually put in the online service is the email addresses. And if we have plain text passwords, we have a separate disassociated corpus that's just passwords that organizations can use to try and help people, not use bad ones. So the email addresses go up there. We've got about 5.6 million individual subscribers to the free service where if we find any of them in a data breach, we fire them off an email. We've got hundreds of thousands of organizations that monitor their domains. They get sent an email if they're in one of these new breaches. And then there's the front page of the website where you just put your email address in, goes to the database. The database is like, okay, in my case, for example, I'm in more than 30 data breaches and have I been paying? Here's what they all are. And it's like Dropbox and LinkedIn, not Ashley Madison and a few others like that. And that's all it does. It just comes back and it's like, here's where you've been exposed. It's really very simple, people. So it's.
A
Yeah, and what's interesting to me is you mentioned it's such a simple tool and we're still talking about it, you know, 12, 13 years later. What's the future of data breaches like? As you look at the tools available, as you look at people, is this going away? Is it getting better? Is it getting worse? You know, it's hard. It's hard for me to believe this is going to, you know, disappear. But are we still going to be talking about this and using tools like this another 12 or 13 years from now?
B
I can't see any reason why we won't. You know, if you look at the factors that lead to data breaches and contribute to the impact of them, we have more online systems than ever before. We've got more people who are online than ever before. We've got more ease of access to online services. You know, I think as much as I love cloud services and now the ability for AI to create apps as well, it does mean that a whole bunch of people who wouldn't have used these things before and perhaps shouldn't now have access to them. And many of the data breaches we see from people just simply not understanding how to use these cloud services, lack of authentication on databases is a massive one. It's crazy how frequently that happens. So I don't see any of that changing. And then we expect all of this interoperability between services and then lots of things that we might have built in house before and kept as part of, of our, our own code base and now delegate it out to external services. Now, to be fair, like, I love this idea because now I can. I do my payments on stripe. I don't have to build that. That's fantastic. But then very often these external services are misconfigured or the API key for it is leaked. And we see so many data breaches where the organization's like, we had a data breach at an external service, and then maybe it was because the external service got social engineered. And I guess your attack surface, for want of a better term, for each one of these multiplying applications is just so much larger than what it was before. So I can't see any reason why, if we do this in 12 or 13 years from now we're not saying, hey, you know, now there's 2,000 data breaches in. Have I been pwn?
A
Yeah, and that's. And that's exactly my concern is it feels like it's getting worse. As you said, the attack surface is getting bigger. We've been hearing a lot about the, you know, basically the vendor risk or the third party risk of, you know, when you're trying to conduct these threat assessment exercises, what's going on within your organization is suddenly a smaller piece of the puzzle. What do we, you know, what do we as security leaders do about that other than, you know, flag it? Do you give advice at all in terms of any of the partners we should be using? What we should be asking those partners, is there a way to protect ourselves there, or is it more just sort of accepting the risk?
B
Well, again, it's all sorts of degrees. And if we tie it back to the IRL examples, which for the most part I don't like, but sometimes it helps contextualize. You know, if you're securing the physical security of your house, how do you make it secure? Well, you know, even just saying that term, that sounds like an absolute. So, you know, how do I get to the point? Super secure. Well, you still got windows. Yep, I got a brick. All right, so do we put bars on the windows? Like, how far do we go? And inevitably the discussion becomes one, which is what is a reasonable commensurate level based on the risk and the likelihood and then the impact of someone gets in. And I think having that pragmatic discussion is very important, where it's very hard. And the bit I'm especially sympathetic to is, as mentioned before, like, the attack surface is now so big. So when you're looking at the security, particularly of your organization, you know, even one app is hard enough. But look at an organizational risk. How many different applications do we have? What are the external services that they use? What are our risks there? How do we even do things like keep our dependencies up to date? You know, we continually find vulnerabilities in external libraries. How are we managing those across the ecosystem of our applications? And that is an extraordinarily hard problem. And there are lots of infosec companies out there now making a lot of money just helping people understand even the inventory of services that they have. Yeah, Asset discovery is a big thing.
A
Yeah. And one that it feels like is getting more complex and more complex. Right. As you add services faster, then you're taking them away. Right.
B
Yeah. And to be fair, like, people are Doing it for good reasons, because they're finding more cost effective ways of doing this. They're finding better services that some company that just specializes in that thing has done rather than their internal development team. Like, there are loads and loads of good reasons and we would not have the web and all the richness that we have today if it wasn't for that.
A
Right. And you know, one of the, one of the paradigms I'm hearing more about in this space is this notion of zero trust, which is basically that, you know, operating these sort of corporate systems, assuming there's already been a breach, you know, a data breach, that we're locking down individual components as much as possible. Are you hearing much about this? Are you, are you sort of an advocate of this? Or do you have a different approach?
B
I think the principle is good. Nothing should trust anything else. Everything should, I guess, set its own security boundaries. I think that the principle is good. It's certainly a catchy word. I see that up there a lot, along with blockchain and AI. Remember a few years ago, everything. I was like, there's blockchain on everything. I think the actual implementation of it then becomes quite difficult as well, particularly when we are talking about ecosystems these days that have dependencies on so many external services and so many external libraries. So where is the boundary of that zero trust? You know, once you start pulling in external dependencies, where does that trust stop?
A
Yeah, it's a really good point. Yeah, I guess it's sort of. It falls apart as soon as you have to draw the circle around everything connected to your organization.
B
And you know, look, that's not to say give up, but it just means that I don't think it's something that you're going to achieve in some sort of absolute sense, and you're just going to have to prioritize where that makes sense to implement. Implement.
A
Right. And so speaking of vendors and different tech players in the space, I did want to ask you and understand a bit better, Troy. I know that you're in the Microsoft sphere and you've been named by them a Most Valuable professional. And it sounds like you're not working for Microsoft, but you're working with them in some capacity. What does that mean? And how did that kind of come about?
B
Yeah, so the Most Valuable Professional award I got in 2011, and I've had that each year since, that, that's, that's an award. The one that's really confusing is I'm also a Microsoft Regional Director, but I don't have a region and I don't direct anything. And that's, that's another recognition. Look, the MVP is aligned to a technology stack. There are Microsoft Excel MVPs and Xbox MVPs. I got it. For developer security. There are thousands of MVPs around the world, and the regional directors, there's a much smaller number. We're not aligned to an individual technology stack. We generally tend to have, I guess, a broader overview and probably better access to the sorts of organizations Microsoft would like to have good relationships with. So I work a lot on the Microsoft tech stack. All of the underlying origin services have ever been pwned is built on Microsoft technologies and on Azure. I spend a lot of time with folks at Microsoft, especially when I travel. We get along well, they give me some software and that's about it.
A
That's great. And what role, as you think of this whole ecosystem, I mean, what role does Microsoft play versus some of the other bigger players in the space, I guess.
B
Well, I think it depends on where you look at in terms of size. I mean, Microsoft has obviously got a massive footprint on the desktop, so that's huge. They're not the biggest cloud provider, but the services in Azure are huge as well. I think like every other player at the moment, they're trying to figure out where AI fits into absolutely everything, because that seems to be the strategy these days. But I think that they're just an enormously important and complementary with the likes of Google, Apple, aws, et cetera, part of the ecosystem. They're big. Everyone uses them in one way or another.
A
Yeah, yeah. So I want to come back to something now. You've said a couple of times, which is AI, and the few times that you've brought it up, you've basically implied or said directly that it's actually overblown in this space and it's not the primary thing that people should be talking about or considering when they think about cybersecurity risk. Am I misconstruing that or is that fair? And tell me a little bit about where that position is coming from.
B
I think it's fair. The look, I sort of have a foot in each camp at the moment where one is. I'm so sick of seeing these hyperbolic headlines and I'm so sick of seeing people go, you can just, you don't need skills anymore. You just code your own app and it will be fine. It annoys the hell out of me. But then, on the other hand, I am so much enjoying using AI for discrete tasks such as writing particular blocks of code. You know, like, I want to go through and say, hey, give me all the customers in Stripe who have outstanding invoices. I could figure that out before, but I can literally put that question in as fast as I just phrased it, and bam, there's my code. And it's amazing for that. I love it. I'm starting to use AI in a lot of my home automation to do things like look at photos from cameras and tell me things like, you haven't put the rubbish bin out and it's a Monday night. You know, you need to do that. That's a hard problem without someone that can interpret photos or announce who is at the door or what the person at the door looks like. And they're little applications. But I think what's fascinating is it seems like everything we do is having AI creep in one way or another. And our challenge is to figure out where are the places where it actually helps us do our jobs better, and where are the places where you're like, no, that's in the hyperbole, overblown column. And that's a challenging problem at the moment.
A
Yeah, I've found that as well. Right. There's almost like, you know, I've been calling it AI washing. Right. Just slapping AI on everything and, you know, hoping that somebody, you know, somewhere appreciates that or pays more for it. There's an angle we didn't talk about for AI that I'm curious on, your perspective of, which is implicitly in the conversation. There's, you know, sort of us as the, quote, good guys using AI. What about AI for bad actors? You know, you talked about AI code gen and it having, you know, some. Some, you know, good limited applications. Do you see it as lowering the bar or the barrier to entry for bad actors or cybercriminals getting into the game? And is that something we need to be worried about or protecting ourselves against?
B
Yeah. Yes to all those things. I think the way to think about it is, is very much like the encryption debate that we've had for many years. You know, both encryption and AI are morally neutral technologies. They have been democratized to the extent that everybody has access to them. So whether you're building a payment card system and you're protecting people's credit cards, or whether you're collaborating with your terrorist network, you get encryption and everybody gets it equally, and everybody can figure out how to apply it. And it is the same with AI. We will inevitably see more uses of it in offense. The ability even just to craft messages. I mean, how many times have you got a spam message and go, that really needs AI? You know, you should get your spelling and grammar spot on and it would be such a more convincing spam message. Equally, the ability for AI to infer things like deviations from the norm, you know, we have the ability to say, well hang on a second, my bank doesn't normally communicate that way. And that character which is, and this is probably not even an AI thing, but you know that that character which should be, it should be an L. Looks like it might be capital I or. But I think particularly that the higher level thinking these are normal behaviors, there's deviations from normal behaviors. Or this has the hallmarks of just ways that go beyond what we could do as simple if then else style statements of trying to identify the nasties before.
A
Right. So you know, it can help with the, you know, the attacking and the defending and you know, probably not 100% on either, but it just gives us more tools in our toolkits for just, you know, sending a few more or catching a few more.
B
Yeah, exactly. And to be honest, the thing that I think is very exciting about it is it's changing so quickly that if we have this discussion in another few months, I'm sure we'll go, hey, look, there's now that other new thing which might be a good thing and it might be a bad thing, but that's going to be different from today. And look, I find that exciting. I know for a lot of people, they're very worried about it and look, well then what's the impact on my job and everything else? But I think if you look at it from the perspective of this is allowing us to do so much new stuff we couldn't do before and it is creating so many other jobs or so many other ways of working efficiently. I think that's really exciting.
A
Yeah, no, I think you're absolutely right. It's crazy how fast it's changing. And yeah, I mean that's one of the things that makes it so tricky is trying to keep up with this, this incredibly fast moving technology. Troy, speaking of these technologies and speaking of just your posture about data breaches and the organizations you talk to, it really feels from this conversation like there's no end to data breaches either for organizations, there's no end to data breaches for individuals. You mentioned you're a damn professional in this space and you said you've been caught up in 30 plus of these things and had, you know, credentials compromised. What is, where should we get to like, is it just about being a little bit better? Like, what's, what's your posture and what's your message for people who maybe have that sense of apathy or resignation, like, where do we want to get them to? What's kind of the goal of all of this?
B
I think it's like a question of equilibrium. So where is the right balance? You know, if we take it back to another IRL example and you were to say to people, what's an acceptable road toll? And they'll go, well, none. I don't want anyone to die. It's all right, you can't drive anymore. I'd like to drive. It's a long way to walk. All right, well, now you're going to be driving around in a 2 ton machine at 100 kilometers an hour. You're going to take on a risk that you wouldn't have had otherwise. But we accept that that risk is part of our life and the ability to live the way that we do. And I think maybe, maybe the resignation that we all need to have is that it is very likely that we will be caught up in a data breach. With that in mind, what are the things we can do to stay safe? Again, I think even that's a bad term. Let me rephrase that. What are the things that we can do to minimize the impact when it happens? Strong and unique passwords, multi factor authentication, all the stuff that we've spoken about before.
A
Yeah, I like that approach. And for me there's even like a sense of relief in framing it that way. Right. Because I think if you position it as like, as you said, like, stay safe or like, I don't know, the analogy that came to mind. And, you know, we're, you know, a little bit off base in all this conversation. Anyway, we've already talked about sending people shit, but it's like, it almost feels like it's like abstinence, like abstinence education, you know, and it's like, okay, well, you know, if you just tell people abstinence is the answer, you know, they say, oh, yeah. And maybe people get mad at me for saying this, but, you know, a lot of people say, you know, yeah, right, you know, that's not the answer. And they ignore you. But being able to say, okay, how do we, you know, how do we approach this more safely? Does that apply to cybersecurity?
B
Yeah, it's, it's not about not doing the activity at all because there are real world impacts on whether it be abstaining or not. Driving a car and not signing up to online services. The question, I guess if you relate it to things like sex education as well, is the education component. It's like, look, these are the risks. These are things you have to be aware of. These are the things you can do to reduce the likelihood of that risk from happening. And that is just a reasonable discussion that I think just needs to be part of education in general. Whether it's like part of the, you know, what kids learn at school or what part of all of us as adults need to take on board.
A
Yeah, no, I, it makes complete sense. I love the road example too. I love the posture of just how we can educate ourselves, how we can make smarter decisions, and how we can approach this more thoughtfully. Troy, I did want to ask you though, you've been a consultant and an expert in the space for a long time. You've worked with a lot of organizations, helping them. As you think about cybersecurity, you mentioned the sending people shit story. But when you think about your own career, do you have sort of like a craziest story when it either with you or with, you know, a client organization that you can share when it comes to a data breach or anything security related that you, you know, kind of found yourself in the middle of.
B
Trying to figure out the ones I can talk about and I'll get sued. It's actually kind of crazy that I haven't been sued. I've honestly not had any legal problems of any great extent. But I, I think the things where it has the ability to get the craziest. I'll talk generally about one which I can't name. But yeah, it turns out a lot of organizations don't like being told that they've had a data breach. And it's just wild how hard it is for me to disclose incidents to many organizations. But I had one which was a very online service in a part of the world which is not where you or I are from, put it that way, probably different set of priorities and values. And someone sent me what turned out to be tens of millions of records of their customers and I managed to disclose it to the organization. Very often I talked to an organization, I do actually talk and try and have a video conference or something because then they can see that I'm not wearing a hoodie. I'm not a kid in a, you know, their parents basement. And I had a video conference with this company and the CISO is on there and he's like, I really like, have I been found? I use it all the time. Okay, well, you're probably not going to like what happens next. So, yeah, we had this discussion about all their data and, and the way I normally frame it is I'm like, look, you've had a breach. Can you share the disclosure notice that of course you will be sending to your customers? Because then I can include that in my messaging when I communicate later on now, knowing in the back of my mind that very often they're just not going to disclose it. They're going to try and cover it up. And it soon became evident as the discussion went offline that they were not going to disclose it. And I had some, some information via a backchannel that they're not going to disclose it. They, they're really trying to cover it up. They attributed it to an insider who they felt that they'd managed to put a lid on the whole thing, even though it was clearly now data rich, because it's been sent to me. And part of the reason they're not going to disclose it is they're publicly listed and they have an earnings call coming up. You know, like that that's now multiple levels of different things, of various legality, that is. But it's a part of the world I travel through a lot and I don't want to have a problem getting caught and ending up in a jail in that part of the world. So it unfortunately just ended up being one of these ones where I had to look at it and go processing. This may impact the ability for me to run this service. And it pains me to just file it away, but that's where we ended up.
A
Yeah. And so it's really interesting and there's multiple layers of sadness to that story. I mean, first off, just kind of abstractly, we, I think, like to believe that, you know, when there's a data breach, most organizations will disclose it. Or maybe the cynics listening are like, yeah, right, nobody's going to disclose it. I assume there's many more breaches. Do you have a flavor of like, what that ratio is? Is it 50, 50, does it veer pretty heavily toward one side and is it changing?
B
Yeah, look, you know, I reckon it is a coin flip. I think it's pretty 50, 50. When I, when I try reaching out to an organization, I reckon It's a 50, 50 chance of me getting any response at all. And even that's wild, right? Like, I mean, ask yourself this question. If, if someone sent you data and it's probably a service you've never heard of before, it's in another part of the world. And then you go to their website and you're like, all right, cool. Where do I get in touch with people? Now? They almost certainly don't have a security txt file or a vulnerability disclosure policy or a bug bounty. So you kind of try and find the contact form and you fill that out and then you go through, you go through all the social media accounts and Whichever ones allowed DM'd, you contact those as well. And you give it a few days, you're like, all right, haven't heard from them. Then I go to LinkedIn and I start trying to find people there at the company. I'm sending them messages as well. Give that a few days. And then I'm on X sending tweets. Does anyone have a security contact at this company? And by then people know exactly what's happened to the company. And then eventually we go through that process and I load the data and then, as often happens, then the organization reaches out. They're like, hey, we've just had like a thousand angry customers contact us. What's going on? Thing I've. Here is my entire paper trail, which is actually really useful when that does happen. And I normally say in the breach description, you know, there were repeated attempts to contact the organization, but they didn't reply. And then I think there's a little bit of egg on face after that. Right.
A
And for the organizations that don't disclose, right, they choose to say, you know, oh, there's an earnings call coming up, or, you know, it's bad for business in some way. You know, again, I. You seem like a good guy, Troy. And based on the conversation we're having, I mean, there's a very obvious, like, it's the right thing to do answer. Is there more to it than that? Like, do you believe it is the right business decision to be disclosing these things, like the ones that don't disclose, does it usually come back to bite them and in some way worse than the original? Like, what's your message to try and encourage people to do this for more reasons than just the goodness of their heart?
B
Well, first, there's two lenses to look at this through. So one is what is the legal obligation that the organization is under? And that will depend on where they are in the world and the type of data. Very often, including in places like the us, Australia, the eu, there's a legal obligation to report to a regulator, but not necessarily to the individuals. So a lot of data breaches get reported to some sort of Privacy officer, whoever the local regulator is, but never actually get sent to the individuals who've had their data exposed, which is kind of wild. And then there's the ethical view which is then is of course, of course is rather subjective and my rather subjective view is that if you lose someone's data you should let them know. So that's my view of it and I think that that's the way most individuals then react as well. There is an expectation on their behalf to be told if an organization exposes their data that the thing that really muddies it is organizations are very worried about things like class actions. So many data breaches, even ones that frankly are pretty benign in terms of the impact to individuals, then result in class actions. So organizations are worried about that happening in the first place and then they're worried about what they say, lest that be used in the class action. They're also worried about regulatory penalties as well. So one of the challenges we've had in Australia is how do we even get organisations to disclose things like ransomware and now I forget the legal term that's used, but now we have a construct where they do need to disclose that, but that can't then be used in any proceedings against the them because we just need to try and at least quantify the problem. So it's a very messy thing. And unfortunately what I think ends up happening is the individual victims of the breach tend to end up being put last. And organizations are absolutely prioritizing shareholders, which is kind of what they're there for as well, that is who they're accountable to. It just doesn't come across in the disclosure messages talking about how seriously they take security.
A
Well, and I have to believe that you can very often find yourself in that situation where the COVID up becomes worse than the crime. Right. And if you eventually have to disclose it and as part of the disclosure you say, oh well actually this happened two years ago and yada, yada, yada, like that then becomes a much bigger news story.
B
And you know, that's one of the pieces of advice I often give an organization. If you disclose and you do it properly, you get to define the narrative, you get to explain what's happened, you get to get on the front foot, foot. If you don't, and particularly if I have the data and then I notify my subscribers, they will find out about it, they will draw their own conclusions. If you create a vacuum, it will be filled by them and it will be filled by the press. And that's not what you want.
A
I love that advice. I thought that was extremely well said, Troy. I'm going to choose that as good a note as I need to go out on. I wanted to say a big thank you for joining us today. Really, really insightful and I appreciate your time and your insight.
B
Awesome. Thanks, mate.
Episode Title:
Cybersecurity Expert: Breaches, Ransomware, and the One Trick to Stay Safe from Hackers
Guest: Troy Hunt (Have I Been Pwned?)
Date: October 13, 2025
Host: Info-Tech Research Group
In this episode, Geoff Nielson interviews renowned cybersecurity expert Troy Hunt to explore the evolving online threat landscape as organizations and individuals reckon with escalating data breaches, ransomware attacks, and the complexities of digital trust. Troy demystifies why social engineering still trumps AI-driven hacks, provides practical advice on password hygiene, discusses organizational risk, the paradox of breach disclosure, and frames cybersecurity as an equilibrium, not an absolute. The conversation balances urgent realities, pragmatic optimism, and some unexpectedly hilarious breach anecdotes.
Social Engineering Persists:
Despite new technologies, most successful attacks are still basic social engineering, often executed by young adults, not sophisticated nation-states.
AI Disruption Overstated (For Now):
While AI dominates headlines, it hasn't yet revolutionized attack vectors as much as expected.
Repeatable Human Flaws:
Attackers exploit process and human weaknesses, not just technical ones.
Collective, Not Always Organised:
Groups like Scattered Spider echo anonymous movements of the past—collectives with loose ringleaders.
Attacks Focus:
Motivations are split between:
Everyone Is a Target:
Both organizations and individuals are exposed, with financial fraud against individuals totaling billions ($3 billion/year in Australia alone – [04:04]).
Shift from Encryption to Disclosure:
Ransomware less about "pay to unlock"; more about threatening to leak data (no guarantee criminals delete what they stole).
Underreporting and Legislation:
Disclosure laws are growing, but many breaches and payments go unreported.
Reduce Likelihood and Impact:
Getting Board Buy-in:
Real incidents (Ashley Madison, major telcos) are the fastest way to get board attention and funding.
Breach Fatigue:
Growing number of breaches leads to public desensitization and "it won’t happen to me" attitudes.
Making Risk Real:
Storytelling (including weird/funny breach incidents) helps clarify the personal consequences of breaches.
"There is an online service called Shit Express, and...you can order a box of feces online to be delivered to a recipient. Now, you want to do that anonymously for obvious reasons...But then they have a data breach...and the IP address of the sender is on every single record...Someone has gone and sent boxes of feces to High Court judges with the expectation of anonymity." (Troy Hunt, [16:35])
The "One Trick":
Use strong, unique passwords for every account, ideally stored in a password manager + always enable multi-factor authentication.
On Password Managers:
Centralized risk, yes, but still much safer than widespread password reuse. Use multi-factor and secure recovery keys.
Biometrics and Passkeys:
Not a replacement, but a good augmentation. Devices always fall back to PIN or password for recovery ([25:22]).
Origin Story:
Created after the Adobe data breach; became widely used for its simplicity and universality.
How It Works:
Collects, parses, and indexes email addresses from breach data; notifies users and helps orgs check domain impacts free.
Attack Surfaces Expanding:
More systems, users, and interoperability mean more opportunity for breaches. Misconfigured services, cloud mistakes, leaky APIs are new frontiers.
Third-Party Risks:
"Securing your house" analogy: you choose reasonable mitigations based on risk, but complete security is impossible ([35:17]).
Risk Management Model:
Total safety is not achievable; aim for rational risk reduction, using strong and unique passwords, multi-factor authentication, and reducing retained data.
Education, Not Abstinence:
Like road safety or sex education, it’s about realistic, practical preparation and response, not impossibly strict "abstinence" from online life.
Disclosure is Often Resisted:
Even well-known companies may not want to disclose, especially if there's financial (earnings call) or legal pressure.
Legal vs. Ethical Reporting:
Legal requirements to notify individuals lag behind regulatory (or shareholder) notification in many countries.
Best Advice:
If you disclose early, "you get to define the narrative." Cover-ups are likely to backfire and create bigger scandals.
On Social Engineering and Simplicity:
"The bad guys have just got to get it right. Once, you know, they find that one flaw, and particularly once they can develop a technique that they can just apply over and over and over again, they run rampage." (Troy, [01:56])
On Password Managers:
"If someone gets into my password manager? It's easy, you're screwed...But...the likelihood of compromise [without one] is much higher." (Troy, [23:26])
On Breach Disclosure:
"If you disclose and you do it properly, you get to define the narrative, you get to explain what's happened, you get to get on the front foot, foot. If you don't...that vacuum...will be filled by the press. And that's not what you want." (Troy, [57:00])
On AI Hype:
"I'm so sick of seeing these hyperbolic headlines...You don't need skills anymore. You just code your own app and it will be fine. It annoys the hell out of me." (Troy, [41:17])
On Practical Cybersecurity:
"The bar is set very low...having strong and unique passwords and preferably a second factor of authentication as well. Not foolproof, but it's a really good start." (Troy, [21:03])
For further information or to check if your data has been exposed, visit haveibeenpwned.com.