Troy Hunt
Security researcher

Australian web security expert

Life: 1976 – present
Born: 1976
Nationality: Australia

Troy Adam Hunt is an Australian web security consultant known for public education and outreach on security topics. He created and operates Have I Been Pwned?, a data breach search website that allows users to see if their personal information has been compromised. He has also authored several popular security-related courses on Pluralsight, and regularly presents keynotes and workshops on security topics. He created ASafaWeb, a tool that formerly performed automated security

Career

Troy Adam Hunt is an Australian web security consultant whose work spans public education, security research, and the development of tools designed to help individuals and organizations understand their exposure to data breaches. He is widely recognized as the creator and operator of Have I Been Pwned? (HIBP), a data breach search website that allows users to check whether their personal information has been compromised in known breaches.

Prior to HIBP, Hunt created ASafaWeb, a tool that performed automated security analysis on ASP.NET websites. He has also authored several dozen security-related courses on Pluralsight, an online education and training platform, and serves as one of the primary course authors for Pluralsight's Ethical Hacking path, a curriculum aligned with the Certified Ethical Hacker certification.

Have I Been Pwned?

Have I Been Pwned? has become one of the most widely referenced resources in the data breach landscape. As of January 6, 2023, Hunt had been involved in the publication of 644 data breaches through the platform. As of June 2018, HIBP had recorded more than 5 billion compromised user accounts. The governments of Australia, the United Kingdom, and Spain use the service to monitor their official domains, and commercial services including 1Password, Eve Online, Okta, and Kogan have integrated HIBP into their account-verification processes. In October 2018, Gizmodo included HIBP in its list of "100 Websites That Shaped the Internet as We Know It."

Notable Work and Public Disclosures

Hunt has been involved in several high-profile data breach disclosures and public commentaries. Following the Ashley Madison data breach in August 2015, he publicly criticized the company for its handling of user notifications. In February 2016, after children's toy manufacturer VTech updated its terms of service in the wake of a major breach, Hunt published a blog post criticizing the policy as "grossly negligent" and subsequently removed VTech's breach data from HIBP to limit its spread.

In February 2017, Hunt published details of vulnerabilities in CloudPets, an Internet-connected children's toy, which had exposed 820,000 user records and 2.2 million audio files. In November 2017, he testified before the United States House Committee on Energy and Commerce regarding the impact of data breaches. That same month, he joined Report URI, a project launched by Scott Helme in 2015 that provides real-time monitoring of CSP and HPKP violations.

In March 2025, Hunt himself became the subject of a security incident when a phishing campaign compromised his Mailchimp credentials, resulting in the theft of over 16,000 email addresses along with associated geolocation and IP address data. Hunt disclosed the incident publicly on his website, attributing his lapse to fatigue, and subsequently added the stolen email addresses to HIBP.

Education

Security education is a central component of Hunt's professional work. In addition to his Pluralsight courses, he speaks at technology conferences and conducts workshops. His primary workshop, Hack Yourself First, is designed to help software developers with limited security backgrounds understand how to defend their applications by approaching them from an attacker's perspective.

Recognition

Hunt has held the Microsoft MVP designation for Developer Security continuously since 2011 and has been a Microsoft Regional Director since 2016. In 2018, he received AusCERT's Individual Excellence in Information Security award and the Grand Prix Prize for Best Overall Security Blog at the European Security Blogger Awards.
