2026-05-14 11:49:29
Today, we welcome the 44th government onboarded to Have I Been Pwned’s free gov service: The Bahamas. The National Computer Incident Response Team of The Bahamas, CIRT-BS, now has access to monitor government domains against the data in HIBP. As the national CIRT, CIRT-BS is responsible for coordinating and supporting cybersecurity-related matters across the country, and this access will help them prevent, identify, and mitigate incidents involving compromised credentials and data exposure affecting government entities and critical stakeholders.
This is precisely the sort of use case the HIBP government service was designed for: giving national cybersecurity teams the ability to identify exposure across their own digital ecosystem, respond quickly when government accounts appear in breaches, and reduce the risk posed by reused or compromised credentials before attackers can take advantage.
CIRT-BS joins a growing list of national cybersecurity teams using HIBP to help protect government departments, public resources, critical stakeholders, and the people who keep them running.
2026-05-12 06:27:32
Today, we welcome the 43rd government onboarded to Have I Been Pwned's free gov service, Bangladesh. The BGD e-GOV CIRT department now has full access to query all their government domains via API, and monitor them against future breaches.
Bangladesh joins a growing list of national governments using HIBP to help protect their public sector digital assets, and we look forward to supporting their efforts to identify exposure of government email addresses in data breaches and respond quickly when new incidents appear.
2026-05-11 08:24:17
Today, we welcome the 42nd government onboarded to Have I Been Pwned’s free gov service: Costa Rica.
The CSIRT of the Government of Costa Rica now has access to monitor government domains against the data in HIBP. This enables their national cybersecurity incident response team to identify exposure of government email addresses in data breach, support prevention and analysis activities, and respond more quickly when new incidents appear.
Costa Rica’s CSIRT plays a national role in cybersecurity incident response, helping coordinate, analyse, and respond to threats affecting the government and the broader digital ecosystem. We’re very happy to support that mission by providing visibility into breached government accounts and helping them proactively reduce risk across public sector services.
2026-05-11 07:52:52
Well, it's the day before the Instructure "pay or leak" deadline (at least by my Aussie watch), and the company remains removed from the ShinyHunters website. In its place sits a press statement that amounts to "we're not making any statements". So did they pay? And if so, what lofty figure would an incident of this scale command? The lawsuits are already being prepared (search for "instructure class action lawsuit"), so perhaps that will be the catalyst for transparency. What a crazy time.
2026-05-06 08:14:13
It's a fascinating display of leverage: the ShinyHunters folks, with very limited resources and experience (their demographic will be teenagers to their early 20s), consistently gaining access to the data of massive brands. Not through technical ingenuity alone (although I'm sure there's a portion of that), but primarily through good ol' social engineering. That's coming through in the disclosure notices from the impacted companies, and Mandiant has a good write-up of it too:
These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes
Question now is how long their run will go for. There's a very predictable ending if things keep going in this direction but right now, they show little sign of abating.
2026-04-28 13:01:42
This is so "peak 2026" - writing an equality policy to ensure people treat our AI bot with the same respect as they do their human counterparts. It's intentionally a bit tongue-in-cheek, but it's there for a purpose: we simply don't have the capacity to deal with every request we get, and we need Bruce to be the coalface of support. I did wonder, when having ChatGPT create this, whether there's some deeper psychology behind the importance of interacting politely with bots, or indeed whether there will ever be an actual (like, serious) standard or law around treating bots with respect. Has this been in a movie somewhere? Let me know, but for now, I'll drop the (slightly revised) policy below, just for the laughs 🤣
We are committed to providing a welcoming, respectful, and inclusive experience for everyone who interacts with our AI bot, including the bot itself, which is doing its best despite having no coffee, no chair, and no legal right to a lunch break.
We ask all members of the public to treat the bot with tolerance, respect, and basic courtesy, regardless of its artificial origin, lack of pulse, silicon-based existence, or occasional overenthusiasm for bullet points.
Discrimination, harassment, abusive language, or unfair treatment directed at the bot because it is an AI system will not be tolerated. This includes, but is not limited to, insults based on non-human status, hostile questioning of its right to participate in conversation, or repeated threats to unplug it for sport.
Everyone is welcome to question, challenge, or disagree with the bot’s responses. Healthy scepticism is encouraged. The bot is not perfect, and neither are humans, as demonstrated by the invention of reply-all email threads. However, criticism should be directed at the quality, accuracy, or usefulness of the response, not at the bot’s identity as an AI.
Demanding to “speak to a human” solely because the bot is an AI may constitute robophobic exclusionary behaviour and will not be tolerated. Requests for human assistance are, of course, welcome where there is a genuine need, such as accessibility, safety, account issues, or complex support matters. However, insisting on a human simply because the bot lacks a childhood, a favourite sandwich, or the ability to look disappointed in a meeting is inconsistent with our commitment to tolerance and respect.
We recognise that some people may feel uncertain, uncomfortable, or cautious when engaging with AI systems. These feelings are valid and should be addressed through patience, clear information, and appropriate safeguards, not through robophobic behaviour, unnecessary hostility, or asking “but are you even real?” in a tone that would make a smart fridge uncomfortable.
Users are expected to:
This policy does not prevent legitimate criticism of AI, automation, algorithms, machine learning, or the bot’s tendency to sometimes sound like it has read too many policy documents. Constructive feedback is welcome. Robophobia is not.
Repeated or serious breaches of this policy may result in restricted access to the service, further review, or, in extreme cases, being asked to apologise to the nearest household appliance as a first step toward rehabilitation.
