Project Svalbard, Have I Been Pwned and its ongoing independence

532 points by MattConfluence about 5 years ago

19 comments

mike_d about 5 years ago
I appreciate what HIBP does, but I believe it serves Troy's personal brand more than it would any corporate owner. The biggest issue is the data is super stale. Things regularly pop up in SpyCloud 6-12 months before HIBP, and as a result they are a much more attractive acquisition target.

There is also an unreasonable dependency on CloudFlare kool-aid for HIBP and his other services. I reached out to Troy about sponsoring Report-URI because it was a service I believed benefitted the internet. In response I received a snarky response about how I didn't understand how web-scale CloudFlare was, when I was effectively offering to cover all the company's infrastructure costs for the foreseeable future (multiple dozens of servers and XX Gbps of bandwidth).

airstrike about 5 years ago
Sorry, but the more I read this, the more I feel like KPMG is the main reason for the failed process...

> And so in September, we granted exclusivity to a bidder. (...) And so began the extensive due diligence. KPMG had warned me about this phase right at the beginning of the process and from memory, the word they used was something akin to "onerous".

You're supposed to have your ducks in a row *before* you launch the process, not after. As you're drafting your IM, you should also be preparing a virtual data room with as much data as you reasonably expect to be asked, and board minutes are the absolute minimum that any advisor should know...

> Among literally thousands of other requests (seriously - the total number was four figures)

And you don't have to respond to all of them! You can answer any request with "The company believes this can be answered as a matter of confirmatory diligence"

From literally dummies.com[0]

"Sellers can't be afraid to remind Buyers that due diligence is confirmatory in nature, meaning Buyer should spend the time confirming Seller's information and not planning, creating, and combining the two entities. The Buyer should take care of post-closing activities after closing! Otherwise, due diligence will drag on longer than necessary."

[0] https://www.dummies.com/business/corporate-finance/mergers-and-acquisitions/how-to-time-the-due-diligence-phase-in-an-ma-deal/

snowwrestler about 5 years ago
I don't think he actually wanted to sell HIBP. He was way more focused on providing detailed constraints for the future of how it should be run, than in listing its assets and how those might benefit the future owner.

I think what Troy actually wanted was resources and support and management for his vision of the future HIBP. That's not usually what a sale is, and it sounds like he paid a lot to learn that lesson.

It seems to me like Troy treats HIBP as a mission, not a business, and in the US at least, a nonprofit would be an option to organize financial resources around a mission. As a private company, he could seek investment from like-minded folks with deep pockets, but that would likely come with external pressure to show a profit.

irjustin about 5 years ago
Thanks to Troy for HIBP and the story here.

It may be because he cannot speak towards the specifics of the deal, but I truly hope there was a breakup clause.

For those unaware, M&A deals eventually go exclusive which, as this post points out, is very very time consuming, which means expensive. For those who are involved in the deal itself, very little work gets done that runs the business.

So to protect against the downside for the company getting purchased, there is a breakup clause to give them cash if the purchasing company does not follow through.

Only companies in great negotiating positions can command these things, but it sounds like Troy was in a great position when looking at the initial 43 buyers.

LennyWhiteJr about 5 years ago
Damn, that sounds like an incredibly exhausting experience, and all he got out of it was... a hugely expensive bill.

All I can say is props to him for keeping his principles. I really hope he'll be able to grow HIBP into a sustainable gig for himself and a small core team.

dustinmoris about 5 years ago
This whole thing seems extremely naive and almost like a different Troy Hunt...

Why KPMG? Their competence is below average for an above average price hiding behind a big corporate name. Why answer thousands of questions? The majority could have just been a copy-paste one-liner. You're selling a side gig, not a massive company. Also, why sell it in the first place and then not want to give up control, by limiting what the buyer can/wants to do with HIBP? If he didn't want to give away control then don't sell; find investment, find sponsors, find a business model which pays the bills and allows you to hire staff so you can scale it yourself. Decide what you want first :)

EDIT:

I *think* the increasing exposure and interest in HIBP has made Troy fantasize about a potentially nice cheque which a buyer could write him which could put him into early retirement, but then he realised two things along the process which made him change his mind on selling:

- HIBP is not really worth the amount that could retire a family (interest <> value, website hits <> value, etc.)

- The fan messages gave him a bad conscience

In the end the whole thing was not worth it.

airstrike about 5 years ago
> Apparently, the way these M&A processes run is that as you really get down to the wire with the final bidders, eventually someone will ask for exclusivity. This grants them a window of time in which they can do extensive due diligence to the exclusion of all other bidders.

This is not always the case, and it's certainly not a requirement to get a deal across the finish line. More frequently, you'll select from the list of buyers who provided credible non-binding offers – presumably those with good strategic fit / rationale for the acquisition and that can provide certainty that they have the funds available to do the deal (e.g. they have the pile of cash and their board has already approved the acquisition).

Then you give that select list of final bidders more access to management, including below C-suite (i.e. the opportunity to ask technical questions to engineers and middle managers to really understand what makes the business what it is) and set a deadline for final, binding offers, of which you will choose that which creates the highest value to shareholders.

Exclusivity means betting all your money on one horse, and it can make sense in some instances, but preferably conditional on someone making a huge offer that you believe is bona fide and hopefully before you launch the broad process (140+ buyers, in this case), i.e. they are trying to preempt the process and are willing to pay up, and in return for sparing you the publicity / distraction / exhaustion from running the sale process, you grant them exclusivity.

hahla about 5 years ago
I'm surprised the author contacted KPMG to run M&A for a small independently run website..? Not sure what I'm missing here.

lmeyerov about 5 years ago
Thank you for sharing... 43 sounds super painful, and super tricky to safely share!

For others here: part of "companies are bought, not sold" is not just price difference, but whether the deal happens at all. Your startup needs to be solving something critical for an executive, e.g., cuts red tape on internal politics, and enough so that they'll push the deal through because they need it. Good signal is inbound, but not only, and part of your job is to help figure that out or get that inbound.

The reverse is still possible, but now you both underprice and need to find a firm that is efficient here. As part of my surprise in seeing gitlab internal docs in the open... they explicitly look for good but struggling product teams to scoop up for basically annual bonus levels, and it sounds like they can do that quickly... If that's what you want.

Ayesh about 5 years ago
I think Troy is struggling to find his own place in this venture. I appreciate his take on selling it to a good buyer, because a massive password list would otherwise attract shady buyers.

You cannot sell something and keep it at the same time. That's not what selling is. It's good to see governments taking interest in this; I'm happy about paid plans. To keep HIBP under his original vision and for him to enjoy his lifestyle, renting would be the ideal solution. Not selling.

tptacek about 5 years ago
My confidence level on this is very low, because what do I know, but my emotional commitment to this take, having been a small business operator (in Hunt's field) for a couple decades now, is very high:

This makes me very sad. Not that the deal fell through, because of course it did, but because of the process he undertook. Every part of it makes me sad. Any correction or rebuttal I get to this will make me happier, so I hope I'm wrong about a lot of it.

First, the adage that companies are bought, not sold, has in my experience and the experience of my friends been pretty much true.†

Next, the most valuable thing about HIBP isn't the underlying work Hunt did --- lots of companies have done equivalent work --- but HIBP's notoriety and popularity.

Which to me means that every credible acquirer of HIBP already knew he was for sale --- because *everybody* is for sale --- and already fully capable of reaching out to Hunt and offering him some kind of deal. The list of bizarre stories I've heard about random projects that have received corpdev offers like this is long.

Which to me suggests that putting a lot of work into a deck that explains HIBP and what makes it valuable was not a good use of time. If you're explaining, you're losing.

Then there's reaching out to your tax advisor to coordinate the sale. I have only heard bad stories about retaining financial firms to shop companies. In this case there's the added fact of the enormous incentive mismatch: Hunt is engaging a financial firm to act as his agent with a bunch of their own clients and client prospects, practically every one of which seems like it'd be worth more to KPMG than the HIBP "sale" or any ongoing relationship with Hunt himself.

Then there's what KPMG actually did, which was to arrange FORTY(!) pitches. To each of which he disclosed traffic stats and revenue numbers!

Bringing us back to HIBP's value being its notoriety, in that: anyone you have to explain HIBP to is probably not a qualified prospect. Also, just the idea that there would be 40+ qualified prospects to begin with.

My feeling is that a pretty big chunk of YC companies get a whole stream of invitations to corpdev meetings equivalent to the ones Hunt went through here. And that a big part of YC's founder education is convincing founders *never to go to these meetings*, because they're so unlikely to have good outcomes, and because the counterparties in those meetings are basically trained and selected to efficiently screw founders over. Here, it seems like Hunt paid for the privilege of experiencing this.

Then there's the deck itself; the one detailed slide of which we get to see is an exquisitely detailed rationale for why Hunt's presence is vital for the continued success of HIBP. "This is what the organisations bidding on HIBP were buying: trust in me." That's a description of a job interview, not a company sale. Elsewhere on this thread there's a comment saying HIBP should be worth 8-9 figures. Can we think of a company with this slide in their deck and that valuation?

In the end, he gets to term sheets with one potential company, and goes through what appears to be a full-fledged warrants-and-reps due diligence process, the completion of which is rewarded with a polite "no thank you" from the company.

This seems like the longest, most expensive job search anyone here has ever read about. I *assume* he paid KPMG for their work on this, and what KPMG did here looks to me like malpractice.

We give YC a lot of shit and they sure deserve a lot of that shit, but it's not unusual for me to look at a security founder story and think "this person really, really would have benefited from going through YC".

I like what Troy Hunt is doing a lot and he seems great. I hope things go better for him building this project up without trying to shop it for new owners.

† *The exceptions to "bought not sold" that we read about most frequently here are companies put up on company-flipping brokerage sites and sold solely for their revenue streams.*

brownbat about 5 years ago
It's interesting what HIBP reveals about both attackers and defenders.

HIBP held a long randomly generated password I used exclusively on tvtropes. It was in plaintext in a pw dump, suggesting they weren't even hashing at the time.

I contacted tvtropes a few times but got ignored with no announcement.

It's not a banking site, not sure what we should expect. But being given compelling evidence of a breach and making no announcement to users seems irresponsible.

Thorentis about 5 years ago
Sorry, but how is Have I Been Pwned anything but a text search of data that is already publicly available?

Normally a company is valuable because of some kind of value add. Either they generate data nobody else can, or they do something with that data nobody else can. HIBP does neither of those things. It literally searches one column of a database, and tells you if there was a match. You could run HIBP using a total of 1 SQL query, with a fancy template in front. It's essentially just a hobby project of a software dev. who wants something to do on the side. It is infinitely more valuable to Troy as a resume booster than to any company.

badrabbit about 5 years ago
He should really have built password validating/auditing software for commercial use.

I used HIBP in a corporate setting; like most others I looked to see if there was a way to check AD and Linux for bad passwords. A few people had some open-sourcey things that only work retroactively with manual execution. We evaluated the need and decided on pursuing an unrelated commercial product that does all the password auditing using known bad passwords among a long list of other things. Since the start I wondered why HIBP did not do this. Having existing enterprise customers would have given him a lot more leverage.

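As an added example (not code from this thread, from HIBP, or from any product it mentions): a defender-side audit of candidate passwords against a Pwned Passwords-style range lookup, where only the first five hex characters of each SHA-1 leave the host and the match happens locally. The range body, every count, and every suffix except the tail of the real SHA-1 of "password" are constructed for this example; the endpoint URL is the real one but is never contacted.

```python
import hashlib
from typing import Callable, Dict, Iterable

# Real endpoint; the 5-hex-char prefix is appended. Not called in this example.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple:
    """SHA-1 the password and split it: the 5-char prefix is all that
    would leave the host; the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF) into {suffix: count}.
    Padded responses add zero-count filler rows; they are harmless here."""
    seen: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        seen[suffix.upper()] = int(count)
    return seen


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the corpus (0 = not found).
    fetch_range(prefix) must return the response body for that prefix."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def audit(candidates: Iterable[str], fetch_range: Callable[[str], str]) -> Dict[str, int]:
    """Return only the candidates that were found, with their counts."""
    hits: Dict[str, int] = {}
    for pw in candidates:
        n = breach_count(pw, fetch_range)
        if n:
            hits[pw] = n
    return hits


# Constructed offline stand-in for the service, keyed by prefix. The
# "password" suffix is its real SHA-1 tail; all other suffixes and every
# count are made up for this example.
FAKE_RANGES = {
    "5BAA6": "00000000000000000000000000000000AAA:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n",
}

def offline_fetch(prefix: str) -> str:
    return FAKE_RANGES.get(prefix, "")
```

In production, `fetch_range` would issue the HTTPS GET for `RANGE_URL + prefix`; everything else stays identical, which is the point of the k-anonymity design.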
notlukesky about 5 years ago
Anyone have a clue who the potential acquirer was? Just curious as to whether they wanted the brand of Troy Hunt, as the databases are public and most technically savvy organizations can put one together.

gadders about 5 years ago
After reading that, I think that what Troy needs is an employee or two (assuming the business supports it).

AdmiralAsshat about 5 years ago
> So we wrapped it up, I got the single largest bill I've ever received in my life and then I sat down and started writing this blog post.

Where did the bill come from? Did he get billed by the prospective buying company for *not* purchasing him?

saagarjha about 5 years ago
I believe that Have I Been Pwned provides a useful service, but I find it very strange that it needs to be valuated and sold like a startup when it's essentially been able to survive because people singularly trust Troy with a bunch of illegally obtained material. Like, how do you buy that; how could you ethically and legally make money from it? Why can't it just continue being supported by contributions?

cynusx about 5 years ago
I think it's good that he doesn't sell; having built an enormous marketing presence and gained market trust is only a minor step away from actually monetizing that. Selling what he has right now does indeed come with golden handcuffs (sucks), but also any purchase price would come in vastly under the project's potential.

He could easily leverage this marketing presence to build a security SaaS company, create a huge conference, launch a big consultancy,...

If you value independence then running your own profitable balance sheet is the best thing you can do.

Hell, it wouldn't even be hard to attract talent to the cause at the point he's at.
