Case Study: Have I Been Pwned achieves 90% infrastructure cost savings and reliable API protection with Cloudflare

Have I Been Pwned - Customer Case Study

Troy Hunt, creator of the HaveIBeenPwned (HIBP) service and a respected internet security researcher, needed to keep his breach-aggregation site and API reliable and affordable. Running on Microsoft Azure, HIBP regularly faces huge, sudden traffic spikes after high-profile breaches, which max out CPUs, drive up autoscaling costs and risk downtime — and Hunt was also seeing abusive use of the API that undermined its purpose.

Hunt implemented Cloudflare’s Rate Limiting to cap requests per IP, throttling abusive actors while leaving normal users unaffected. The result: HIBP stays fast and trustworthy, malicious API use is prevented, infrastructure costs fell by 90%, and 99.5% of requests are served from Cloudflare’s cache.

Have I Been Pwned

Troy Hunt

Creator