In addition to obstruction of justice, prosecutors charged Sullivan with failing to share knowledge of a felony. In total, he faces up to eight years in prison if convicted of both charges. 

“We expect good corporate citizenship,” said US Attorney David L. Anderson. “We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush-money payments.” 

Bradford Williams, Sullivan’s attorney, told The New York Times there’s “no merit” to the charges. “If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all,” he said. Williams added that Sullivan and his team worked closely with other Uber employees and followed the company’s policies.

Meanwhile, a spokesperson for Uber told The New York Times it continues to cooperate with the Justice Department’s investigation into the 2016 hack. “Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability,” they said.

Sullivan may become the second former Uber employee to end up behind bars. At the start of August, Anthony Levandowski, the engineer at the center of the trade secret legal battle between Waymo and Uber, was sentenced to 18 months in prison. 

Hunt noted there were a few reasons for this, including the prevalence of open source projects and the fact Have I Been Pwned has always been “open in spirit.” On a practical level, it’ll enable others to fix bugs and implement ideas that he’s not necessarily able to.

It’ll take some time to fully open up the code base, and Hunt plans to do so gradually. “The transition from completely closed to completely open will happen incrementally, bit by bit and in a fashion that’s both manageable and responsible,” he wrote.

It’s a complex process, especially when you consider the highly sensitive troves of data that make Have I Been Pwned an important service. While much of that data is already in the wild, Hunt said he needed to ensure “privacy controls prevail across the breach data itself even as the code base becomes more transparent.”

Some other services, particularly password managers, also help people monitor whether their data or credentials have been included in a breach. Still, Have I Been Pwned is perhaps the best-known such resource, allowing people to search find out whether their email address is among billions of records from hundreds of data breaches. Taking steps to ensure it’ll remain available in the long run is a welcome move on Hunt’s part.

On Tuesday TechCrunch reported that security researcher Mossab Hussein, with the firm SpiderSilk, found an exposed, unencrypted MoviePass database with millions of records. Some of those included numbers for its custom debit cards that are used when subscribers purchase tickets, while others listed customer’s personal information including their credit card numbers, expiration dates and billing information. Another researcher had located the vulnerable information back in July and notified the company, but neither was able to get a response, while yet another found evidence the database had been public since May of this year.

MoviePass took the database offline yesterday after the report, and today finally publicly responded with a statement from a spokesperson.

MoviePass recently discovered a security vulnerability that may have exposed subscriber records. After discovering the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this incident. MoviePass takes this incident seriously and is dedicated to protecting our subscribers’ information. We are working diligently to investigate the scope of this incident and its potential impact on our subscribers. Once we gain a full understanding of the incident, we will promptly notify any affected subscribers and the appropriate regulators or law enforcement.

The company put its services “on hold” in July while saying it was working on its app, but couldn’t close this security hole — despite apparent attempts at notifications before restoring access “to a substantial number of our current subscribers.”

Resecurity understood that hackers from Iridium, an Iran-linked group, stole data in December 2018 and again on March 4th. They made off with at least 6TB of documents and as much as 10TB, and they seemed to be focused on project data for the aerospace industry, the FBI, NASA and Saudi Arabia’s state-owned oil company. The intruders may have been lurking for a long time, too. Resecurity’s Charles Yoo said that Iridium broke into Citrix’s network roughly 10 years ago and had been hiding since then.

The researchers said they’d told Citrix about the first attack on December 28th. It’s not clear if Citrix addressed the issue then, although it took a number of steps after the FBI got in touch on March 6th. The company said it launched a “forensic investigation” with the help of an unnamed security firm and took “actions” to lock down its network.

Citrix stressed there was “no indication” that the intruders compromised its products or services. However, that’s not the major concern here. As a government contractor that focuses on networking and the cloud, Citrix could hold sensitive data on other companies. It may be aware of their network layouts and security measures, for instance. Like the OPM hack, the consequences could reach well beyond the initial target.