There is also an unreasonable dependency on CloudFlare kool-aid for HIBP and his other services. I reached out to Troy about sponsoring Report-URI because it was a service I believed benefited the internet. In response I received a snarky response about how I didn't understand how web-scale CloudFlare was, when I was effectively offering to cover all the company's infrastructure costs for the foreseeable future (multiple dozens of servers and XX Gbps of bandwidth).
How is it unreasonable? Do you criticize the hosting platform / CDN of every service you use?
CF has been a huge help to Troy with optimizing caching and helping him with the k-anonymity setup to make the scale of HIBP possible with less infrastructure. Their network is top notch (sub 10ms for most population centers) and they are trying to give back to the broader community by donating the bandwidth and cache to greater good projects like this.
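The k-anonymity range lookup mentioned above, as an added example (not code from the original post or from HIBP): it follows HIBP's published Pwned Passwords scheme of sending only the first five hex characters of a password's SHA-1 hash, with a constructed sample corpus standing in for the real breach data, and shows why each response depends only on the prefix and can therefore be served from a CDN cache.

```python
import hashlib

# Constructed sample corpus with made-up occurrence counts; stands in for
# the real breach data and is not taken from HIBP.
SAMPLE_BREACHED = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "letmein": 250_000,
    "qwerty": 3_946_737,
}

PREFIX_LEN = 5  # the range API keys on the first 5 hex chars of SHA-1


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus):
    """Server side: bucket hash suffixes by their 5-char prefix."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], {})[h[PREFIX_LEN:]] = count
    return index


def range_query(index, prefix):
    """Server response for one prefix: 'SUFFIX:COUNT' lines, sorted.

    The body is a pure function of the prefix (never of the caller's
    password), so every client asking for the same prefix gets the same
    bytes and a CDN can cache the response.
    """
    bucket = index.get(prefix.upper(), {})
    return "\r\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))


def check_password(index, password):
    """Client side: send only the prefix, compare suffixes locally.

    Returns the breach count, or 0 if the password is not in the corpus.
    The server learns only that the hash is in a bucket of roughly
    16^35 candidates, which is the k-anonymity property.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for line in range_query(index, prefix).splitlines():
        if line and line.split(":")[0] == suffix:
            return int(line.split(":")[1])
    return 0


INDEX = build_index(SAMPLE_BREACHED)

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", check_password(INDEX, candidate))
```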
So basically what CF does today? Except he would have to re-engineer everything to fit a new setup? Was he snarky or just explaining himself?
Reg. Value of a single person company.
>This was another really unexpected part of the experience - how people perceived me personally and put a value on my brand.
Maybe Troy really didn't expect that the only person running an entity to be bought would be valued, sometimes even higher than the product/service itself; but it also needs to be understood that the company which is willing to buy an entity for a single person is undertaking an extraordinarily huge risk due to the bus factor.
Reg. Compliances of a Business when running as a single person.
>I still manually verified every breach, hand edited every logo of a pwned company, issued (and chased) every invoice, did the tax returns and prepared the business activity statements.
At least Troy seems to be located in a jurisdiction with straightforward business regulations. Maybe most of the compliances could be automated.
There are countries out there where companies, even if run by a single person, need to comply with literally hundreds of regulations, with a new one popping up each month, all to benefit the corrupt bureaucracy, i.e. if you want to comply with every regulation there, you still need to bribe. But the system and the people who help with such regulations (auditing, lawyers) favour those who don't comply just because of larger bribes! So, even if you automate every other part of your business, you cannot automate your way out of a corrupt bureaucracy.
M&A is one of the fundamental hurdles in a single person company, although there are other advantages such as freedom, cost-benefit etc.[1]
[1] https://hitstartup.com/being-single-founder-vs-having-co-fou...
> And so in September, we granted exclusivity to a bidder. (...) And so began the extensive due diligence. KPMG had warned me about this phase right at the beginning of the process and from memory, the word they used was something akin to "onerous".
You're supposed to have your ducks in a row before you launch the process, not after. As you're drafting your IM, you should also be preparing a virtual data room with as much data as you reasonably expect to be asked, and board minutes are the absolute minimum that any advisor should know...
> Among literally thousands of other requests (seriously - the total number was four figures)
And you don't have to respond to all of them! You can answer any request with "The company believes this can be answered as a matter of confirmatory diligence"
From, literally, dummies.com [0]:
"Sellers can’t be afraid to remind Buyers that due diligence is confirmatory in nature, meaning Buyer should spend the time confirming Seller’s information and not planning, creating, and combining the two entities. The Buyer should take care of post-closing activities after closing! Otherwise, due diligence will drag on longer than necessary."
[0] https://www.dummies.com/business/corporate-finance/mergers-a...
Everything in his list sounds like what you need to check the audit and compliance boxes at any "real" company. I've been through a dozen audits from prospective _customers_ that are worse than his description, even apart from our internal audits, so if someone was going to buy a company I'd expect essentially a superset of BS from all of those different inquiries. You sometimes answer the audit optimistically, then use that as your framework to write the policies and figure out how you're going to implement them before you submit your response. "How do you sanitize media for disposal?" "Oh shit, I guess we need a document that says how we dispose of media." - problem solved!
Yeah, it's rough. KPMG should have done their own diligence to see that he wasn't serious - if you're not willing to jump through some of those hoops then you're not ready for a big-boy company.
That said, I don't put all of the blame on KPMG. It takes only a few minutes searching on the internet or speaking with advisors to learn that shopping for a buyout is a long, extremely hard process. In particular, I couldn't help but audibly laugh at Hunt's seeming incredulity at the request for "Documentation of the Company's technical operations". Hunt is trying to sell a tech company whose primary business value comes from the technical infrastructure, operations, and data. I don't want to sound too blunt, but...no fucking shit the buyers are going to want to know about his technical processes and infrastructure. Did he seriously think someone would even think about buying HIBP without investigating exactly what technical stack and data they are buying? Even for companies where the value isn't as based in the tech processes, nobody wants to buy a pile of steaming spaghetti code.
It should be common sense that this is the type of information that buyers would ask for. This list of tech processes and documentation of infrastructure is something that should have been put together first thing before Hunt even started shopping around.
By the way the game theory and signaling is intense!
I think what Troy actually wanted was resources and support and management for his vision of the future HIBP. That's not usually what a sale is, and it sounds like he paid a lot to learn that lesson.
It seems to me like Troy treats HIBP as a mission, not a business, and in the US at least, a nonprofit would be an option to organize financial resources around a mission. As a private company, he could seek investment from like-minded folks with deep pockets, but that would likely come with external pressure to show a profit.
It may be because he cannot speak towards the specifics of the deal, but I truly hope there was a breakup clause.
For those unaware, M&A deals eventually go exclusive which, as this post points out, is very very time consuming, which means expensive. For those who are involved in the deal itself, very little work gets done that actually runs the business.
So to protect against the downside for the company getting purchased, a break-up clause gives them cash if the purchasing company does not follow through.
Only companies in great negotiating positions can command these things, but it sounds like Troy was in a great position when looking at the initial 43 buyers.
I hope he got good advice, because this sounds really bad. HIBP is an amazing resource, and should easily command an 8-9 figure exit for the founder. It's disappointing to learn that the one suitor he settled on ended up being a dud.
All I can say is props to him for keeping his principles. I really hope he'll be able to grow HIBP into a sustainable gig for himself and a small core team.
Why KPMG? Their competence is below average for an above average price, hiding behind a big corporate name. Why answer thousands of questions, when the majority could have just been a copy-paste one-liner? You're selling a side gig, not a massive company. Also, why sell it in the first place and then not want to give up control by limiting what the buyer can/wants to do with HIBP? If he didn't want to give away control then don't sell: find investment, find sponsors, find a business model which pays the bills and allows you to hire staff so you can scale it yourself. Decide what you want first :)
EDIT:
I think the increasing exposure and interest in HIBP has made Troy fantasize about a potentially nice cheque which a buyer could write him which could put him into early retirement, but then he realised two things along the process which made him change his mind on selling:
- HIBP is not really worth the amount that could retire a family (interest <> value, website hits <> value, etc.)
- The fan messages gave him a bad conscience
In the end the whole thing was not worth it.
[1] https://www.troyhunt.com/10-personal-finance-lessons-for-tec...
What do you think that amount is?
I mean, Australia's median household income is US$44,000 which you could achieve with US$1.1 million and an investment paying 4% above inflation.
I can easily imagine HIBP being valued that much by the right buyer - such as a company with an anti-credential-stuffing product.
Of course, someone hoping to retire and live a life of luxury would be a different matter.
PS: check the ABS, it's a different median last time I checked.
I have a perennial objection to the "Silicon Valley Way" where you try to build a scalable product or service and immediately look for funding (and later a buyer).
Normal companies just start. And try to be profitable quickly. I think this is probably the issue as well that Troy eventually found there. I think he should really be thinking: "What is my service and what is my product, and what is the 80-20 of where my product is worth the most."
And I don't mean dumb things like ads. I think he should be doing custom services for big companies that care about security.
I know these in principle should be simple. But the man is a rock star and should be able to cut through a lot of the bureaucratic BS.
Agreed, and I also didn't mean to suggest that, but I am still surprised that Troy made such a fool of himself by hiring KPMG for really anything. He's a tiny one-person business/sole trader; there is absolutely nothing which KPMG could do for him which another professional couldn't have done much more effectively, cheaper and faster.
KPMG are first and foremost sales people. They did what they are trained well to do: make him feel bigger than he is. "Why don't we introduce you to our <whatever we wanna rip you off with> team", "have a seat Mr. Hunt", "want a glass of this amazing champagne whilst my sexy secretary calls for the big boss to talk to you?". LOL They totally got him. I'm sorry but that's really really foolish and I sort of lost a bit of respect for him there as soon as he mentioned KPMG ¯\_(ツ)_/¯
This is not always the case, and it's certainly not a requirement to get a deal across the finish line. More frequently, you'll select from the list of buyers who provided credible non-binding offers – presumably those with good strategic fit / rationale for the acquisition and that can provide certainty that they have the funds available to do the deal (e.g. they have the pile of cash and their board has already approved the acquisition).
Then you give that select list of final bidders more access to management, including below C-suite (i.e. the opportunity to ask technical questions to engineers and middle managers to really understand what makes the business what it is) and set a deadline for final, binding offers, of which you will choose that which creates the highest value to shareholders.
Exclusivity means betting all your money on one horse, and it can make sense in some instances, but preferably conditional on someone making a huge offer that you believe is bona fide and hopefully before you launch the broad process (140+ buyers, in this case) i.e. they are trying to preempt the process and are willing to pay up, and in return for sparing you the publicity / distraction / exhaustion from running the sale process, you grant them exclusivity.
Back in April during a regular catchup with the folks at KPMG about some otherwise mundane financial stuff (I've met with advisers regularly as my own financial state became more complex), they suggested I have a chat with their Mergers and Acquisition (M&A) practice about finding a new home for HIBP. I was comfy doing that; we have a long relationship and they understand not just HIBP, but the broader spectrum of the cyber things I do day to day.
https://www.troyhunt.com/project-svalbard-the-future-of-have...
They have other business lines. But they aren’t notable. If you’re a top M&A banker, or even the best in a small niche, you’re at a bulge bracket or a boutique. Not KPMG.
All of the Big 4 "accounting firms" actually also house the largest consulting companies in the world, but somehow their old reputation of being "primarily an accountant / auditor" keeps sticking.
For others here: part of "companies are bought, not sold" is not just the price difference, but whether the deal happens at all. Your startup needs to be solving something critical for an executive, e.g., cutting red tape on internal politics, and enough so that they'll push the deal through because they need it. A good signal is inbound, but not only, and part of your job is to help figure that out or get that inbound.
The reverse is still possible, but now you both underprice and need to find a firm that is efficient here. As part of my surprise in seeing gitlab internal docs in the open.. they explicitly look for good but struggling product teams to scoop up for basically annual bonus levels, and it sounds like they can do that quickly... If that's what you want.
From having legit inbound interest, you still need to find an executive champion on the acquirer's side who'll spend months pushing through the lawyers, politics, etc, and ideally, has done it before. Not easy. They may not be the person who reached out to you, but they are the one(s) you need to identify, make the bet on, convince, and iterate with as issues arise. If they're senior enough, they can make it Just Happen.
Maybe the perspective here is selling a business is the ultimate big & messy & relationship-heavy enterprise sales process. The process described in the post sounds like the numbers approach of SaaS (outbound reachouts to BD people -> a few conversations -> sell), but not with the messy human parts of enterprise. -- For example, it's unusual to bring in someone like KPMG due to deal size and risks around disintermediating the owner from the buyer during relationship building. (Individual advisors here are more normal for slightly bigger deals, and they'd have more skin in the game & involvement than a big firm.) -- As another, was DefCon time hanging out with the CEO or #2 of the company and the champions?
Not easy! The advice I got here is 90-99% of these convs fail, so it's useful to be wary & understand.
You cannot sell something and keep it at the same time. That's not what selling is. It's good to see governments taking interest in this, and I'm happy about paid plans. To keep HIBP under his original vision and for him to enjoy his lifestyle, renting would be the ideal solution. Not selling.
This makes me very sad. Not that the deal fell through, because of course it did, but because of the process he undertook. Every part of it makes me sad. Any correction or rebuttal I get to this will make me happier, so I hope I'm wrong about a lot of it.
First, the adage that companies are bought, not sold, has in my experience and the experience of my friends been pretty much true.†
Next, the most valuable thing about HIBP isn't the underlying work Hunt did --- lots of companies have done equivalent work --- but HIBP's notoriety and popularity.
Which to me means that every credible acquirer of HIBP already knew he was for sale --- because everybody is for sale --- and already fully capable of reaching out to Hunt and offering him some kind of deal. The list of bizarre stories I've heard about random projects that have received corpdev offers like this is long.
Which to me suggests that putting a lot of work into a deck that explains HIBP and what makes it valuable was not a good use of time. If you're explaining, you're losing.
Then there's reaching out to your tax advisor to coordinate the sale. I have only heard bad stories about retaining financial firms to shop companies. In this case there's the added fact of the enormous incentive mismatch: Hunt is engaging a financial firm to act as his agent with a bunch of their own clients and client prospects, practically every one of which seems like it'd be worth more to KPMG than the HIBP "sale" or any ongoing relationship with Hunt himself.
Then there's what KPMG actually did, which was to arrange FORTY(!) pitches. To each of which he disclosed traffic stats and revenue numbers!
Bringing us back to HIBP's value being its notoriety, in that: anyone you have to explain HIBP to is probably not a qualified prospect. Also, just the idea that there would be 40+ qualified prospects to begin with.
My feeling is that a pretty big chunk of YC companies get a whole stream of invitations to corpdev meetings equivalent to the ones Hunt went through here. And that a big part of YC's founder education is convincing founders never to go to these meetings, because they're so unlikely to have good outcomes, and because the counterparties in those meetings are basically trained and selected to efficiently screw founders over. Here, it seems like Hunt paid for the privilege of experiencing this.
Then there's the deck itself; the one detailed slide of which we get to see is an exquisitely detailed rationale for why Hunt's presence is vital for the continued success of HIBP. "This is what the organisations bidding on HIBP were buying: trust in me." That's a description of a job interview, not a company sale. Elsewhere on this thread there's a comment saying HIBP should be worth 8-9 figures. Can we think of a company with this slide in their deck and that valuation?
In the end, he gets to term sheets with one potential company, and goes through what appears to be a full-fledged warrants-and-reps due diligence process, the completion of which is rewarded with a polite "no thank you" from the company.
This seems like the longest, most expensive job search anyone here has ever read about. I assume he paid KPMG for their work on this, and what KPMG did here looks to me like malpractice.
We give YC a lot of shit and they sure deserve a lot of that shit, but it's not unusual for me to look at a security founder story and think "this person really, really would have benefited from going through YC".
I like what Troy Hunt is doing a lot and he seems great. I hope things go better for him building this project up without trying to shop it for new owners.
† The exceptions to "bought not sold" that we read about most frequently here are companies put up on company-flipping brokerage sites and sold solely for their revenue streams.
My reading is that the interested company, being the large amorphous blob that it is, decided in some separate cortex to change their business model while the due-diligence nitty gritty was underway, and Troy decided to cut out.
WeWork?
HIBP held a long randomly generated password I used exclusively on tvtropes. It was in plaintext in a pw dump, suggesting they weren't even hashing at the time.
I contacted tvtropes a few times but got ignored with no announcement.
It's not a banking site, not sure what we should expect. But given compelling evidence of a breach and making no announcement to users seems irresponsible.
Normally a company is valuable because of some kind of value add. Either they generate data nobody else can, or they do something with that data nobody else can. HIBP does neither of those things. It literally searches one column of a database, and tells you if there was a match. You could run HIBP using a total of 1 SQL query, with a fancy template in front. It's essentially just a hobby project of a software dev. who wants something to do on the side. It is infinitely more valuable to Troy as a resume booster than to any company.
To be fair, Google is also a (very glorified) text search of publicly available data when you get right down to it. Value is a combination of how useful you are to other people and how popular you are with other people, not how technically complicated you are. HIBP is both useful and popular - hence it's valuable.
"Anyone can cobble together a website with some APIs and load in a ton of data breaches, but establishing trust is a whole different story. Trust in the way I run the service is an absolutely pivotal part of HIBP and it's something I built organically rather than setting out to earn it, now here I was with big companies putting a value on it."
I used HIBP in a corporate setting. Like most others I looked to see if there was a way to check AD and Linux for bad passwords; a few people had some open-sourcey things that only work retroactively with manual execution. We evaluated the need and decided on pursuing an unrelated commercial product that does all the password auditing using known bad passwords, among a long list of other things. Since the start I wondered why HIBP did not do this. Having existing enterprise customers would have given him a lot more leverage.
We don't advertise the Linux/PAM support since we have failed to find a market for it (usually things end up being hooked up to AD one way or the other)...
Would line up well with Troy Hunt's mention of "It was a change in business model that not only made the deal infeasible from their perspective, but also from mine; some of the most important criteria for the possible suitor were simply no longer there"
But then I saw the date for the pcmag article above (Aug 2019) and I'm not sure now. Seems Symantec's divestiture is too early for this broken deal. Or would it take several months after the sale? I found an article from 2019 Nov 4 about Broadcom closing the Symantec purchase - https://www.crn.com/news/security/done-deal-10-7-billion-bro...
https://techcrunch.com/2020/01/15/mozilla-lays-off-70-as-it-...
Where did the bill come from? Did he get billed by the prospective buying company for not purchasing him?
That realization appears to have been a major factor in the decision not to pursue other buyers.
He could easily leverage this marketing presence to build a security SaaS company, create a huge conference, launch a big consultancy,...
If you value independence then running your own profitable balance sheet is the best thing you can do.
Hell, it wouldn't even be hard to attract talent to the cause at the point he's at.
If it would be so easy it would've been done already.
Maybe easy is the wrong word, but he's definitely well-positioned to reap more reward from what he has achieved so far.