Were Your IDs, Passwords Stolen? Check PwnedList

Site lets you check whether your login details are among 5 million compromised data records amassed since June.

Mathew J. Schwartz, Contributor

November 1, 2011

Up to 50,000 breached records appear online every week. Do any of them include your usernames and passwords?

Answering that question is the principal aim of the free website PwnedList.com, which is billed by its creator as being "a simple one-click service to help the public verify if their accounts have been compromised as a part of a corporate data breach, a malicious piece of software sneaking around on their computers, or any other form of security compromise." A user enters an email address, and the site says whether it has spotted that email address among breached records.

As of Monday, the site had amassed five million breached records, roughly 70% of which included email addresses and 30% usernames, that had been "pwned" (hacker-speak for owned or controlled) by online attackers or inadvertently exposed online.

PwnedList was created by Alen Puzic, a security intelligence researcher for HP's TippingPoint DVLabs. According to background details Puzic posted to the site, it began as a research project "to discover how many compromised accounts can be harvested programmatically in just a couple of hours." That's researcher-speak for using scripts to automatically analyze large amounts of data to extract any usernames, passwords, or other sensitive information they contain. In the first experiment, interestingly, Puzic found that he could automatically retrieve 30,000 usernames and passwords after only about two hours of work, for everything from email addresses and social media login details to banking and other financial information.

Based on those findings, Puzic officially launched PwnedList.com in June to help people identify if their personal data may have been dumped online. About 80% of the data is harvested via Puzic's Internet-crawling spiders, which index everything from hacking groups' account dumps to Pastebin and underground hacking forums, to accidental but publicly accessible releases of public information. Meanwhile, about 20% of the information comes from voluntary, anonymous submissions.

"The amount of data out there is ridiculous, and [it's] not just limited to account credentials. There's personal details such as phone numbers, addresses, and even worse, credit card numbers, but I don't store those," Puzic told Kaspersky Lab's Threatpost.

The data that does get retained gets put through a one-way hash to secure it, and all remaining clear text data stored online gets deleted. Besides not storing any passwords found online, Puzic promises that no queries made using the website are stored, and that anyone who distrusts the site's security can use SHA-512 hashes as inputs.
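
The hash-only storage and hash-as-query lookup described above, sketched as an added example (not PwnedList's code). The class and function names, the `identifier:password` dump layout, and the trim-and-lowercase normalization are assumptions, and the sample records are constructed.

```python
import hashlib
import re

# Assumption: identifiers are trimmed and lowercased before hashing; the
# article does not say how PwnedList normalizes input.
def normalize(identifier: str) -> str:
    return identifier.strip().lower()

def sha512_hex(identifier: str) -> str:
    return hashlib.sha512(normalize(identifier).encode("utf-8")).hexdigest()

_SHA512_HEX = re.compile(r"[0-9a-fA-F]{128}")

class HashedBreachIndex:
    """Keeps only SHA-512 digests of breached identifiers, never clear text."""

    def __init__(self):
        self._digests = set()

    def ingest(self, dump_lines):
        """Hash the identifier of each 'identifier:password' line and discard
        the rest of the line (the password is never stored). Returns the
        number of new unique identifiers added."""
        added = 0
        for line in dump_lines:
            identifier = line.split(":", 1)[0]
            if not normalize(identifier):
                continue  # skip blank or malformed lines
            digest = sha512_hex(identifier)
            if digest not in self._digests:
                self._digests.add(digest)
                added += 1
        return added

    def is_pwned(self, query: str) -> bool:
        """Accept a clear-text identifier or a pre-computed SHA-512 hex digest."""
        q = query.strip()
        digest = q.lower() if _SHA512_HEX.fullmatch(q) else sha512_hex(q)
        return digest in self._digests

# Constructed sample dump (not real data).
SAMPLE_DUMP = [
    "alice@example.com:hunter2",
    "Bob@Example.org:letmein",
    "carol_91:qwerty",
    "alice@example.com:duplicate-entry",
]

if __name__ == "__main__":
    index = HashedBreachIndex()
    print(index.ingest(SAMPLE_DUMP), "unique identifiers indexed")
    print(index.is_pwned(sha512_hex("bob@example.org")))
```

Hashing the query on the client keeps the clear-text address off the wire, but an unsalted hash of an email address can still be matched by anyone able to enumerate candidate addresses, so the digest should not be treated as secret.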

Why use PwnedList? Primarily, because the free service--Puzic has said it will remain free for individuals, though businesses may at some point have to pay to use it--helps monitor whether a person's information has surfaced online. "I would recommend to folks to check their emails on pwnedlist on a monthly basis. Then when we add automated alerts they can set up notifications for all of their accounts and we'll send them an email if we ever come [across] an account of theirs," Puzic told Threatpost.

Of course, sites such as Pwnedlist only go so far when it comes to containing the breach of a person's personal information. Another essential security strategy is to choose unique passwords for every different website used, and to never reuse any of those credentials. That way, even if a website does get breached, and attackers distribute, sell, or buy the stolen username and password information, the credentials will only work on the compromised site.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
