[ISN] Were Your IDs, Passwords Stolen? Check PwnedList

[InfoSec News <alerts@xxxxxxxxxxxxxxx>]

http://www.informationweek.com/news/security/client/231902027

By Mathew J. Schwartz
InformationWeek
November 01, 2011

Up to 50,000 breached records appear online every week. Do any of them 
include your usernames and passwords?

Answering that question is the principle aim of free website 
PwnedList.com, which is billed by its creator as being "a simple 
one-click service to help the public verify if their accounts have been 
compromised as a part of a corporate data breach, a malicious piece of 
software sneaking around on their computers, or any other form of 
security compromise." A user enters an email address, and the site says 
whether it's spotted that email address amongst breached records.

As of Monday, the site had amassed five million breached records, 
roughly 70% of which included email addresses, and 30% that had 
usernames, that had been "pwned" (hacker-speak for owned or controlled) 
by online attackers or inadvertently exposed online.

PwnedList was created by Alen Puzic, a security intelligence researcher 
for HP's TippingPoint DVLabs. Via background details posted to the site, 
it began as a research project "to discover how many compromised 
accounts can be harvested programatically in just a couple of hours," he 
said. That's researcher-speak for using scripts to automatically analyze 
large amounts of data to extract any usernames, passwords, or other 
sensitive information they contain. In the first experiment, 
interestingly, Puzic found that he could automatically retrieve 30,000 
usernames and passwords after only about two hours of work, for 
everything from email addresses and social media login details to 
banking and other financial information.

[...]


_____________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn