[ISN] Were Your IDs, Passwords Stolen? Check PwnedList
By Mathew J. Schwartz
November 01, 2011

Up to 50,000 breached records appear online every week. Do any of them
include your usernames and passwords?

Answering that question is the principal aim of the free website
PwnedList.com, which is billed by its creator as being "a simple
one-click service to help the public verify if their accounts have been
compromised as a part of a corporate data breach, a malicious piece of
software sneaking around on their computers, or any other form of
security compromise." A user enters an email address, and the site says
whether it's spotted that email address amongst breached records.

As of Monday, the site had amassed five million breached records that
had been "pwned" (hacker-speak for owned or controlled) by online
attackers or inadvertently exposed online. Roughly 70% of those records
included email addresses, and 30% had usernames.

PwnedList was created by Alen Puzic, a security intelligence researcher
for HP's TippingPoint DVLabs. According to background details posted to
the site, it began as a research project "to discover how many compromised
accounts can be harvested programmatically in just a couple of hours," he
said. That's researcher-speak for using scripts to automatically analyze
large amounts of data to extract any usernames, passwords, or other
sensitive information they contain. In the first experiment,
interestingly, Puzic found that he could automatically retrieve 30,000
usernames and passwords after only about two hours of work, for
everything from email addresses and social media login details to
banking and other financial information.