2011 has been called the year of the data breach, with hacker groups publishing huge troves of stolen data online almost daily. Now a new site called pwnedlist.com lets users check to see if their email address or username and associated information may have been compromised.
Pwnedlist.com is the creation of Alen Puzic and Jasiel Spelman, two security researchers from DVLabs, a division of HP/TippingPoint. Enter a username or email address into the site’s search box, and it will check to see if the information was found in any of these recent public data dumps.
Puzic said the project stemmed from an effort to harvest mounds of data being leaked or deposited daily to sites like Pastebin and torrent trackers.
“I was trying to harvest as much data as I could, to see how many passwords I could possibly find, and it just happened to be that within two hours, I found about 30,000 usernames and passwords,” Puzic said. “That kind of got me thinking that I could do this every day, and if I could find over one million then maybe I could create a site that would help the everyday user find if they were compromised.”
Pwnedlist.com currently allows users to search through nearly five million emails and usernames that have been dumped online. The site also frequently receives large caches of account data that people directly submit to its database. Puzic said it is growing at a rate of about 40,000 new compromised accounts each week.
Puzic said information contained in these data donations often make it simple to learn which organization lost the information.
“Usually, somewhere in the dump files there’s a readme.txt file or there’s some type of header made by hacker who caused the breach, and there’s an advertisement about who did the hack and which company was compromised,” Puzic said. “Other times it’s really obvious because all of the emails come from the same domain.”
Puzic said Pwnedlist.com doesn’t store the username, email address and password data itself; instead, it records a cryptographic hash of the information and then discards the plaintext data. As a result, a “hit” on any searched email or username only produces a binary “yes” or “no” answer about whether any hashes matching that data were found. It won’t return the associated password, nor does it offer any clues about from where the data was leaked.
Any site that raises awareness about the benefits of strong passwords is a good thing in my book. But deciding what action to take — if any — after finding a hit on your email address at pwnedlist.com. I searched for my email address, krebsonsecurity [at] gmail.com, and the site told me my address was found in the database on June 1, 2011.
Answering the question of, “What now,” pwnedlist.com offers the following advice:
“Don’t panic! Just because your email was found in an account dump we collected does not mean it has been compromised. Your first reaction should be to immediately change any passwords that might be associated with this email account. It is probably a wise idea to go through all your accounts and create new passwords for each of them, just in case. Once one account has been compromised its best to assume all others have been too. Better safe than sorry.”
My email password is ridiculously long and complex, but being the ultra paranoid type, I tend to change it frequently, and have done so several times since it landed in this database.
Length and complexity are two of the most important factors in determining a strong password. It’s also a good idea to periodically change passwords for sensitive accounts, provided you have a decent way to recover the password should you forget or lose it. Check out my Password Primer for a list of tips and resources to help create and protect strong passwords.
Puzic said while his site does not store username or email address submitted to the pwnedlist.com form, for security reasons he does keep a record of Internet addresses of those who use the site: It seems some users have been trying to poison the database or include malware and exploits in data dumps submitted to the site.
“We have attempts about every other week [to plant malware or hack the site], but nobody’s done it yet,” he said. “We’ve had lots of different attempts. Someone tries just about every week.”
The two researchers plan to begin publishing regular updates to their Twitter account (@pwnedlist) when new data dumps are discovered. Longer term, Puzic said he has multiple goals for the site, including a longitudinal study on password security.
“I would love it if this could raise awareness about cybersecurity,” he said. “Also, it could serve as a good measuring stick for the amount of breaches that happen every day. For example, if you see that all of a sudden I have eight million more entries, something big may have happened.”