Free Service Lets You See If Your Email Address Has Been Compromised
By John P. Mello Jr.
Has your email or username been snatched by hackers and posted to the Internet? You can find the answer to that question at a new online service called Pwnedlist.
To see if your email address or username is in the service’s database of nearly five million pilfered names, you simply type in your information, click check, and Pwnedlist will deliver the good or bad news to you.
If the news is good–that is, your information is not in the Pwnedlist database–you can sigh with relief. If it’s bad, Pwnedlist advises you not to panic. Appearing in the database doesn’t necessarily mean that someone has tried to break into your account. Nevertheless, it’s a good idea to change the passwords for the account, as well as any others you have, just to be safe.
How Widespread Is the Problem?
The service is the idea of two security experts, Alen Puzic and Jasiel Spelman, who work at DVLabs, which is part of HP/TippingPoint. It occurred to them when they were experimenting with automating the harvesting of compromised information from cyberspace. In just two hours, they’d garnered the complete logins for nearly 30,000 accounts.
“The truly scary part, however, was the quality of data we were able to collect in such a short amount of time,” they wrote at the Pwnedlist website. “The accounts we were able to retrieve consisted of email services, social media sites, merchants, and even financial institutions.”
Those revelations prompted the pair to set up Pwnedlist, which is designed to be secure from the ground up. Only email addresses and user names are harvested by Pwnedlist. Everything else in an information dump is discarded. Before information is put into the database, it’s put through a cryptographic process called a “one-way hash” and the original text is destroyed. In addition, there is no storage of any information you type into the site.
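A minimal sketch of the hash-only storage described above, added here as an example and not Pwnedlist's own code. The `identifier:password` dump format, the choice of SHA-256 as the one-way hash, and all function names are assumptions, since the article does not specify them.

```python
import hashlib

def normalize(identifier: str) -> str:
    # Case and stray whitespace must not change the digest, or lookups miss.
    return identifier.strip().lower()

def digest(identifier: str) -> str:
    # One-way hash of the normalized identifier (SHA-256 is an assumption).
    return hashlib.sha256(normalize(identifier).encode("utf-8")).hexdigest()

def ingest(dump_lines, store: set) -> int:
    """Hash the identifier field of each dump line into `store`.

    The password and every other field are dropped, and the plaintext
    identifier is never written to the store. Returns the number of
    new entries added.
    """
    added = 0
    for line in dump_lines:
        identifier = line.strip().split(":", 1)[0]  # assumed "id:password" format
        if not normalize(identifier):
            continue  # blank line or record with no identifier
        h = digest(identifier)
        if h not in store:
            store.add(h)
            added += 1
    return added

def is_listed(query: str, store: set) -> bool:
    # The visitor's input is hashed in memory and compared; it is not stored.
    return digest(query) in store

# Constructed sample dump (not real data).
SAMPLE_DUMP = [
    "alice@example.com:hunter2",
    "Bob@Example.org:letmein",
    "carol_77:qwerty",
    "alice@example.com:hunter2",   # duplicate record
    ":orphanpassword",             # no identifier, skipped
    "",
]

if __name__ == "__main__":
    store = set()
    print("entries added:", ingest(SAMPLE_DUMP, store))
    for q in (" ALICE@example.com ", "carol_77", "dave@example.com"):
        print(repr(q), "listed" if is_listed(q, store) else "not listed")
```

Because email addresses are guessable, a plain hash keeps the list from being read directly but does not stop someone from confirming a specific address they already know.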
However, the service does store the IP addresses of its visitors as a security precaution. In an interview with security writer Brian Krebs, Puzic explained that every week or two someone tries to hack into the site or plant malware there.
In addition to the Pwnedlist site, the security duo has a Twitter account where they post the sources of the latest information added to the Pwnedlist database.
Among security experts, 2011 has already been anointed “Year of the Data Breach.” Millions of people have had their email addresses, user names, passwords and more clipped by crackers breaking into the data stores of companies like Sony, Epsilon, Google, Citigroup and Sega. What’s more, many more less-publicized breaches occur daily. So Pwnedlist couldn’t be coming online at a better time.