Softpedia Exclusive Interview: Steve Thomas, Co-Founder of PwnedList

Great features were added to the site that knows if your accounts have been compromised

Back in November 2011, we revealed the inauguration of PwnedList, a great service which allows users to check if their accounts have been stolen by cybercriminals.

Since then, some considerable improvements have been made to the site, including a daily monitoring service which warns individuals and companies in case their credentials end up being published online.

Steve Thomas, the co-founder of PwnedList, was kind enough to offer us an interview in which he shared some interesting things about the monitoring service, the expansion of their team, and the new automated data collection process.

Take a look at the interview and then head over to to check if your credentials are safe. Also, since data breaches occur each day, it’s recommended that Internet users regularly visit the site.

Softpedia: When PwnedList was launched, only a handful of people was operating the site. How many members does the new team have?

Steve Thomas: Pwnedlist is still operated by a handful of security researchers. Alen and I are still working heavily on Pwnedlist, but we have a few amazingly talented security researchers who contribute to the project in their spare time.

They are focused on finding and harvesting increasingly harder to find data leaks.

Softpedia: We understand that the collection process has been automated. Can you please detail that?

Steve Thomas: We now have over 200 sources that we are harvesting stolen credentials from. When we find a source like Pastebin, we figure out if there is any reliable way we can identify stolen credentials as they get posted and we automated the collection and analysis process.

So probably about half of our harvesting work is focused on automating the sources that we already have, and the other half of our harvesting work is focused on finding new sources.

We also put a big focus on finding hard to find data leaks that hit the news, since a lot of companies and individuals are discussion the leak and want to know if they have been impacted by it.

Softpedia: The new daily monitoring and alerting service for stolen credentials is a great step forward. How does the alerting mechanism work? Are customers informed via email, SMS or other means of communication?

Steve Thomas: Thanks! We worked really hard getting the monitoring and alerting service up and running and have had great feedback from individuals and corporate customers on the value of the service.

For individuals, a person can sign up and put their ten most common e-mail addresses on their watch list. We run every person’s watch list against harvested stolen credentials every day and will e-mail them as soon as any of the credentials are detected.

We will notify them of when their account was discovered and if possible which leak the account was discovered in. We also have a dashboard built into their account so that they can see their most recent account alerts.

We also plan to notify customers specifically after we harvest a major leak if they were included in that leak, so they can have the peace of mind and be able to say “I was not included in the CSDN/Gawker/SIDEX/ETC leak”.

For corporate customers, a company can sign up and we will put their entire domain on their watch list (or several domains for larger companies).

Most corporate customers have dozens to hundreds of already stolen credentials that are being freely shared between hackers for their domain, so as soon as a corporate customer signs up, they get a large list of credentials that are vulnerable.

We generate daily reports for corporate customers so that they can take all of their vulnerable accounts and make sure those credentials are changed, which can help corporate customers remove vulnerabilities hours, days, even weeks before those vulnerabilities are attacked.

We plan on building an API so that corporate customers can do some really smart security automation in the future.

Softpedia: Last year, when PwnedList was founded, Alen Puzic said that it would always remain free. Has this changed with the introduction of the new service?

Steve Thomas: We plan to keep the self lookup service always free. Our mission is still to provide an easy way for the average person to answer the question “Have I been pwned?” Into the foreseeable future, anyone can go to and type in their credentials and get an up to date report on if and when their credentials have been stolen for free.

Our new service is our first response to a large amount of individual and corporate customer feedback about the free service. People realize that credentials are stolen every day and instead of checking every day every account at a domain, they want us to do that checking for them and just notify them when they need to take action.

For just a dollar a month for individuals, people are seeing this as a pretty cheap way to deal with a large threat to financial, identity, and data theft.

Softpedia: Any plans for the future? Maybe some new services users should look forward to.

Steve Thomas: Our vision is to be the online security eyes and ears for our customers. We are tossing some very interesting ideas around about how to better monitor all types of data that is stolen and shared between hackers.

For corporate customers, we are looking at ways that we can help notify them when their most sensitive types of data (customer lists, financial records, trade secrets, product roadmaps) get leaked.

For now though, we have dealing with stolen credentials as our number one priority.

Softpedia: What about the credit card and phone number collection Alen was talking about some time ago?

Steve Thomas: The data is certainly out there to harvest. We just need to figure out what is the most valuable, impactful type of data that we should harvest next. We haven’t written anything in stone in terms of what we will harvest next.

Softpedia: Can you approximate the number of individuals that have utilized the site? Did you notice an increase after the latest breaches that resulted in massive data leaks?

Steve Thomas: We have had over 300,000 people use the site in the last five months and we have on average 50,000 people use the site each month. There have been a large number of very public data leaks in the last five months and we believe that is driving a large amount of interest in our service.

We are also expecting 2012 to be a blockbuster year for data leaks. Corporate data theft alone is a $10 Billion dollar industry and the amount of damage it does to companies is many times more than that. When a data theft like the PSN hack can cost Sony close to $2 Billion to clean up, there are a lot of people very worried about if they will be next.

Softpedia: What can you tell us about your site’s security? All that data could represent a goldmine if it got into the wrong hands. Have you taken the appropriate measures to make sure no incidents will occur?

Steve Thomas: Absolutely, security is top of mind for us. Any site can be a good target for hackers given the right circumstances. We don't feel the data we store is of any value to hackers. We don’t keep any of the stolen credential passwords, so our database of “Pwned” accounts is worthless to a hacker from a credential point of view.

That being said, the way our database system is architectured it would be impossible for anyone to dump data from it. In our key-value pair database data can only be extracted if you know the key, in this case the hash of the email address. An attacker wanting to extract data from our database would have to know the hashes of all data stored in it.

This, in turn, means they would also have to know the data those hashes are derived from, since they're one-way hashes. This defeats the purpose of a database dump since you have to know the data you are extracting in order to successfully extract it!

Softpedia: If there is anything else you would like to add, please feel free to do so.

Steve Thomas: Each year billions of dollars are spent on security compliance and despite these measures, no significant slow down of data theft has occurred. Our customers have realized that being ‘compliant’ is not the same as being ‘secure’.

Since the vast majority of data theft is opportunistic, PwnedList is looking to simply take away the opportunity that stolen credentials represents.

Note. My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile.

Hot right now  ·  Latest news