In March, we had a great interview with Steve Thomas, the co-founder of PwnedList, a service that’s designed to keep companies and individuals informed at all times regarding the safety of their online accounts.
Since then, PwnedList has evolved a great deal and, recently, it completed its first year of data leak harvesting with over 23 million credentials. With this milestone, the company also introduced additional free services and enhanced some of its existing ones.
To learn more, we’ve contacted Steve once again and had yet another interesting interview.
Softpedia:
Your company has come a long way since you first started. How was the trip? Please detail the milestone you have reached.
Steve Thomas:
Over the past year we have grown our company from a research project to a service that is alerting hundreds of thousands of people if and when their credentials are stolen.
In that time we have harvested over 23 million stolen credentials, with Gamigo recently causing a large increase in that number, and had half a million users stop by our website to check their credentials.
We have learned quite a bit about how data leaks are released and the type of daily monitoring that is needed to make sure that we can get to leaks before they disappear.
Along the way, we have found many like-minded people that truly understand the threat that stolen credentials represent.
While we have also found people that put all their faith in strong authentication, I believe the data breaches of Sony, eHarmony, AAPT, Yahoo!, Gamigo, etc. are serving as lessons, showing how vulnerable all businesses are to data breaches.
Softpedia:
Back in March, we learned that the data collection process has been automated. How is that working out? Is the automation as effective as expected?
Steve Thomas:
To get adequate coverage of stolen credentials, you have to have some component of automated harvesting. Our automation has been helpful, but stolen credentials move and leak behavior changes, so you always end up feeling like you need a lot more automation for new sources.
We still rely on our security professionals to go out and hunt down data leaks every day. The goal will always be to automate as much as possible, but I don't think we will ever stop needing skilled professionals that are tied into the hacker community to stay up to date on what big leaks are out there.
Softpedia:
What about the alerting service? Can you share an approximate number of users that are relying on the service?
Steve Thomas:
We have several large businesses as well as a long list of individual accounts that add up to hundreds of thousands of people that rely on our credential monitoring.
With our recent change to offering a free option to individuals, we have seen our numbers grow significantly and we are looking at ways that we can help speed up the adoption of our service.
Softpedia:
You have started offering free security monitoring for individuals. Please provide some details regarding the new service.
Steve Thomas:
We want to help protect as many people's online identities and credentials as possible. We have made a free version of our credential monitoring and alerting service.
Individuals that sign up will get daily monitoring and alerting, as well as detailed reports about where we detected their credentials. We will also be working with partners to provide additional security services to protect online identities and manage passwords.
Softpedia:
What are the improvements you've made to the corporate services?
Steve Thomas:
We have learned that security professionals need much more detail about which employees have been included in data leaks and what information has been stolen to properly respond to the threat.
We have changed our corporate services to include all of the surrounding context when alerting businesses to a vulnerable account.
We have also made it our policy to write up a summary report about each data leak, detailing what type of service was breached, what information was stolen, whether passwords were in plaintext or hashed, and where the information is/was hosted.
Softpedia:
Why is it important for users to know the surrounding context of the stolen credentials?
Steve Thomas:
When a security professional is creating a response to stolen employee credentials, there are a lot of factors that can change the severity of the response.
If an employee had his/her credentials stolen in plaintext from a work related service, then that might represent a more significant threat than a salted and hashed password from an online gaming service.
Also details such as IP addresses, usernames, and whether credit cards or social security numbers were included can indicate what type of attacks to expect.
Since we don't know exactly what information is important to each customer, we want to provide them with all the information we can gather, as quickly as possible.
Softpedia:
What are PwnedList's plans for the future?
Steve Thomas:
We don't see any reason why we couldn't provide credential monitoring for at least a million individuals by this time next year. We are working on ways to help people understand the threat they face and get the word out about our free service.
We are planning on enhancing our services to allow large service providers to use our data to protect their subscribers. We have found that responsible businesses are taking a more proactive approach to prevent accounts from being hijacked and we want to help with this effort as much as possible.
We are also looking at businesses that we could partner with to provide a more well-rounded security offering to our customers.
While PwnedList is focused on alerting customers to vulnerable credentials, there are some great services out there that are working towards credential and identity management that would make for a great follow up action.
Softpedia:
Is there anything else you want to add?
Steve Thomas:
We are excited by the growth we have seen in the last year and are looking forward to what is to come this next year.
We don't see any slowdown in the frequency and size of data leaks and we hope to provide a reliable source of information to individuals and businesses that are concerned about how the data leaks impact them.
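The interview argues that the context around a leaked credential (plaintext versus salted hash, a work-related source, extra fields such as IP addresses or card and social security numbers) changes how severe the response should be. The following is an added illustration of that triage logic for a defender receiving such alerts; it is not PwnedList code, and the domain names, source names, scoring weights and sample records are all constructed for the example.

```python
"""Triage leaked-credential alerts by their surrounding context.

Added example (not PwnedList's code). It ranks how urgently a security
team should respond to a leak record using the factors the interview
names: password form, work relevance, and what other data leaked.
"""
from dataclasses import dataclass, field

# Constructed values: the defender's own e-mail domains and the services
# it considers work-related. A real deployment would load these from config.
CORP_DOMAINS = {"example-corp.com"}
WORK_RELATED_SOURCES = {"hr-portal.example", "vpn.example"}

# Weights are assumptions chosen to mirror the interview's ordering:
# plaintext > unsalted hash > salted hash, and work-related > unrelated.
PASSWORD_FORM_WEIGHT = {
    "plaintext": 3,
    "hashed": 2,        # unsalted hash, cheap to crack offline
    "salted_hash": 1,
    "unknown": 2,       # no detail available: treat conservatively
}
SENSITIVE_PII = {"ssn", "credit_card"}


@dataclass
class LeakRecord:
    """One credential observed in a data leak, with its context."""
    email: str
    source: str                      # breached service the record came from
    password_form: str               # key of PASSWORD_FORM_WEIGHT
    extra_fields: set = field(default_factory=set)  # e.g. {"ip", "ssn"}


def score(rec: LeakRecord) -> int:
    """Additive risk score; higher means a more urgent response."""
    s = PASSWORD_FORM_WEIGHT.get(rec.password_form, PASSWORD_FORM_WEIGHT["unknown"])
    domain = rec.email.rsplit("@", 1)[-1].lower()
    if domain in CORP_DOMAINS:
        s += 2                       # a work identity is exposed
    if rec.source in WORK_RELATED_SOURCES:
        s += 2                       # credential likely valid against work systems
    if rec.extra_fields & SENSITIVE_PII:
        s += 2                       # fraud and identity-theft exposure
    if "ip" in rec.extra_fields:
        s += 1                       # helps an attacker target the person's network
    return s


def severity(rec: LeakRecord) -> str:
    """Map the score onto three response tiers (thresholds are assumptions)."""
    s = score(rec)
    if s >= 7:
        return "critical"
    if s >= 4:
        return "high"
    return "medium"


def recommended_actions(rec: LeakRecord) -> list:
    """Defensive follow-ups a responder would schedule for this record."""
    actions = ["notify user", "check for password reuse on corporate SSO"]
    domain = rec.email.rsplit("@", 1)[-1].lower()
    if domain in CORP_DOMAINS or rec.source in WORK_RELATED_SOURCES:
        actions.insert(0, "force password reset and revoke sessions")
    if rec.password_form == "plaintext":
        actions.append("assume password is known; review recent logins")
    if rec.extra_fields & SENSITIVE_PII:
        actions.append("refer to fraud/identity-protection process")
    return actions


def triage(records: list) -> list:
    """Return (severity, score, email, source) tuples, most urgent first."""
    ranked = [(severity(r), score(r), r.email, r.source) for r in records]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


# Constructed sample records, not real leak data.
SAMPLE_RECORDS = [
    LeakRecord("alice@example-corp.com", "hr-portal.example", "plaintext", {"ip"}),
    LeakRecord("bob@example-corp.com", "gaming-site.example", "salted_hash"),
    LeakRecord("carol@personalmail.example", "retail-shop.example", "hashed", {"credit_card"}),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(row)
```

The ordering this produces is the point of the interview's argument: a plaintext work credential from a work-related service lands at the top, while a salted hash from a gaming site for the same employer sits at the bottom even though both are "a corporate e-mail in a leak".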