Database of pwned users gets pwned and then rage quits

May 3, 2016 11:00 GMT  ·  By

PwnedList, a website that tells people when their website has been pwned and their sensitive credentials leaked online, has announced it will shut down on May 16, 2016.

The news comes after journalist Brian Krebs informed the company of a security issue that allowed a malicious attacker to monitor sensitive leaks for any domain, without going through the proper identity validation procedure.

PwnedList featured a flawed domain owner authentication procedure

By default, when a user creates an account on PwnedList and wants to follow when hackers leak access credentials online from his website (domain.com), he simply goes to his dashboard and adds domain.com as a site to monitor.

To validate his identity, PwnedList sends an email to the domain's owner, which the user needs to validate by clicking a link that opens a confirmation page.

Security researcher Bob Hodges told Brian Krebs that the confirmation page is not tied in any way to the previous phase of the validation process, meaning that by altering a few parameters in the link's URL, an attacker could validate himself as the owner of any domain.

Mr. Krebs performed a test to validate Mr. Hodges' findings and soon he was receiving email alerts for any credentials exposed online for the Apple.com domain, which he obviously did not own.

Attackers could use PwnedList to track any website on the Internet

An attacker, using this vulnerability, could track leaked credentials for any website on the Internet, as well as receive reports for previously compromised domains. PwnedList claims to hold data on 866,434,472 compromised accounts from 101,047 leaks.

Mr. Krebs demonstrated the vulnerability to PwnedList founder Alen Puzic, now with InfoArmor, the company that bought the service. Following a successful demonstration, the service was temporarily brought down yesterday, and today features the following message, announcing the service's shutdown.

  Thank you for being a subscriber and letting us help alert you of any risks related to your personal credentials. PwnedList launched in 2012 and quickly become the leader in open-source compromised data aggregation. In 2013 PwnedList was acquired by InfoArmor, Inc. a provider of enterprise based services. As part of the transition, the PwnedList Website has been scheduled for decommission on May 16, 2016. If you are interested in obtaining our commercial identity protection, please go to infoarmor.com for more information. It has been our pleasure to help you reduce your risk from compromised credentials.  

Snapshot of a PwnedList report for Apple leaked credentials received by reporter Brian Krebs
Snapshot of a PwnedList report for Apple leaked credentials received by reporter Brian Krebs

Photo Gallery (2 Images)

PwnedList decides to shut down
Snapshot of a PwnedList report for Apple leaked credentials received by reporter Brian Krebs
Open gallery