When PwnedList Gets Pwned!


Why PwnedList is not a good idea!


[+] Intro:

PwnedList.com [1] was, until recently, a free online service that let anyone check whether their email address and password were included in major data leaks [2]. The company scanned the internet for database dumps that had been illegally disclosed by hackers.

[+] Why PwnedList is not a good idea:

– Bringing collective data from the deep web to the surface of the internet might not be the best idea. This information was previously available only to a few, and nobody can guarantee its safety once it is aggregated in one place. It creates a real and approachable target for every black hat hacker out there.

– Single point of failure, if PwnedList is infiltrated by criminals. I would like to stress that PwnedList keeps hashes of your password, while it could simply keep a list of emails only. Meaning that if they get hacked by a sophisticated threat

– Security is not bulletproof. As in all cases, dedicate enough resources and new attack vectors will come up. Hodges (@NanoBob), a security researcher, discovered a vulnerability that allowed him to register any domain name. By exploiting it he was able to pull more than 100k Apple email addresses and passwords from the site.

– Last but not least, the recently leaked data from the 2012 LinkedIn hack created a buzz, and everyone jumped on the site to see if they had been hacked.
I was always told you should point out the elephant in the room: did you have a LinkedIn account in 2012?
The LinkedIn security team applied some precautions to limit the impact of the leak: all affected user accounts were forced to reset their password.
Nevertheless, it is good practice to use different passwords for different services and to regularly change your password to


[+] The Rise and Fall:

On the 16th of May 2016, InfoArmor decommissioned the popular online service PwnedList.com without giving the reasons behind the decision. The company will continue to provide commercial protection to its customers; however, that option will no longer be available to the public.

PwnedList.com Announcement


[1] PwnedList, https://pwnedlist.com/

[2] “LinkedIn Lost 167 Million Account Credentials in Data Breach”, Fortune, https://fortune.com/2016/05/18/linkedin-data-breach-email-password/