With 12 Million Hacked Users’ Data, Pwned List Launches As A Breach Monitoring Service

Andy Greenberg, Forbes Staff

Covering the worlds of data security, privacy and hacker culture.

Having your usernames and passwords stolen and sprayed across the Web is never fun, as millions have discovered after hackers breach a company where they work or where they’ve registered an account. But worse yet is to have that personal information hung out for all to see and not even know it.

Nine months ago, Pwned List was created to answer a simple question for users: Is your account among the millions whose credentials have been spilled onto the web? Visit PwnedList.com (whose name comes from the verb “to pwn,” slang for hacking someone or something), type in your email address or username, and the site will check it against a database that has now grown to 12 million compromised credentials it’s collected from crawling public sites where hackers post stolen data. For each of those 12 million usernames or email addresses, Pwned List has confirmed that a password was also published online.

On Monday, Pwned List announced that it aims to transform that post-breach notification service into a business. While anyone can still visit the site for free and check their email address or username, users can also pay a dollar a month for a service that emails them an automatic alert if their account data has been dumped by hackers on the Web. And perhaps more significantly for the site’s revenue, it will offer the same automated breach notification service to corporate customers, scouring the Web for any email linked with a company’s collection of domains for a five-figure annual fee.

“We may not catch absolutely everything, but we can catch the vast majority of credentials stolen and shared by hackers. We’ll notify a company the same day that we identify a new credential from its domain,” says Steve Thomas, the company’s chief executive. “Our goal is to be our customers’ eyes and ears, and take a chunk out of their risk of data theft.”

Aside from hackers’ favorite repositories for publishing stolen information like Pastebin and the Pirate Bay, Thomas says Pwned List has amassed more than 200 sources of hacked information that it constantly scours for updates. And it’s also created an upload portal so that volunteers (or the hackers who have themselves stolen user data) can upload stolen information or point the company toward public posts of hacked material. “Maybe you stumbled upon some hacker booty or have a little trophy of your own?” the site reads. “There are many secure ways to share your data with us, without exposing your identity.”

With attacks by the hacktivist movement Anonymous, its splinter groups and other hacker factions on the rise over the last year, companies may be eager for Pwned List’s type of breach alert system. A look at the site’s Twitter feed, which seems to have gone silent at the end of last year, shows that the information it pulled into its database includes the fallout from major breaches like Anonymous’s hack of the private intelligence firm Stratfor, a breach that spilled 860,000 subscribers’ information onto the Web. But it also includes dozens of lesser-known hacks by individuals with handles like Pirax and ThEhAcKeR12.

PwnedList isn’t the only service that has offered to check users’ information against databases of stolen accounts. But it realized early that many users aren’t comfortable typing their email into a random box on an unknown website. So it also allows users to enter a cryptographic hash of their password–a string of characters that results from a mathematical function that can’t be reversed. Comparing those hashes instead of a username or email address itself helped to assure any paranoid users that Pwned List wasn’t a phishing site scooping up gullible users’ credentials. Over the last year about 300,000 people have used the service with about 50,000 new visitors each month.

Thomas says the just-launched startup is already near deals with a handful of corporate customers to monitor their domains. In the future, it may also offer an API that allows firms to check leaked usernames from other domains, too, a trick that would avoid security breaches resulting from victims who use the same password or other credentials across multiple sites.
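The hashed lookup and the per-domain monitoring described above, sketched as an added example; this is illustration code written for this article, not PwnedList’s own service, and the dump, addresses and passwords in it are constructed. One caveat the article glosses over: hashing an email address is one-way in the mathematical sense, but addresses are low-entropy, so anyone holding a candidate list can hash it and match, which hides the address from casual observers rather than from a determined one.

```python
import hashlib

# Constructed sample dump in the "identifier:password" form commonly pasted
# to public sites. Every address and password here is made up.
SAMPLE_DUMP = """\
alice@example.com:hunter2
Bob.Smith@Corp.Example:Summer2011!
carol@example.org:
dave@corp.example:letmein
"""


def normalize(identifier: str) -> str:
    """Canonical form so the same account always produces the same hash."""
    return identifier.strip().lower()


def hash_identifier(identifier: str) -> str:
    """What a cautious user computes client-side and submits instead of the
    raw address. SHA-256 is an assumption; the article names no algorithm."""
    return hashlib.sha256(normalize(identifier).encode("utf-8")).hexdigest()


def ingest_dump(dump: str) -> dict:
    """Parse a pasted dump into {identifier_hash: domain}.

    Entries without a password are dropped, mirroring the article's rule that
    an identifier only counts once a password was also published. The plaintext
    password is never stored; the lookup table does not need it.
    """
    table = {}
    for line in dump.splitlines():
        if ":" not in line:
            continue
        identifier, password = line.split(":", 1)
        if not password.strip():
            continue
        ident = normalize(identifier)
        domain = ident.rsplit("@", 1)[-1] if "@" in ident else ""
        table[hash_identifier(ident)] = domain
    return table


def is_pwned(submitted_hash: str, table: dict) -> bool:
    """Server-side check: compares hashes only, never sees the address."""
    return submitted_hash.lower() in table


def domain_alerts(table: dict, monitored_domains: set) -> list:
    """Corporate monitoring: leaked accounts whose domain a customer owns."""
    wanted = {d.lower() for d in monitored_domains}
    return sorted(h for h, domain in table.items() if domain in wanted)
```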

“So much data theft is the casual hacker, people running exploitation tools, using these millions of stolen credentials available to anyone,” says Thomas. “We want to give people a way to get ahead of the curve, to alert them weeks or months before they can be hit personally.”
