Skip the navigation

Free service can tell if your email address has been compromised

The Pwnedlist database contains nearly 5 million entries for pilfered personal data.

By John P. Mello Jr.
November 4, 2011 02:41 PM ET

PC World - Has your email or username been snatched by hackers and posted to the Internet? You can find the answer to that question at a new online service called Pwnedlist.

To see if your email address or username is in the service's nearly five million name database of pilfered personal data, you simply type in your information, click check, and Pwnedlist will deliver the good or bad news to you.

If the news is good--that is, your information is not in the Pwnedlist database--you can sigh with relief. If it's bad, Pwnedlist advises you not to panic. Appearing in the database doesn't necessarily mean that someone has tried to break into your account. Nevertheless, it's a good a idea to change the passwords for the account, as well as any others you have, just to be safe.

How Widespread Is the Problem?

The service is the idea of two security experts, Alen Puzic and Jasiel Spelman, who work at DVLabs, which is part of HP/TippingPoint. It occurred to them when they were experimenting with automating the harvesting of compromised information from cyberspace. In just two hours, they'd garnered the complete logins for nearly 30,000 accounts.

"The truly scary part, however, was the quality of data we were able to collect in such a short amount of time," they wrote at the Pwnedlist website. "The accounts we were able to retrieve consisted of email services, social media sites, merchants, and even financial institutions."

Those revelations prompted the pair to set up Pwnedlist, which is designed to be secure from the ground up. Only email addresses and user names are harvested by Pwnedlist. Everything else in an information dump is discarded. Before information is put into the database, it's put through a cryptographic process called a "one-way hash" and the original text is destroyed. In addition, there is no storage of any information you type into site.

However, the service does store the IP addresses of its visitors as a security precaution. In an interview with security writer Brian Krebs, Puzic explained that every week or two someone tries to hack into the site or plant malware there.

In addition to the Pwnedlist site, the security duo has a Twitter account where they post the sources of the latest information added to the Pwnedlist database.

Among security experts, 2011 has already been anointed "Year of the Data Breach." Millions of people have had their email addresses, user names, passwords and more clipped by crackers breaking into the data stores of companies like Sony, Epsilon, Google, Citigroup and Sega. What's more many more less publicized breaches occur daily. So Pwnedlist couldn't be coming online at a better time.

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.

Originally published on www.pcworld.com. Click here to read the original story.
Reprinted with permission from PCWorld.com. Story copyright 2012 PC World Communications. All rights reserved.
Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!