PwnedList Gets Pwned, shutting down service in a few days

PwnedList is a service that lets anyone check whether their accounts have turned up in a breach. The company has decided to shut the service down on 16 May 2016.

PwnedList, an online service that tells users whether their login credentials have appeared in a breach, has announced that it will shut down on 16 May 2016 after a security researcher found a flaw that exposed its breach data. The flaw was found by researcher Bob Hodges and reported through journalist Brian Krebs, who notified the company that the data stored on its servers could be monitored and downloaded without passing any ownership check.

The PwnedList service was launched in 2011 and acquired by InfoArmor in 2013, which used it to offer a breach-monitoring service to its business clients. Now, when users visit the site, a popup message informs them that the site will shut down in the next few days.

So what was the flaw and what happened?

Customers who want to monitor a domain add it on the PwnedList dashboard. To prove ownership, PwnedList runs a verification step in which the user clicks a confirmation link; once the domain is verified, the customer receives alerts whenever credentials from that domain show up in a leak. Security researcher Bob Hodges found that this check did not hold: the flaw allowed an attacker to verify as the owner of any domain, and therefore to receive that domain's leaked credentials.
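The article does not say how the ownership check was defeated, only that it could be satisfied for any domain. The following is an added example, not PwnedList's code, modelling the most common way such a check fails: the confirmation token proves that someone clicked a link, but the domain being verified is read back from the client at confirmation time instead of from the server-side record created when the link was issued. The class names, the `postmaster@` recipient and the domains `attacker.example` and `bigcorp.example` are all constructed for the illustration.

```python
import secrets

# Added illustration (not PwnedList's code). The article only says the ownership
# check could be satisfied for any domain; the mechanism modelled here, the domain
# being read back from the client at confirmation time, is an assumption.


def normalize(domain):
    """Canonical form so 'Example.ORG.' and 'example.org' compare equal."""
    return domain.strip().lower().rstrip(".")


class DomainMonitor:
    def __init__(self):
        self.pending = {}    # token -> (user, domain) awaiting confirmation
        self.verified = {}   # user  -> set of domains they may receive alerts for
        self.outbox = []     # (recipient, token) pairs a real service would email

    def request_verification(self, user, domain):
        domain = normalize(domain)
        token = secrets.token_urlsafe(32)  # unguessable, single-use
        self.pending[token] = (user, domain)
        # The link goes to a mailbox at the claimed domain, so only someone who
        # can read mail for that domain should be able to complete the step.
        self.outbox.append((f"postmaster@{domain}", token))
        return token

    def confirm_vulnerable(self, user, token, domain_from_request):
        """Broken check: the token proves the user clicked *a* link, but the
        domain being verified is taken from the request instead of the
        server-side record, so any domain can be attached to it."""
        entry = self.pending.pop(token, None)
        if entry is None or entry[0] != user:
            return False
        self.verified.setdefault(user, set()).add(normalize(domain_from_request))
        return True

    def confirm_fixed(self, user, token, domain_from_request):
        """Hardened check: the domain is bound to the token when the link is
        issued; the client-supplied value is only compared, never trusted."""
        entry = self.pending.get(token)
        if entry is None or entry[0] != user:
            return False
        bound_user, bound_domain = entry
        if normalize(domain_from_request) != bound_domain:
            return False         # token stays pending; nothing is granted
        del self.pending[token]  # single use
        self.verified.setdefault(user, set()).add(bound_domain)
        return True

    def can_receive_alerts(self, user, domain):
        return normalize(domain) in self.verified.get(user, set())


def demo():
    """Run both flows for an attacker who owns attacker.example only."""
    results = {}
    m = DomainMonitor()
    tok = m.request_verification("attacker", "attacker.example")
    # The attacker really does receive this token (it went to their own domain),
    # then swaps the domain name in the confirmation request.
    results["vulnerable_grants_foreign_domain"] = (
        m.confirm_vulnerable("attacker", tok, "bigcorp.example")
        and m.can_receive_alerts("attacker", "bigcorp.example"))

    m = DomainMonitor()
    tok = m.request_verification("attacker", "attacker.example")
    results["fixed_rejects_foreign_domain"] = (
        not m.confirm_fixed("attacker", tok, "bigcorp.example")
        and not m.can_receive_alerts("attacker", "bigcorp.example"))
    results["fixed_accepts_own_domain"] = m.confirm_fixed("attacker", tok, "Attacker.Example.")
    results["token_single_use"] = not m.confirm_fixed("attacker", tok, "attacker.example")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the hardened version is that every fact the authorization decision depends on (which user, which domain) is looked up from state the server wrote when the link was issued; the request is only allowed to present the token. Any field the client can edit between "request link" and "confirm" is a field an attacker will edit.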

Hodges shared his findings with Brian Krebs, who reproduced them, and within a short time Krebs began receiving email alerts about leaked login credentials for a domain that is owned by the tech giant Apple Inc., not by either researcher.

“Last week, I learned about a vulnerability that exposed all 866 million account credentials harvested by, a service designed to help companies track public password breaches that may create security problems for their users.” wrote Krebs in his blog post.

“Less than 12 hours after InfoArmor revived my dormant account, I received an automated email alert from the Pwnedlist telling me I had new results for In fact, the report I was then able to download included more than 100,000 usernames and passwords for accounts ending in The data was available in plain text, and downloadable as a spreadsheet.”

Using this flaw, criminals could have monitored and received breach reports for almost any high-profile website in the world. PwnedList once stated that it held data on about 866,434,472 hacked accounts and 101,047 leaks. Now that the company is aware of the problem, it has decided to shut the service down once and for all.
