David Heath
Monday, 07 November 2011 13:32
With so many breaches being reported on a better-than-daily basis, it is becoming impossible to know whether the 'lads' have our authentication details. Here's a way to check.
Alen Puzic and Jasiel Spelman, security researchers at the DVLabs division of HP's TippingPoint, have created a web site to allow anyone to check their current status in the reams of stolen identities.
As the researchers told Brian Krebs, it is generally easy to scan the dumped information on Pastebin to identify where the hacked data came from, but it is much harder for the average 'joe' to constantly scan the dumps for their own details. Thus the need for the PwnedList.
Puzic and Spelman have added every 'stolen' identity they could find and dumped them into a single database. HOWEVER, there is no raw data. Instead, every entry has been cryptographically hashed. When a visitor asks if their own details are present, the submitted data is also hashed and the server searches for a match.
The PwnedList contains no identifiable information; after hashing, the original data was discarded and there is no feasible way to convert the stored hashes back to plain text.
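The lookup described above, as an added example that is not PwnedList's own code: identifiers from constructed dump lines are hashed, and the plain text (passwords included) is never stored. The choice of SHA-512, the dump line format and the trim-and-lowercase normalization are assumptions; the article does not specify them.

```python
import hashlib
import re

# Constructed sample dump lines (not real leaked data).
SAMPLE_DUMP = """\
Alice@Example.com:hunter2
bob_1987;letmein
  carol@example.org  |  qwerty
# header line left in the paste
"""


def normalize(identifier: str) -> str:
    """Trim and lowercase so 'Alice@Example.com ' and 'alice@example.com' match."""
    return identifier.strip().lower()


def digest(identifier: str) -> str:
    """Hash a normalized identifier. SHA-512 is an assumption, not from the article."""
    return hashlib.sha512(normalize(identifier).encode("utf-8")).hexdigest()


def build_index(dump_text: str) -> set:
    """Return the set of identifier hashes; raw lines and passwords are discarded."""
    index = set()
    for line in dump_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Assumed format: identifier, then one of ':', ';' or '|', then the secret.
        identifier = re.split(r"[:;|]", line, maxsplit=1)[0]
        index.add(digest(identifier))
    return index


def is_listed(index: set, query: str) -> bool:
    """Hash the visitor's input the same way and test for membership."""
    return digest(query) in index


if __name__ == "__main__":
    idx = build_index(SAMPLE_DUMP)
    for q in ("alice@example.com", "BOB_1987", "dave@example.com"):
        print(q, "->", "listed" if is_listed(idx, q) else "not found")
```

Without the shared normalization step, a visitor who types their address in a different case than the dump used would get a false "not found".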
iTWire recommends all readers visit the site and search for all their email addresses and usernames. This author found no email addresses matched, but a commonly used username triggered a hit.
PwnedList will not reveal which website was hacked to reveal the credentials, but it doesn't matter because you don't reuse passwords on multiple sites, do you?
And if you do get a hit, you should consider changing the password on every site that knows that username or email address.