Mr Grzelak's site is called 'Should I change my password?' and claims not to list anyone's password, nor to store anyone's email address; it simply exists as a mechanism to let people see whether their email address (and whatever password they used with it on blogs or other sites) appears in the breach databases that the various hacker collectives have published.
I tried typing in one of my addresses, which came up, and another, which did not, and looking at the sources Mr Grzelak used, I was reminded that one of my email addresses was breached in the Gawker attack.
Thankfully I didn't use any of my important passwords when I signed up to Gawker, but as many, many people seem to use the exact same password for all their online activities, Mr Grzelak's site is yet another ear-piercing wake-up call to everyone to never use the same password twice.
In the 'About' section of Mr Grzelak's site, he notes that: 'LulzSec and other groups have been hacking an assortment of prominent organisations. For good or for bad, they have also been publishing their databases, which typically include emails and passwords. Given that most people re-use their passwords, this site allows the average person to check if their password(s) may have been compromised and need to be changed.'
As Mr Grzelak reminds us all: 'Note that no passwords are stored in this database', along with another 'privacy note' stating: 'The email you enter will NOT be stored, transmitted, or otherwise used beyond this check by me or this website.'
He also lists his Twitter handle @dagrz for anyone who might have 'questions or concerns', and his Facebook page for people to post 'war stories and suggestions'.
In Mr Grzelak's 'FAQ' section, he poses some questions and answers. In answer to the question 'Is this a phishing site and why should I trust it?', the answer is listed as: 'This is not a phishing site and has been vetted by a number of trustworthy individuals and organisations (see media). As the author I am also providing my contact details so you can contact me and make the decision for yourself.'
The Q&A on Mr Grzelak's site continues.
The next question is: 'My email came back clean, does that mean my passwords weren't stolen?'.
The answer is: 'No. Unfortunately it only means that they weren't stolen and published as part of high profile breaches listed here. If you don't already do so, it's good practice to change passwords regularly just in case.'
Following that is the question: 'Do you store or re-use email addresses?', with the answer being 'Absolutely not. The email is used in a single database query.'
In answer to the question 'What data is stored?', we're told that: 'The following information is kept about any email published by a hacker group: email, date of last compromise, number of times compromised.'
Next up is the question: 'Can I get the compromised password(s)?', with the answer being: 'Not from this website. You can use the last compromised date to cross-reference against the source and download the relevant database yourself. No passwords are stored in this system.'
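The storage and lookup model those three answers describe (only email, date of last compromise and number of times compromised are kept; the password is never stored; the submitted email is used in a single database query) is shown below as an added example. This is not Mr Grzelak's code and nothing is known about his site's actual schema: the table layout, the `email:password` dump format, the source labels, dates and addresses are all constructed here for illustration.

```python
import sqlite3

# Constructed sample, shaped like the "email:password" dumps the site indexes.
# The password field exists only to show it being discarded; every value is made up.
SAMPLE_DUMPS = [
    # (source label, date the dump was published, raw lines)
    ("constructed-dump-a", "2010-12-12", [
        "alice@example.com:hunter2",
        "Bob@Example.com:letmein",        # mixed case, same person as bob@example.com below
    ]),
    ("constructed-dump-b", "2011-06-16", [
        "bob@example.com:letmein",
        "carol@example.org:qwerty",
        "not-a-valid-record",             # malformed line, skipped
    ]),
]


def normalize(email):
    """Canonical form used for both storage and lookup, so case differences don't hide a hit."""
    return email.strip().lower()


def build_index(dumps):
    """Ingest published dumps, keeping only email, last compromise date and hit count.

    The password is split off the line and dropped before anything touches the
    database, which is the property the site's FAQ claims for itself.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE compromised ("
        "email TEXT PRIMARY KEY, last_compromise TEXT NOT NULL, times INTEGER NOT NULL)"
    )
    for _source, published, lines in dumps:
        for line in lines:
            email, sep, _password = line.partition(":")
            if not sep or "@" not in email:
                continue  # unparsable record: nothing useful to keep
            email = normalize(email)
            row = conn.execute(
                "SELECT last_compromise, times FROM compromised WHERE email = ?", (email,)
            ).fetchone()
            if row is None:
                conn.execute(
                    "INSERT INTO compromised (email, last_compromise, times) VALUES (?, ?, 1)",
                    (email, published),
                )
            else:
                # ISO-8601 dates compare correctly as plain strings
                conn.execute(
                    "UPDATE compromised SET last_compromise = ?, times = ? WHERE email = ?",
                    (max(row[0], published), row[1] + 1, email),
                )
    conn.commit()
    return conn


def check(conn, email):
    """One parameterised query per check; None means the address is in no indexed dump."""
    row = conn.execute(
        "SELECT last_compromise, times FROM compromised WHERE email = ?",
        (normalize(email),),
    ).fetchone()
    if row is None:
        return None
    return {"last_compromise": row[0], "times": row[1]}


def stored_text(conn):
    """Everything the database holds as SQL text, so one can confirm no password leaked into it."""
    return "\n".join(conn.iterdump())


if __name__ == "__main__":
    index = build_index(SAMPLE_DUMPS)
    for addr in ("BOB@example.com", "carol@example.org", "nobody@example.net"):
        print(addr, "->", check(index, addr))
    assert "hunter2" not in stored_text(index)
```

Two details carry the security point. The password is discarded at parse time rather than filtered out later, so there is no window in which it sits in the database, and `stored_text` lets you verify that directly. The lookup is a single parameterised query on the normalised address, so the submitted email is never interpolated into SQL and never written anywhere; a `None` result only means the address is absent from the dumps that were indexed, which is exactly the caveat the FAQ gives.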
In answer to: 'Can't hackers use the site to farm email addresses for spam?', we're told: 'They can, however the complete data is freely available via torrents and other websites, and includes other information such as full names and passwords. Using this site would just be inefficient as emails would have to be brute forced and retrieved one by one.'
For those wondering: 'Isn't the site a big target for hackers?', we learn that: 'Maybe for the "lulz" or notoriety but not for the data. The complete datasets are available elsewhere and hopefully potential hackers will see the good in having a site like this available to the general public.'
For those wishing to know 'How often do you update the database?', the answer is: 'Whenever a new password database is made public. If you know of a new database that has been published and isn't listed here, please let me know on Twitter.'
The last question is 'How big is the database?', and the last answer is: 'As of June 19th 2011 there are just under 800,000 records in the database but the intention is to keep updating in perpetuity.'
So… please change your passwords, and never use the same password twice!