A Michigan school district network engineer discovered a security vulnerability affecting the pwnedlist.com service that exposed 866 million account credentials.
The pwnedlist.com service shares publicly leaked username and password information with companies. The service aims to help companies alert their users when user password information has been breached. “PwnedList actively protects you by continually monitoring sites that host stolen credentials and other security data,” the website states. “You can check your online accounts and know with virtual certainty whether they've been compromised at any time.”
Bob Hodges, a network engineer at Livingston Educational Service Agency, had used the service previously to track his personal email accounts, and attempted to PwnedList to create a report for domains that he legitimately manages as a domain administrator.
However, he found that he was unable to add the domains. “I just changed the information in the parameters,” Hodges told SCMagazine.com. This allowed him to add the domains, but he found that the system did not validate his legitimate administrative control of the domains.
The parameter tampering exploit, reported by information security blogger Brian Krebs, allowed users to receive updates of any email address. Krebs took the discovery further and he was able to add the top 20 Fortune 500 companies.
The pwnedlist.com service was acquired by security monitoring company InfoArmor in 2013 and will be shut down on May 16, according to an announcement on the site.