Pwnedlist, the Web site that compiles information on victims of data breaches, is going commercial with a plan to charge individuals for daily monitoring of their email addresses against a growing database of more than 12 million email-login credentials.
We reported on Pwnedlist.com a few months back after the site launched with an easy interface where users could go and check if their email addresses and corresponding passwords had been stolen and published online. Now founder Steve Thomas says the service is going commercial. Users will still be able to search their email addresses against the Pwnedlist database for free, but they can also sign up for notifications that will alert them if any of their email accounts and passwords are exposed.
In an interview with Threatpost, Pwnedlist co-founder Steve Thomas said that demand from the public for his service prompted him to turn a summer research project into a full-fledged company. Thomas claimed that he didn’t really see the market potential of the service. But once the site started getting a lot of media attention in October and November of 2011, new users began reaching out to him, asking if Pwnedlist could run scripts and monitor their personal accounts or even their entire company’s accounts.
“That’s when we started thinking that we had something that had a much larger market need and vision than what we started with,” Thomas said. “So we got a few other security researchers involved to beef up our harvesting ability, greatly increase the number of leaks that we had in our database, and I spent quite a bit of time talking with individuals and companies to see if they would find value in this type of monitoring and alerting service.”
The answer, Thomas claims, was a pretty clear ‘yes.’
Pwnedlist currently has a database of more than 12 million login credentials gathered from 200 or so sources. Among the sources that Pwnedlist has used to populate its database are the Gawker, Sony, CSDN, Stratfor and various other well-known and not-so-well-known hacks.
To qualify for inclusion in the database, a leak must include both the email user name and the password. But Thomas said that kind of information is increasingly seeping into the public domain.
“We really expect 2012 to be a blockbuster year for leaks and data theft, unfortunately,” Thomas said.
Thomas and the rest at Pwnedlist believe that the number of credentials in their database is likely to double in the not-too-distant future.
So what do you get for a dollar a month? Quite a lot, actually. Users can list up to ten email addresses. Pwnedlist will run all those addresses against harvested stolen credentials every day, emailing users as soon as their address is detected.
In addition to that, Pwnedlist will notify users when and where their account was discovered, and if possible, in what breach their credentials were exposed.
“Sometimes we don’t get a very clear source for where the leak came from,” Thomas said. “Other times, we get leaks that we never heard hit the news… We also plan to notify customers specifically after we harvest a major leak if they were included in that leak, so they can have the peace of mind and be able to say ‘I was not included in the CSDN/Gawker/SIDEX/ETC leak.’”
Pwnedlist only stores the usernames in its database, not the more sensitive passwords, so Thomas isn’t concerned about any legal troubles moving forward.
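The monitoring loop the article describes (watch up to ten addresses, match them daily against harvested dumps, report which leak they appeared in) and the storage decision above (keep the username, never the password) can be sketched in a few dozen lines. The following is an added illustration written for this page, not Pwnedlist’s code, and it goes one step further than the article: the index key is a SHA-256 of the normalized address rather than the plaintext username, which is my assumption, not something the article attributes to Pwnedlist. The dump lines and leak names are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Recognises "email:password" dump lines; banners and junk lines are skipped.
CRED_LINE = re.compile(r"^([^:\s]+@[^:\s]+):(.+)$")

# Constructed sample dump lines for illustration only; none of these are real credentials.
SAMPLE_DUMPS = {
    "leak-A": ["alice@example.com:hunter2", "bob@example.org:letmein", "-- junk header --"],
    "leak-B": ["Alice@Example.com:Summer2011", "carol@example.net:qwerty"],
}

MAX_WATCHED = 10  # the article's per-user limit of ten addresses


def key_for(address: str) -> str:
    """Normalize an address (trim, lowercase) and hash it, so the index never
    holds the plaintext email. Hashing is an added hardening step, not the
    article's description of Pwnedlist."""
    return hashlib.sha256(address.strip().lower().encode()).hexdigest()


def ingest(dumps: dict[str, list[str]]) -> dict[str, set[str]]:
    """Build {hashed address: {leak sources}} from raw dump lines.

    The password group is matched only so the line is recognised as a
    credential; it is discarded immediately and never written anywhere.
    """
    index: dict[str, set[str]] = defaultdict(set)
    for source, lines in dumps.items():
        for line in lines:
            m = CRED_LINE.match(line.strip())
            if m is None:
                continue
            index[key_for(m.group(1))].add(source)
    return dict(index)


def monitor(watched: list[str], index: dict[str, set[str]]) -> dict[str, list[str]]:
    """Check each watched address against the index.

    Returns {normalized address: [sources]} for every hit, so the alert can
    say which leak(s) the address appeared in, as the article describes.
    """
    if len(watched) > MAX_WATCHED:
        raise ValueError(f"at most {MAX_WATCHED} addresses may be watched")
    alerts: dict[str, list[str]] = {}
    for address in watched:
        sources = index.get(key_for(address))
        if sources:
            alerts[address.strip().lower()] = sorted(sources)
    return alerts


if __name__ == "__main__":
    idx = ingest(SAMPLE_DUMPS)
    # Run once per day over the current index; a hit becomes an email alert.
    print(monitor(["Alice@Example.com", "dave@example.com"], idx))
```

Normalizing before hashing matters: the two spellings of Alice’s address in the sample dumps collapse to one key, so the alert lists both leaks. Keeping only the source name per hit also means a later “was I in leak X?” question can be answered from the index without ever having retained the password.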
Thomas says his business is growing quickly and that he is talking with a number of companies that want their entire domains monitored as well. The increasing popularity of mobile offices has companies worried about the follow-on effects of data breaches.
“It’s not your firewall or VPN that is the problem, it’s the PCAnywhere your VP of Sales installed on his laptop so that he could work from home. That’s the problem,” Thomas said, “and it’s a problem because the same VP of Sales uses one password for every website he goes to.”