CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



Millions of Credentials Exposed by PwnedList Flaw

A serious vulnerability found in PwnedList could have been exploited to gain access to millions of account credentials collected by the service.

A serious vulnerability found in PwnedList could have been exploited to gain access to millions of account credentials collected by the service.

PwnedList was launched in 2011 as a service designed to allow users to check if their accounts have been compromised. InfoArmor acquired PwnedList in 2013 and a few months later it started using it to power a new solution called Vendor Security Monitoring, which alerts organizations when one of their third-party vendors suffers a security breach.

Security researcher Bob Hodges had been trying to add the .edu and .com domains he manages to his PwnedList watchlist when he discovered a serious flaw that allowed him to monitor any domain.

Users have to go through an approval process when they want to add a domain or email address to their watchlist. However, a parameter tampering vulnerability allowed Hodges to add any domain that he wanted.

The problem was that in the two-step process of adding a new element to the watchlist, the second step did not take into account the information submitted in the first step, allowing an attacker to submit arbitrary data by tampering with the request.

Hodges notified security blogger Brian Krebs, who tested the issue by adding the domain to his watchlist. In less than 12 hours, Krebs received a downloadable report containing over 100,000 usernames and passwords associated with accounts.

An attacker with an active PwnedList account could have exploited the vulnerability to add the domain of any major company, or domains such as, which would have generated a list of all compromised Gmail accounts. According to the PwnedList website, the service covers over 866 million account credentials from 101,000 leaks.

Krebs had been in touch with InfoArmor while he conducted his tests. The company initially doubted Hodges’ findings, but once the issue was confirmed, the PwnedList website was taken offline and the flaw was patched.

Advertisement. Scroll to continue reading.

“In reference to the PwnedList credentials tool, the data that is in question contains no PII that can result in a compromise due to the fact that this data has already been exposed. The PwnedList Website is a legacy site from the PwnedList acquisition in 2013. Since last year, the free consumer monitoring service has been scheduled to be decommissioned by May 15, 2016. The data that was ‘exposed’ has already been ‘compromised’ – there was no loss of PII or subscriber data,” InfoArmor told SecurityWeek.

“InfoArmor values our PwnedList individual subscribers and will be offering them the opportunity to continue their relationship with InfoArmor by enrolling in our comprehensive identity monitoring product, PrivacyArmor,” the company stated.

Related: 7 Million Impacted by Lifeboat Minecraft Community Breach

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.