Millions of Credentials Exposed by PwnedList Flaw

A serious vulnerability found in PwnedList could have been exploited to gain access to millions of account credentials collected by the service.

PwnedList was launched in 2011 as a service designed to allow users to check if their accounts have been compromised. InfoArmor acquired PwnedList in 2013 and a few months later it started using it to power a new solution called Vendor Security Monitoring, which alerts organizations when one of their third-party vendors suffers a security breach.

Security researcher Bob Hodges had been trying to add the .edu and .com domains he manages to his PwnedList watchlist when he discovered a serious flaw that allowed him to monitor any domain.

Users have to go through an approval process when they want to add a domain or email address to their watchlist. However, a parameter tampering vulnerability allowed Hodges to add any domain that he wanted.

The problem was that in the two-step process of adding a new element to the watchlist, the second step did not take into account the information submitted in the first step, allowing an attacker to submit arbitrary data by tampering with the request.
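As an added illustration of the two-step weakness described above (constructed Python, not PwnedList's or InfoArmor's code; the approval table, account and domain names are made up): the vulnerable confirm handler trusts the domain resubmitted in step 2, while the fixed one binds step 2 to the value that was actually validated in step 1.

```python
import secrets

# Constructed approval data: the domains each account has been cleared to monitor.
APPROVED = {"alice@example.test": {"example.test"}}

class WatchlistService:
    def __init__(self, approved):
        self.approved = approved
        self.pending = {}    # token -> (user, domain) as validated in step 1
        self.watchlist = {}  # user -> set of monitored domains

    def step1_request(self, user, domain):
        """Step 1: check the approval, then issue a one-time token for step 2."""
        if domain not in self.approved.get(user, set()):
            raise PermissionError(f"{user} is not approved for {domain}")
        token = secrets.token_urlsafe(16)
        self.pending[token] = (user, domain)
        return token

    def step2_confirm_vulnerable(self, user, token, form):
        """Vulnerable step 2: re-reads the domain from the client form, so the
        value validated in step 1 is never consulted."""
        if token not in self.pending:
            raise ValueError("unknown token")
        del self.pending[token]
        self.watchlist.setdefault(user, set()).add(form["domain"])  # BUG
        return self.watchlist[user]

    def step2_confirm_fixed(self, user, token, form):
        """Fixed step 2: the domain comes from the server-side state bound to the
        token; a client-supplied domain is accepted only if it matches."""
        owner, domain = self.pending.pop(token, (None, None))
        if owner != user:
            raise PermissionError("token is unknown or belongs to another user")
        if form.get("domain", domain) != domain:
            raise ValueError("domain in step 2 does not match step 1")
        self.watchlist.setdefault(user, set()).add(domain)
        return self.watchlist[user]

def demo(user="alice@example.test", tampered="other-company.test"):
    """Sends the same tampered step-2 form through both handlers."""
    svc = WatchlistService(APPROVED)
    form = {"domain": tampered}  # constructed: step-2 field edited in transit
    leaked = svc.step2_confirm_vulnerable(user, svc.step1_request(user, "example.test"), form)
    try:
        svc.step2_confirm_fixed(user, svc.step1_request(user, "example.test"), form)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked
```

The general lesson is the same for any multi-step approval flow: every later step must resolve the protected value from server-side state keyed by the session or token, never from fields the client echoes back.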

Hodges notified security blogger Brian Krebs, who tested the issue by adding the domain to his watchlist. In less than 12 hours, Krebs received a downloadable report containing over 100,000 usernames and passwords associated with accounts.

An attacker with an active PwnedList account could have exploited the vulnerability to add the domain of any major company, or domains such as, which would have generated a list of all compromised Gmail accounts. According to the PwnedList website, the service covers over 866 million account credentials from 101,000 leaks.

Krebs had been in touch with InfoArmor while he conducted his tests. The company initially doubted Hodges’ findings, but once the issue was confirmed, the PwnedList website was taken offline and the flaw was patched.

“In reference to the PwnedList credentials tool, the data that is in question contains no PII that can result in a compromise due to the fact that this data has already been exposed. The PwnedList Website is a legacy site from the PwnedList acquisition in 2013. Since last year, the free consumer monitoring service has been scheduled to be decommissioned by May 15, 2016. The data that was ‘exposed’ has already been ‘compromised’ – there was no loss of PII or subscriber data,” InfoArmor told SecurityWeek.

“InfoArmor values our PwnedList individual subscribers and will be offering them the opportunity to continue their relationship with InfoArmor by enrolling in our comprehensive identity monitoring product, PrivacyArmor,” the company stated.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
