378 million hacked email accounts — any of them yours?

PwnedList.com is one way to see if any of your email accounts have been hacked. You can use the site to instantly find out if an email address has been found on commonly circulating lists of stolen accounts and passwords.

As of Tuesday, February 3, the PwnedList database, having grown exponentially since beginning in 2011, had entries for 378,692,047 compromised accounts, including 857 million email addresses and well over 1.5 billion passwords.

The database had no record of my regularly-used email accounts but turned up one web-based email account that I haven’t used for at least four years — I immediately deactivated the account.

On the final screen of the web mail service’s deactivation process there was a request to “please take a moment to tell us why you’re leaving” but I looked in vain for a “my account was hacked” in the pull-down value list of predefined answers.

By the way, PwnedList didn’t have a record of my Yahoo email account being compromised which frankly amazed me.

At least once a year it seems that poor old Yahoo has to admit that some number of its several hundred million email accounts have been compromised, going back to before 2008 when Sarah Palin’s Ymail account was famously hacked.

Who cares about hacked accounts and digital attacks?

The second question on PwnedList’s FAQ asks if the site is phishing for user data.

“No”, answers PwnedList, it’s not.

(Protip: To find out if a website is up to no good, just ask them!)

Actually, you have to give the site a fair bit of info if you want to receive automatic notifications if and when any of your email accounts are compromised but it’s not dishonest if they ask is it?

PwnedList is advertising in fact.

The site is a free public service provided by InfoArmor, an Internet security company. InfoArmor is using the site to raise its profile among potential enterprise customers.

The fact that PwnedList can be useful to ordinary users like you or I helps underscore InfoArmor’s practical prowess.

I know of at least a handful of companies involved in data security that have adopted this “advertising as service” approach to promotion.

Hacking their way through the Internet underworld

InfoArmor is just one of several companies that have attached their name to searchable databases of hacked email accounts. By stressing that the data is mined in near real-time from under the noses of the very people who compromised the accounts, these companies are saying they know their way around the darknet and no hacker is the boss of them!

• HaveIBeenPwned.com is described by a Forbes article as a pet project of Troy Hunt, a security developer and Microsoft MVP.
• BreachAlarm.com allows you to enter your email address and check “anonymously” if your password has been posted online. Like PwnedList, you can signup to be automatically notified if and when BreachAlarm detects that your email account has been hacked. The service is provided by the Avalanche Technology Group, a provider of online backup.
• LastPass, an online password vault provider, has a “test my email” page relating to a 2013 hack of the Adobe network that saw email and payment data relating to an estimated 150 million Adobe customers trafficked on the web.

Special mention should be made of the Finnish cybersecurity company Codenomicon which last year could be said to have popularized CVE-2014-0160, a major security bug in OpenSSL, by giving it a catchy name: Heartbleed, an accompanying logo () and an official website.

The undeniable eye-candy of cyberwar

Norse’s IPViking map, one of many real-time visualizations of global DDOS activity.

Several data security companies are showcasing their prowess by producing eye-popping, real-time digital attack maps.

My favourite is Google’s Digital Attack Map, powered by data from Arbor Networks Inc., a network security company.

There’s the darkly-threatening IPViking map by Norse, a data centre company.

Antivirus developer Kaspersky Labs has a blocky-looking “Cyberthreat Real-time Map“, including an “are you infected” button which links to a demo download of their antivirus software.

ShadowServer, a foundation dedicated to network security, provides daily static maps of DDOS attacks, suitable for people with weak hearts and/or underpowered computers.

Prolexic Technologies, an anti Denial of Service service, provides their clients with sophisticated tools to visualize digital attacks. Here’s their visualization of mitigating an enormous DDOS attack against one of their clients in 2013:

Logstalgia is an open source website traffic visualization that replays or streams web-server access logs as a furious technicolor game of Pong: