You need to hear about this massive data breach. A company that helps its clients keep track of data breaches had a security gap that made it easy for anyone to look at its 866 million records of user names and passwords.
The company, InfoArmor's PwnedList, makes money by letting other companies keep track of their customers' data, to see if their user names and passwords have been breached.
The problem is that PwnedList's two-step verification process was seriously flawed, according to cybersecurity researcher Brian Krebs. On PwnedList, when requesting to monitor a specific website, you first input your email address.
The second step, meant to verify that you are who you claim to be, is to confirm your email. It turns out that step was seriously defective: it didn't matter what email address you submitted the second time; PwnedList would still let you in and report you as verified. Worse, you could input anyone's email address.
"The process of adding a new thing for PwnedList to look for, be it a domain, email address, or password hash, was a two-step procedure involving a submit button and confirmation page, and the confirmation page didn't bother to check whether the thing being added in the first step was the same thing approved in the confirmation page," Krebs wrote.
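The flaw Krebs describes is a missing binding between the two steps of the flow: the confirmation step trusted whatever value arrived with the confirmation form instead of the value recorded at submission. The following added example, hypothetical code written for this article and not PwnedList's implementation, simulates that two-step flow in its vulnerable form beside a hardened version. The class name `MonitorService`, the account names and the addresses are constructed for illustration; the confirmation "email" is simulated with an in-memory outbox.

```python
"""Two-step 'add something to monitor' flow: vulnerable and hardened forms.

Hypothetical illustration only; not PwnedList's code.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class PendingRequest:
    account: str   # the logged-in account that started step 1
    target: str    # the email address or domain submitted in step 1


@dataclass
class MonitorService:
    pending: dict = field(default_factory=dict)    # token -> PendingRequest
    monitored: dict = field(default_factory=dict)  # account -> set of targets
    outbox: list = field(default_factory=list)     # simulated confirmation emails (target, token)

    def submit(self, account: str, target: str) -> str:
        """Step 1: record the request server-side and 'send' a one-time token to the target."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = PendingRequest(account, target)
        self.outbox.append((target, token))
        return token

    def confirm_vulnerable(self, account: str, token: str, target_from_form: str) -> bool:
        """Step 2 as the article describes it: the confirmation page only checks that a
        token exists, then stores whatever target the client re-submitted with the form."""
        if token not in self.pending:
            return False
        del self.pending[token]
        self.monitored.setdefault(account, set()).add(target_from_form)
        return True

    def confirm_fixed(self, account: str, token: str) -> bool:
        """Step 2, hardened: the target comes from the server-side record bound to the
        token, the token must belong to the confirming account, and it is single-use.
        No client-supplied target is accepted at this step at all."""
        req = self.pending.get(token)
        if req is None or req.account != account:
            return False
        del self.pending[token]
        self.monitored.setdefault(account, set()).add(req.target)
        return True


def demonstrate() -> dict:
    """Run both variants on constructed input and return what each ended up monitoring."""
    vulnerable = MonitorService()
    tok = vulnerable.submit("alice", "alice@example.test")
    # The token was sent to alice's mailbox, yet a different address is accepted.
    vulnerable.confirm_vulnerable("alice", tok, "someone-else@example.test")

    fixed = MonitorService()
    tok = fixed.submit("alice", "alice@example.test")
    fixed.confirm_fixed("alice", tok)

    return {
        "vulnerable": sorted(vulnerable.monitored["alice"]),
        "fixed": sorted(fixed.monitored["alice"]),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The defensive rule the hardened version follows is that the confirmation step carries only an unguessable, single-use token; everything about what is being confirmed, and for whom, is looked up server-side from the record that token points to. A regression test for this flow should assert that confirming with a foreign account or a reused token fails.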
The flaw was easy to exploit for anyone with basic hacking skills and a copy of the freely available Kali Linux distribution, a toolkit for finding software and network vulnerabilities.
It "makes sniffing, snarfing, and otherwise tampering with traffic to and from websites a fairly straightforward point-and-click exercise," Krebs wrote.
In a quick test, Krebs was able to download 100,000 user names and passwords. "I could now effectively request a report including all 866 million account credentials recorded by the PwnedList. In short, the PwnedList had been pwned."
Update: A notice on the PwnedList.com site reads in part: "Website Shutdown Notice. Thank you for being a subscriber and letting us help alert you of any risks related to your personal credentials." It went on to read: "...the PwnedList website has been scheduled for decommission on May 16, 2016."