
How the Pwnedlist Got Pwned - pfg
http://krebsonsecurity.com/2016/05/how-the-pwnedlist-got-pwned/
======
SlashmanX
Is it really necessary to run Kali to just change a parameter in a POST
request? Also the response from InfoArmor is disconcerting: "Clearly you have
a special account... Oh wait s__t no". The default position shouldn't be
to fob it off as not an issue; it should be "Ok, we'll look into it and try to
reproduce".

~~~
jlgaddis
It's easy to think that and initially downplay this kind of thing but, in my
20+ years in this field, I've had more than one instance where I've said to
someone "no, that _can't_ happen" only to discover that it can and did
happen.

------
curiousgal
How does Pwnedlist get those dumps anyway? Pastebin bots would cover Pastebin
but what about chat rooms and the rest?

------
CM30
Is it me or are there quite a few security related services and companies
making these sorts of minor (but easily addressable) mistakes that cost them a
ton?

I swear I remember quite a few sites like this getting compromised or
exploited recently.

------
pfg
tl;dr: site used to track public password breaches allowed users to get a list
of 866M credentials because of a simple parameter tampering vulnerability.
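The handler shape behind "change a parameter in a POST request", as an added example that is not code from the article, from Pwnedlist, or from anyone in this thread: a toy breach-watch service with the tampering-prone lookup beside one that takes identity from the server-side session and checks ownership against it. The parameter names (account_id, domain), the session table and the data are constructed assumptions; the page does not describe Pwnedlist's real parameters.

```python
# Added example, not the article's or Pwnedlist's code: a toy breach-watch
# service. Parameter names (account_id, domain), the data and the session
# table are constructed for illustration.

# Constructed data: which account monitors which domain, and what a
# lookup would return for each domain.
OWNERS = {"acct-1": {"example.org"}, "acct-2": {"example.net"}}
HITS = {"example.org": ["alice@example.org"], "example.net": ["bob@example.net"]}
SESSIONS = {"sess-alice": "acct-1", "sess-bob": "acct-2"}  # session -> account
TAMPER_LOG = []  # (session, submitted account_id) pairs worth alerting on


def vulnerable_lookup(form):
    """Takes the account id from the POST body. The ownership check below is
    real, but it is evaluated against an identity the client chose, so anyone
    logged in can submit another account's id plus one of that account's
    domains and read its results."""
    account = form["account_id"]  # attacker-controlled
    domain = form["domain"]
    if domain not in OWNERS.get(account, set()):
        raise PermissionError("domain not monitored by this account")
    return HITS.get(domain, [])


def hardened_lookup(session_id, form):
    """Derives the account from the server-side session and checks that the
    requested domain belongs to *that* account. A client-supplied account_id
    is ignored for authorization and only recorded as a tamper signal."""
    account = SESSIONS.get(session_id)
    if account is None:
        raise PermissionError("not authenticated")
    submitted = form.get("account_id")
    if submitted is not None and submitted != account:
        TAMPER_LOG.append((session_id, submitted))  # detection hook
    domain = form["domain"]
    if domain not in OWNERS[account]:
        raise PermissionError("domain not monitored by this account")
    return HITS.get(domain, [])


def is_denied(session_id, form):
    """True if the hardened handler refuses the request."""
    try:
        hardened_lookup(session_id, form)
    except PermissionError:
        return True
    return False
```

The same form that the vulnerable handler accepts from any session is refused by the hardened one, and the mismatch between session account and submitted account_id is the signal a detection rule can key on.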

