Weekly podcast: Instagram hacked, Pwnedlist pwned, email credentials sold

This week, we discuss the youngest beneficiary of Facebook’s bug bounty programme, a Pwnedlist security flaw that exposed 866 million stolen credentials, and 272.3 million Gmail, Yahoo Mail and Hotmail credentials apparently for sale on the dark web.

Hello and welcome to the IT Governance podcast for Friday, 6th May. Here are this week’s stories.

A 10-year-old boy from Finland has become the youngest beneficiary of Facebook’s bug bounty programme after finding a vulnerability in Instagram’s servers that allowed him to delete user comments. His reward? US$10,000. Jani, from Helsinki, discovered the flaw in February, and emailed Instagram’s owners, Facebook, to inform them. Facebook security engineers set up a test account for him to prove his theory, which he did.

Jani and his twin brother developed their skills by coding games, much to the surprise of their father. He commented: “I was quite surprised that Jani had learnt so much.” At 10 years old, Jani is technically three years too young to have his own Instagram account. He told a Finnish newspaper that he planned to use the money to buy a new bike and football, and new computers for himself and his brother.

Pwnedlist.com, a reference service that boasts “the most comprehensive database” of credentials harvested from data breaches, itself exposed some 866 million stolen credentials via a parameter tampering vulnerability. Brian Krebs reported that security researcher Bob Hodges discovered the flaw when he attempted to add a couple of domains that he administered to his watch list. He found that the system didn’t send him a verification email, and then he realised that this meant he could monitor any email address or website that he wanted. Hodges commented: “It’s almost like at some point they just disabled any verification systems they may have had at Pwnedlist.”

Pwnedlist’s owner, InfoArmor, downplayed the issue on Twitter, saying that as the exposed data had already been compromised, “there was no loss of [Personally Identifiable Information] or subscriber data.” According to a new pop-up notice on its homepage, the site “has been scheduled for decommission on May 16, 2016.”
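The Pwnedlist flaw came down to a watch list that accepted any target without proof of control. The sketch below is an added illustration of the server-side check that was missing, not Pwnedlist's or InfoArmor's code: the service name, the in-memory breach database and the sample leaked record are all constructed for the example. Monitoring results are released only once a token sent to the monitored address has been returned, and any client-supplied "verified" parameter is ignored.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class WatchEntry:
    target: str                       # e-mail address or domain to monitor
    verified: bool = False            # set only by the server after confirm()
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class WatchlistService:
    """Hypothetical watch list requiring proof of control before monitoring."""

    def __init__(self, breach_db):
        self.breach_db = breach_db    # constructed: {target: [leaked records]}
        self.entries = {}             # (user, target) -> WatchEntry
        self.outbox = []              # simulated verification e-mails

    def add_target(self, user, target, **client_params):
        # Anything the client sends (e.g. verified="true") is deliberately
        # ignored: the server alone decides when a target is verified.
        entry = WatchEntry(target=target)
        self.entries[(user, target)] = entry
        # The token goes to the monitored address, not back to the caller.
        self.outbox.append((target, entry.token))
        return True

    def confirm(self, user, target, token):
        entry = self.entries.get((user, target))
        if entry is None or not secrets.compare_digest(entry.token, token):
            return False
        entry.verified = True
        return True

    def leaked_records(self, user, target):
        # Unverified entries yield nothing, so a tampered request cannot
        # turn the service into a lookup tool for arbitrary addresses.
        entry = self.entries.get((user, target))
        if entry is None or not entry.verified:
            return None
        return self.breach_db.get(target, [])
```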

Talking of stolen credentials, security firm Hold Security claims to have discovered a trove of 272.3 million unique pairs of email addresses and unencrypted passwords, many of which relate to popular providers Gmail, Yahoo Mail and Hotmail. The credentials were being offered for sale on a dark web forum by a Russian criminal hacker for a paltry 50 roubles. Google, Yahoo and Microsoft are all investigating.

This isn’t the first time the company has apparently uncovered large-scale password theft. In 2014, Hold Security claimed to have uncovered a hacking incident that resulted in the theft of 4.5 billion credentials. Forbes magazine, among others, expressed scepticism at the time.

Well, that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.