Security researcher Bob Hodges has found a critical flaw in PwnedList, an email service that allows users to check if their email addresses have been exposed by prominent hacks.

PwnedList checks "commonly circulating lists of accounts and passwords" and lists some 866 million compromised credentials.

The parameter tampering vulnerability reported by krebsonsecurity means attackers could easily tamper with requests to monitor for breaches of any domain.

The site does not provide alerts when a domain is monitored, meaning such attacks would remain undetected.

Hodges (@NanoBob) reported the flaws to Krebs who then used the findings to obtain in proof-of-concept tests more than 100,000 Apple.com cleartext usernames and passwords sent to the reporter in a PwnedList spreadsheet.

PwnedList says the Apple data was already compromised and the breach did not expose personally identifiable information or subscriber data.

"The data that was 'exposed' has already been 'compromised'- there was no loss of PII or subscriber data," the company says.

PwnedList went offline following the report and now bears a statement that it is now slated for decommissioning 16 May. ®