I came across a fun new site today.
The link is safe to click on, but under no circumstances should you enter any real password that you use.
Another thing they did was use https.
This one does neither and is highly dangerous. I’ve been poking at the site to see if there was any way to find out what it was doing, but have found nothing conclusive so far. After submitting data it reports that it checked against some number of records, but that number fluctuates wildly and is clearly just a randomly generated number. So at best, whoever is running this site is playing a poorly thought out joke on the visitor.
More troubling is the likelihood that they are harvesting user credentials to perpetrate fraud and/or identity theft.
Even if the site is not writing the entered credentials into a database, it is still transmitting the username and password in plaintext over HTTP, where anyone on the path can read them, and that alone represents a major security risk.
I brought this up on the #misec IRC channel (freenode), and a great idea that came up (I cannot remember whose idea it was, sorry!) was to set up a dummy account and pass those credentials to the site. Then you wait to see if the account is accessed and where it is accessed from. That would prove the site is stealing passwords, and could potentially lead you to the parties responsible.
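One way to run that dummy-account trick in practice, as an added example that is not from the original post or from anyone in the IRC discussion: generate a canary username and password that exist nowhere else, hand only those to the suspicious site, and then watch the login log of the service where the dummy account lives for any attempt against that username. The log format below is a hypothetical one I made up for the example (timestamp, result, user=, from=), and the sample lines are constructed, not captured from a real system; adapt the regex to whatever your mail or SSH server actually writes.

```python
import re
import secrets
from dataclasses import dataclass

def make_canary(prefix: str = "canary") -> tuple[str, str]:
    """Create throwaway credentials that are used for nothing except the test.
    Because both parts are random, any later use of them can only have come
    from whoever captured the submission."""
    user = f"{prefix}-{secrets.token_hex(4)}"
    password = secrets.token_urlsafe(16)
    return user, password

# Hypothetical log line format assumed for this example:
# "<ISO timestamp> <success|failure> user=<name> from=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>success|failure)\s+"
    r"user=(?P<user>\S+)\s+from=(?P<ip>[0-9a-fA-F.:]+)$"
)

@dataclass(frozen=True)
class Hit:
    timestamp: str
    result: str
    user: str
    source_ip: str

def find_canary_hits(log_lines, canary_user: str, own_ips=()):
    """Return every login attempt (successful or not) against the canary
    account, excluding the addresses we used ourselves when setting it up.
    A failed attempt is still a hit: it shows someone is trying the password."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        if m["user"] != canary_user or m["ip"] in own_ips:
            continue
        hits.append(Hit(m["ts"], m["result"], m["user"], m["ip"]))
    return hits

# Constructed sample log for the example; 192.0.2.10 is our own address.
SAMPLE_LOG = """\
2011-03-02T10:15:01Z success user=alice from=192.0.2.10
2011-03-02T10:17:44Z success user=canary-7f3a9c01 from=192.0.2.10
2011-03-02T23:41:09Z failure user=canary-7f3a9c01 from=198.51.100.7
2011-03-02T23:41:12Z success user=canary-7f3a9c01 from=198.51.100.7
2011-03-03T01:02:03Z success user=bob from=203.0.113.5
""".splitlines()

if __name__ == "__main__":
    user, pw = make_canary()
    print(f"create this account and submit only it to the site: {user} / {pw}")
    for hit in find_canary_hits(SAMPLE_LOG, "canary-7f3a9c01", own_ips={"192.0.2.10"}):
        print(f"{hit.timestamp} {hit.result} login as {hit.user} from {hit.source_ip}")
```

The source address of a hit is only a starting point: whoever collected the credentials may try them through a proxy or a compromised host, so treat the IP as a lead to investigate, not as proof of who is responsible.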