This article is more than 1 year old

REVEALED: TEN MEEELLION pinched passwords and usernames

This will hurt me more than it hurts you, says researcher

Security consultant Mark Burnett has dumped 10 million username and passwords onto the world, in what he claims is an effort to improve research.

The huge pile, collected from caches revealed after years of breaches, was scrubbed clean of corporate information and domain data before its release.

Burnett said he went to "extraordinary lengths" to clean the data while maintaining username pairs to ensure the information was useful to research.

"These are old passwords that have already been released to the public; none of these passwords are new leaks," Burnett (@m8urnett) wrote in a post addressing some received criticism.

"They all are or were at one time completely available to anyone in an uncracked format.

"The primary purpose (for releasing the cache) is to get good, clean and consistent data out in the world so others can find new ways to explore and gain knowledge from it."

Burnett used scripts to scrape 11,000 passwords a day from the web, forums and IRC. Over ten years he collected about six million passwords.

The remainder were hoovered up in a hail of breaches since 2009 which Burnett said allowed him to manually collect up to a staggering 20 million unique passwords a year.

The trove is devoid of passwords that required cracking and none were acquired through purchase or even from exclusive forum access.

The public availability of the cache meant it presented less of a security risk if black hats were to use it, he said.

Yet the consultant acknowledged the dump stepped on the edge of ethical practise and said the decision to release usernames along with passwords for the benefit of future research was thoroughly considered.

"I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me."

Burnett estimated the law was on his side given that his intent was not criminal, but he could fall foul under proposed changes to the US' ambiguous Computer Fraud and Abuse Act (CFAA) which in section 18 removed an intent to defraud clause. It now refers to acts that "wilfully" trafficked passwords or similar data that may result in the unauthorised accessing of a machine.

Burnett had previously declined years of daily requests by industry for his password cache. The raw data sets have been shared with established breach alert providers.

The 84MB password cache could be downloaded from Burnett's website over Bittorrent.

Burnett's decision to release the trove quickly sparked debate, and accusations he acted irresponsibly. He replied with this tweet.

®

More about

TIP US OFF

Send us news


Other stories you might like