A security researcher has released the usernames and passwords from 10 million real user accounts online for ‘research purposes’.
Utah-based Mark Burnett released the list of usernames and passwords as a plain text file through BitTorrent on Monday, but in a statement published on his website he notes that the release may have put him in the cross-hairs of the FBI.
In a section of the statement titled “why the FBI shouldn’t arrest me”, Burnett argues that this release does not break the law as he has no intent to use the data for criminal purposes. He said:
“In the case of me releasing usernames and passwords, the intent here is certainly not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access.”
The release is unusual in that the passwords are published alongside the corresponding usernames, but Burnett has made efforts to protect the identity of the affected account holders by removing the domain portion of email addresses, as well as company names and anything that looked like financial data, from the release.
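The redaction steps described above (strip the domain from email-style usernames, drop records that carry anything resembling financial data, and blank out company names) are easy to get wrong when run over millions of lines, so here is an added illustration of that kind of sanitiser. It is not Burnett's own script and nothing about his actual process is known beyond the summary above; the "username:password" line format, the company-name list and the use of a Luhn check to flag card-number-like digit runs are all assumptions made for this example.

```python
import re

# Constructed sample lines for this example; none of these come from the
# released dataset. Format assumed: "username:password", one record per line.
SAMPLE_LINES = [
    "alice@example.com:hunter2",
    "bob.smith@contoso.co.uk:Summer2014!",
    "carol:4111111111111111",              # password is a Luhn-valid card-like number
    "dave@example.org:4111-1111-1111-1111",
    "erin_acme:letmein",                   # username embeds a (hypothetical) company name
    "frank:correct horse battery staple",
]

# Hypothetical company names to redact; a real run would use a curated list.
COMPANY_NAMES = {"acme", "contoso"}

EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")
# 13-19 digits, optionally separated by spaces or dashes (typical card formats).
DIGIT_RUN_RE = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_financial(text: str) -> bool:
    """Heuristic: any long digit run that also passes Luhn is treated as a card number.
    The regex match is greedy, so a valid number embedded in a longer run may be
    missed; that is a conservative-enough trade-off for a first pass."""
    for m in DIGIT_RUN_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            return True
    return False


def strip_domain(username: str) -> str:
    """'alice@example.com' -> 'alice'; non-email usernames are returned unchanged."""
    m = EMAIL_RE.match(username)
    return m.group(1) if m else username


def redact_companies(text: str) -> str:
    """Replace any listed company name (case-insensitive) with a placeholder token."""
    for name in COMPANY_NAMES:
        text = re.sub(re.escape(name), "[redacted]", text, flags=re.IGNORECASE)
    return text


def sanitize_line(line: str):
    """Return the sanitised 'username:password' record, or None if it must be dropped."""
    if ":" not in line:
        return None                      # malformed record, discard rather than guess
    username, password = line.split(":", 1)
    # Drop the whole record if either field looks like financial data; a partial
    # redaction would still leak the fact that a card number was in the dump.
    if looks_financial(username) or looks_financial(password):
        return None
    username = redact_companies(strip_domain(username))
    password = redact_companies(password)
    return f"{username}:{password}"


def sanitize(lines):
    """Apply sanitize_line to every input line, keeping only records that survive."""
    out = []
    for line in lines:
        cleaned = sanitize_line(line.rstrip("\n"))
        if cleaned is not None:
            out.append(cleaned)
    return out


if __name__ == "__main__":
    for record in sanitize(SAMPLE_LINES):
        print(record)
```

Note that the domain is stripped before the company-name pass, so a name that appears only in the email domain (contoso above) disappears without touching the local part, while a name embedded in the local part itself is replaced rather than the whole record being discarded.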
The username and password combinations were sourced from a variety of data dumps over the past decade on a variety of forums, chat sites, and darknet locations – the same sources that tools such as haveibeenpwned or pwnedlist use as the source of their information to tell users if their data has been breached.
While all the data may have been publicly available before, this is the first time it has all been brought together in one place, making it more useful both to researchers and to criminals; Burnett hopes that the username and password combinations are no longer active and so will not pose a security threat.
Photograph by Jeroen Bennink