Security Researcher Dumps 10 Million Passwords Online, Fears FBI Raid

It's not often that someone in the possession of a massive collection of passwords is willing to let it loose, and it's for good reason. It's perhaps for even greater reason why we so rarely see someone release a database that has both the usernames and passwords.

With the effects that WikiLeaks and Edward Snowden laid on the world, the FBI has been on a rampage to quell whatever it deems problematic, even if it poses no threat at all to national security. Despite that, security analyst Mark Burnett has decided to do what he feels is the right thing, and released a list of account credentials i- 10 million in all.

Weak Passwords

Based on the title of his article alone, I felt a little up-in-arms that Mark would take it upon himself to put millions of accounts at risk. However, there's more than meets the eye. A lot of the information is out-of-date, for starters, and Mark also went through the hassle of making the list as unidentifiable as possible. He provides a list of six ways he's protected people's accounts:

  • Limited identifying information by removing the domain portion from email addresses.
  • Combined data samples from thousands of global incidents from the last five years with other data mixed in going back an additional ten years so the accounts cannot be tied to any one company.
  • Removed any keywords, such as company names, that might indicate the source of the login information.
  • Manually reviewed much of the data to remove information that might be particularly linked to an individual.
  • Removed information that appeared to be a credit card or financial account number.
  • Where possible, removed accounts belonging to employees of any government or military sources.

This transparency is Mark's way of proving to the FBI that he shouldn't be targeted. He says he's doing security research a favor, as rarely do password leaks ever include the associated accounts.

Mark didn't break into any systems for this information; he spidered it from search engines, which was made useful because the leaked credentials were tied to services that stored all of the passwords in plaintext. Anyone could have gone ahead and found this information themselves; Mark's just chosen to gather it all up, remove truly identifiable information, and re-release it. Further, most of this information is outdated, with some of the credentials being up to ten-years-old.

Ten Million Passwords
A sample of the password list

I downloaded the list, and I admit that I'm not quite sure what it will help security researchers with versus other lists, but that could be because I'm not a security researcher. After looking through, I spotted a number of common poor password traits, but it's all standard fare. The overarching theme I saw here is no different than what I've seen from previous lists: A lot of people use horribly insecure passwords. We talked about this not even a month ago.

That's one of the things Mark hopes to emphasize, though. People need to realize that their passwords are insecure, and put them at risk. But again, that's nothing new - it's a message that's been harped at people for many years, but many still continue to use a password that emphasizes convenience more than security.

Ultimately, Mark heavily modified this list, and most notably removed domain names in the email addresses. And as most of this information is said to be seriously out-of-date, it seems to me like it'd be a massive waste of the FBI's time to target him. As we've seen exhibited on multiple occasions, though, that doesn't always matter.