From a study of several publicly leaked data breaches, a security researcher has released a collection of 10 million usernames and passwords.
The database dumps containing the 10 million usernames and passwords were already publicly available online. But Mark Burnett, a well-known security consultant who has spent years collecting and researching leaked passwords, described his decision to publish the dump as a risky one, albeit one he believes can be useful to other security researchers.
WHY IS THE RESEARCHER WILLING TO SHARE PASSWORDS?
Burnett said the data would give other researchers a sample from which to analyze and better understand user behavior, and would encourage further work on password security.
Students and other security researchers had asked him from time to time for a copy of his password research data so that they could carry out their own independent research.
WHAT WORRIES HIM ABOUT SHARING HIS RESEARCH?
The former Anonymous activist and journalist Barrett Brown was sentenced to roughly five years in prison after he shared, in an IRC (Internet Relay Chat) channel, a hyperlink to hacked data that other members were distributing. It is the fear of a similar prosecution that has made Burnett hesitant to share his research with anyone.
Nevertheless, Burnett wants to share the data with everyone so that the world can understand how people choose their passwords.
Burnett also wrote in his blog post on Monday that it is simply ridiculous that he has to write a whole justification for releasing the data in order to avoid legal action. If it weren't for this, he says, he would have written an article about the data release itself; instead he has to spend his time on this lame exercise just to convince the FBI not to arrest him.
FROM WHERE DID THE CREDENTIALS COME?
Burnett collected information that was already present on the internet, gathered from data breaches at major companies such as the Adobe breach and the Stratfor hack.
Many of the passwords found, the researcher said, were already "dead", meaning most had since been changed, and Burnett scrubbed other data, such as the domain names from e-mail addresses, to render the information useless to cyber criminals and other hackers. Anyone whose password still appears on the list should nonetheless change it immediately.
A SHORT INTERVIEW WITH MARK BURNETT
A few questions were posed to Mark about sharing the usernames and passwords with the world; his answers were as follows:
Q: Is there any threat to online users associated with sharing the passwords with the public?
A: The passwords are already out there on the internet, so the hackers who want to hack the passwords on this list are not a threat at all.
Q: Have you been approached by any Law enforcement agencies?
Q: Does the data include any passwords or usernames from the Adobe and LinkedIn breaches?
A: My research includes those breaches that have both the username and the password, and so this excludes LinkedIn and other sites as well. As far as Adobe is concerned, the passwords that were not available on the internet unencrypted have not been included, and this rules out Adobe as well. Otherwise, the report has a bit of everything.
Q: Why should the passwords be shared publicly?
A: The data is collected for the purpose of providing a clean and consistent set of information for those who want to study it and hence gain knowledge. Although I have been asked many times to share my research, I have been hesitant to do so. Despite not being completely accurate, the data can be used to improve security.
‘WHY THE FBI SHOULDN’T ARREST ME’
Researchers are usually accustomed to releasing passwords alone; Burnett, however, has released usernames and passwords together. This is an area that has been studied far less, but one that can offer greater insight than studying passwords on their own.
Researchers have commonly feared releasing usernames and passwords together. Released in combination, they constitute authentication credentials, and if such credentials are tied to a live, registered account and are passed around in, say, a private IRC channel, that can be deemed trafficking, which the FBI can treat as a crime.
The 10 million pairs released by the researcher can show, for instance, how often users put their username, in part or in full, into their password. Ten million is still a huge number, but Burnett fended off that criticism by pointing out that the leaked information was already on the internet.
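The two data-handling steps the article describes, scrubbing the e-mail domain from each username before release and then measuring how often a password contains its own username in full or in part, as an added Python example. This is not Burnett's code or HackRead's; the dump lines are constructed, and the `user:password` layout, the four-character fragment threshold and the normalization rules are assumptions made here.

```python
"""Added example (not Burnett's or HackRead's code): scrub a leaked
username:password dump and measure how often a password reuses its
username. All sample data below is constructed, not from any real dump."""
from dataclasses import dataclass
import re

# Constructed sample lines in the common "user:password" dump layout (assumed).
SAMPLE_DUMP = """\
alice.smith@example.com:alicesmith2014
bob@example.org:Summer2015!
carol_j:carol123
dave@example.net:correcthorsebatterystaple
erin:Erin!erin
frank.m@example.com:Frank.m
grace:qwerty
"""

MIN_FRAG = 4  # assumed: shorter username fragments match too often by chance


@dataclass
class Stats:
    total: int
    full_match: int      # password contains the whole normalized username
    partial_match: int   # password contains a username fragment of >= MIN_FRAG chars


def scrub_username(user: str) -> str:
    """Drop the e-mail domain so the pair no longer points at a live account."""
    return user.split("@", 1)[0]


def normalize(s: str) -> str:
    """Lower-case and keep only letters/digits so 'Frank.m' and 'frankm' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def username_fragments(user: str, min_len: int = MIN_FRAG):
    """Yield username tokens (split on . _ - and digits) long enough to be meaningful."""
    for frag in re.split(r"[._\-0-9]+", user.lower()):
        if len(frag) >= min_len:
            yield frag


def classify(user: str, password: str) -> str:
    """Return 'full', 'partial' or 'none' for how much of the username the password reuses."""
    u = normalize(user)
    p = normalize(password)
    if u and u in p:
        return "full"
    if any(frag in p for frag in username_fragments(user)):
        return "partial"
    return "none"


def parse_dump(text: str):
    """Yield (scrubbed_user, password) pairs. Split on the first ':' only,
    because passwords themselves may contain ':'."""
    for line in text.splitlines():
        if ":" not in line:
            continue  # malformed line; skip rather than guess
        user, password = line.split(":", 1)
        yield scrub_username(user.strip()), password


def analyze(text: str) -> Stats:
    total = full = partial = 0
    for user, password in parse_dump(text):
        total += 1
        kind = classify(user, password)
        if kind == "full":
            full += 1
        elif kind == "partial":
            partial += 1
    return Stats(total, full, partial)


if __name__ == "__main__":
    s = analyze(SAMPLE_DUMP)
    print(f"{s.total} pairs: {s.full_match} contain the full username, "
          f"{s.partial_match} contain a fragment, "
          f"{s.total - s.full_match - s.partial_match} neither")
```

Splitting on the first colon only matters in practice: dumps regularly contain passwords with colons in them, and a naive `line.split(":")` silently miscounts those lines. The scrubbed output (local part plus password) is what gets released; the analysis runs on the same scrubbed pairs, so nothing that identifies a live account needs to leave the researcher's machine.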
We at HackRead are currently analyzing the data and will update you once done.