Researcher Leaks Ten Million Usernames and Passwords; Are Your Credentials At Risk?
Mark Burnett, an Internet security researcher, recently released a data dump of significant proportions in an effort to help strengthen password security. The torrent he released included ten million usernames and passwords.
In a blog post, Burnett expressed that he was incredibly concerned about the legal repercussions of his actions, but argued his stance clearly.
“I typically decline to share the passwords but for quite some time I have wanted to provide a clean set of data to share with the world. A carefully-selected set of data provides great insight into user behavior and is valuable for furthering password security. So I built a data set of ten million usernames and passwords that I am releasing to the public domain.”
Citing other cases where people have been punished for releasing data like this, Burnett said it’s ridiculous that he felt the need to write an entire article justifying his actions. He argued that the FBI shouldn’t arrest him because, under his interpretation of the law, what he’s doing isn’t illegal.
Burnett’s Defense Against Prosecution For Leaking Usernames and Passwords
Burnett believes the FBI shouldn’t prosecute him for his actions because he has no intent for his actions to further malicious activity.
“The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access.”
In a further effort to protect the victims of the leak from bad actors, Burnett doctored the information to remove company names and manually reviewed it to rid it of personal identifiers. Burnett also removed military and government sources where possible, along with credit card or financial account numbers.
“For now the laws are on my side because there has to be intent to commit or facilitate a crime. However, the White House has proposed some disturbing changes to the Computer Fraud and Abuse Act that will make things much worse.”
Citing 18 U.S.C. § 1030(a)(6), Burnett pointed out that the White House wants to remove the “intention” clause and replace it with the word “willfully,” along with a blanket statement making it entirely illegal to share this type of information.
While the White House certainly has a legitimate interest in protecting U.S. citizens’ security online, Burnett believes these types of restrictions will stifle innovation in the security of usernames and passwords.
Burnett then put up the link to the 84.7 MB torrent with a warning to anyone wanting to download, saying that the information is for academic and research purposes only.
“As a final note, be aware that if your password is not on this list that means nothing. This is a random sampling of thousands of dumps consisting of upwards to a billion passwords. Please see the links in the article for a more thorough check to see if your password has been leaked. Or you could just Google it.”