Researcher Publishes 10 Million Usernames and Passwords from Data Breaches

Posted in Hacker News
A security researcher has publicly released a set of 10 Million usernames and passwords, which he collected from multiple data breaches over the last decade for the purpose of his research.
These 10 million usernames and passwords are a compilation of leaked database dumps that were already publicly available on the Internet. Nevertheless, Mark Burnett, a well-known security consultant who has developed a specialty in collecting and researching passwords leaked online, described his decision to publish the password dump as legally risky, but necessary to help security researchers.
The researcher says the released set of passwords and usernames serves as a sample data set that other researchers can analyze to gain insight into user behavior, and that it is valuable for promoting password security.
Also, the researcher was frequently receiving lots of requests from students and other security researchers to submit a copy of his password research data for their own analysis.
At the time, he typically declined to share the passwords because he was worried that doing so might expose him legally, given the recent five-year sentence handed to former Anonymous activist and journalist Barrett Brown for sharing a hyperlink to an IRC (Internet Relay Chat) channel where Anonymous members were distributing stolen information from a hack.
However, at the same time, Burnett wanted to share his password research data with the world in order to study the way people choose pass phrases.

“I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment,” he wrote in his blog post published Monday. “I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me.”

Burnett collected the data from major data breaches at big companies, including the Adobe data breach and the Stratfor hack, all of which was already publicly available on the Internet and could easily be found through Web searches.
According to the researcher, most of the leaked passwords were “dead,” meaning they had already been changed, and he has scrubbed other information such as domain names to make the set unusable for cyber criminals and malicious hackers. However, any username or password found on the list that is still in use should be changed immediately.
Burnett also explains why he believes law enforcement agencies have no grounds to arrest him.

“Although researchers typically only release passwords, I am releasing usernames with the passwords. Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone,” Burnett wrote.

Most researchers are afraid to publish usernames and passwords together because combined they become an authentication feature. If simply linking to already released authentication features in a private IRC channel was considered trafficking, surely the FBI would consider releasing the actual data to the public a crime.

The almost 10 million passwords released by the researcher could, for instance, help other researchers determine how often users include all or part of their usernames in their passwords. Ten million is a very large number, but Burnett defended the release on the grounds that all of the leaked data was already available online.
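As an added example (not from the article and not Burnett's own code or data), here is how a researcher or defender could run the username-reuse analysis the article mentions over `username:password` lines, stripping e-mail domains first as Burnett did; the sample records and the leet-substitution map are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample credential pairs (not real leaked data): the kind of
# "username:password" lines a researcher would analyse. Some usernames still
# carry an e-mail domain, which is stripped before analysis.
SAMPLE_PAIRS = [
    "alice@example.com:alice2014",
    "bob_smith:Sunshine!",
    "charlie:ch4rlie",        # leet-speak variant of the username
    "dana.lee:leeDana",       # username token reused in another order
    "evan:correcthorsebattery",
    "frank99:frank",          # username minus its digits
]

# Assumed mapping of common leet substitutions back to letters.
LEET = str.maketrans("4301$5", "aeolss")

def strip_domain(username):
    """Drop the e-mail domain so the record is no longer a usable login."""
    return username.split("@", 1)[0]

def username_tokens(username):
    """Split a username into alphabetic tokens of at least 3 characters."""
    return [t for t in re.split(r"[^a-z]+", username.lower()) if len(t) >= 3]

def password_reuses_username(username, password):
    """True if any username token appears in the password, compared
    case-insensitively after undoing leet substitutions."""
    normalized = password.lower().translate(LEET)
    return any(tok in normalized for tok in username_tokens(username))

def analyse(lines):
    """Return (total, count_with_username_reuse, fraction) for the lines."""
    stats = Counter()
    for line in lines:
        user, _, pw = line.partition(":")
        user = strip_domain(user)
        stats["total"] += 1
        if password_reuses_username(user, pw):
            stats["reuse"] += 1
    frac = stats["reuse"] / stats["total"] if stats["total"] else 0.0
    return stats["total"], stats["reuse"], frac

if __name__ == "__main__":
    total, reuse, frac = analyse(SAMPLE_PAIRS)
    print(f"{reuse} of {total} passwords reuse part of the username ({frac:.0%})")
```

The same check is what a registration form or password-policy filter applies when it rejects passwords that contain the account name.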