Mark Burnett, an independent IT security analyst, has released a set of 10 million passwords along with their corresponding usernames despite an increasingly risky legal landscape.
In an article published on Xato.net, Burnett states that his intention is not to defraud or jeopardize the information of others. His goal, he goes on to clarify, “is to further research with the goal of making authentication more secure and therefore protected from fraud and unauthorized access.”
With this aim in mind, Burnett decided to release the passwords’ corresponding usernames in an effort to advance the field of password security. By studying usernames and passwords together, security researchers can analyze to what extent customers incorporate their usernames into their passwords, for example.
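As an added example (not code from Burnett's article or his dataset), here is one way a researcher could measure the username-in-password overlap the paragraph mentions; the credential pairs and the four-character minimum-overlap threshold are constructed assumptions:

```python
# Added example: estimate how often a password embeds the account's username,
# the kind of analysis that username/password pairs make possible.
# Every credential pair below is constructed for illustration.
from typing import Iterable, Tuple

MIN_OVERLAP = 4  # assumed threshold: ignore very short, coincidental matches


def username_in_password(username: str, password: str, min_len: int = MIN_OVERLAP) -> bool:
    """True if the password contains the username (or the local part of an
    email-style username) as a case-insensitive substring of >= min_len chars."""
    local = username.split("@", 1)[0].lower()
    if len(local) < min_len:
        return False
    return local in password.lower()


def username_reuse_rate(pairs: Iterable[Tuple[str, str]]) -> float:
    """Fraction of (username, password) pairs whose password embeds the username."""
    pairs = list(pairs)
    if not pairs:
        return 0.0
    hits = sum(username_in_password(u, p) for u, p in pairs)
    return hits / len(pairs)


# Constructed sample; no domains, mirroring the stripped email addresses.
SAMPLE = [
    ("jsmith", "jsmith1985"),      # username reused verbatim
    ("maria.lopez", "Sunshine!"),  # unrelated
    ("dev_ops", "DEV_ops#42"),     # reused with different case
    ("al", "alpha"),               # too short to count as reuse
    ("wendy", "correcthorse"),     # unrelated
]

if __name__ == "__main__":
    print(f"username reuse rate: {username_reuse_rate(SAMPLE):.0%}")  # prints 40%
```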
The security researcher also explains how he took a number of precautions to make sure that cyber criminals could not use his set of passwords for illegal purposes. Those measures included removing the domain portion from the leaked email addresses, eliminating any keywords that might provide insight into the source of the login information, and excluding any financial information such as credit card numbers.
Most if not all of the edited login credentials released online by Burnett have been publicly available for at least 10 years, meaning that they are “dead passwords” and that users have likely reset their logins by now.
Even so, the security researcher is well aware of the risks his actions carry.
He notes, among other things, how the criminal prosecution of Barrett Brown, a journalist and spokesman for the hacker group Anonymous who also linked to publicly available data online, has caused some security journalists to stop reporting on hacking and breaches for fear of being raided by the FBI.
Burnett also points out how Brown’s arrest is framed by an increasingly risky legal environment in the United States, where proposed changes to the Computer Fraud and Abuse Act could make it illegal for anyone to share passwords or other information regardless of intent to defraud.
“I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment,” Burnett writes. “I had wanted to write an article about the data itself, but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me.”
The link to the researcher’s set of passwords and usernames can be found in his post here.