A security researcher has publicly released a set of 10 million usernames and passwords, which he collected from multiple data breaches over the last decade for the purpose of his research.
These 10 million usernames and passwords are a compilation of leaked database dumps that were already publicly available on the Internet. However, Mark Burnett, a well-known security consultant who has developed a specialty in collecting and researching passwords leaked online, described his decision to publish the password dump as legally risky, but necessary to help security researchers.
WHY IS THE RESEARCHER WILLING TO SHARE PASSWORDS?
The researcher says the released set of passwords and usernames is sample data, which is important for other researchers to analyze, provides great insight into user behavior, and is valuable for encouraging password security.
Also, the researcher was frequently receiving requests from students and other security researchers to send a copy of his password research data for their own analysis.
WHAT MADE HIM WARY OF SHARING HIS RESEARCH?
At the time, he typically declined to share the passwords because he was worried that doing so might harm him legally, given the recent five-year sentence handed to former Anonymous activist and journalist Barrett Brown for sharing a hyperlink to an IRC (Internet Relay Chat) channel where Anonymous members were distributing stolen information from a hack.
However, at the same time, Burnett wanted to share his password research data with the world in order to study the way people choose passphrases.
“I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment,” he wrote in his blog post published Monday. “I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me.”
WHERE DID THE CREDENTIALS COME FROM?
Burnett collected the data from major data breaches at big companies, including the Adobe data breach and the Stratfor hack, all of which were already publicly available on the Internet and could easily be found through Web searches.
According to the researcher, most of the leaked passwords were “dead,” meaning they had already been changed, and he scrubbed other information such as domain names to make the data unusable for cyber criminals and malicious hackers. However, any username or password found on the list that is still in use should be changed immediately.