Security researcher publishes 10 million passwords, usernames online

The data set has been published -- but what will the FBI have to say about it?
Written by Charlie Osborne, Contributing Writer

In the name of clarity and research, a security expert has compiled and published 10 million usable usernames and passwords online.

This week, Mark Burnett, a security consultant and researcher who specializes in the security of Microsoft Windows-based servers and networks, released 10 million passwords and linked usernames in a data set compiled from existing information. The information, sourced from the Internet, was compiled with the intention of furthering research in passwords and user behavior.

While the password research data has been kept in his possession until now, Burnett has decided to share the data set with the world. In a blog post, the security researcher explained why the information has been released into the public domain -- saying that he has wanted to "provide a clean set of data to share with the world," as the data set provides "great insight into user behavior and is valuable for furthering password security."

Now viewable by the public, the data set will no doubt prove invaluable to other researchers. However, this could be tricky when it comes to the law.

In order to stop the FBI coming after him, Burnett explained why the information was divulged. The security researcher says:

"The intent here is certainly not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. The sole intent is to further research with the goal of making authentication more secure, and therefore protect from fraud and unauthorized access."

In order to prevent the 10 million usernames and passwords from being used illegally, Burnett has removed the domain portion from every email address, combined data samples from thousands of global incidents over the last five years with other data going back ten years -- so account sets cannot be tied to any one company -- and removed keywords such as company names to disguise the source of the login data.

In addition, the security consultant has "manually reviewed much of the data to remove information that might be particularly linked to an individual," and removed any data which appears to be financial or belonging to employees of government or military sources -- when these accounts have been identifiable in the first place.
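The sanitization steps described above (stripping the domain from every address, dropping records tied to government, military or financial sources, and dropping records that carry source keywords such as company names) can be expressed as a small filter. The script below is an added illustration written for this article, not Burnett's own tooling; the sample dump, the keyword list and the domain hints are constructed for the example, and treating a record that contains a company keyword as one to drop rather than rewrite is an assumption about how "removed keywords" was applied.

```python
"""Sanitise a constructed credential dump along the lines the article describes:
strip the domain from e-mail addresses, drop records that look government,
military or financial, and drop records carrying source keywords.
Sample data and keyword lists are constructed; none of it is from the released set."""
import re
from collections import Counter

# Constructed lists; the article names no specific companies or domains.
COMPANY_KEYWORDS = ("examplecorp", "acmeshop")   # hypothetical source keywords
SENSITIVE_TLDS = (".gov", ".mil")                # government / military domains
FINANCIAL_HINTS = ("bank", "creditunion")        # hypothetical financial hints

EMAIL_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


def classify(username, password):
    """Return ("keep", (username, password)) with any e-mail domain removed,
    or ("drop", reason) when the record should not be published."""
    m = EMAIL_RE.match(username)
    if m:
        local, domain = m.group(1), m.group(2).lower()
        if domain.endswith(SENSITIVE_TLDS):
            return "drop", "government/military domain"
        if any(h in domain for h in FINANCIAL_HINTS):
            return "drop", "financial domain"
        username = local  # keep only the local part of the address
    # Once the domain is gone, only the local part and the password can still
    # leak the source, so the keyword check runs over those two fields.
    haystack = (username + password).lower()
    if any(k in haystack for k in COMPANY_KEYWORDS):
        return "drop", "company keyword"
    return "keep", (username, password)


def sanitize_dump(lines):
    """Parse user:password lines; return (kept_records, drop_reason_counts)."""
    kept, reasons = [], Counter()
    for raw in lines:
        line = raw.strip()
        if not line or ":" not in line:
            continue  # skip blank and malformed rows
        user, _, pw = line.partition(":")  # the password may itself contain ':'
        verdict, payload = classify(user, pw)
        if verdict == "keep":
            kept.append(payload)
        else:
            reasons[payload] += 1
    return kept, reasons


# Constructed sample rows (no real accounts).
SAMPLE_DUMP = [
    "alice@example.com:Summer2014!",
    "bob@examplecorp.com:letmein",        # source is hidden once the domain is stripped
    "carol@agency.gov:Passw0rd",          # government domain: dropped
    "dave@firstbank.net:hunter2",         # financial domain: dropped
    "erin:acmeshop123",                   # company keyword in the password: dropped
    "frank@mail.example.org:pa:ss:word",  # colon inside the password
    "",
    "not-a-record",
]

if __name__ == "__main__":
    records, dropped = sanitize_dump(SAMPLE_DUMP)
    for user, pw in records:
        print(f"{user}:{pw}")
    print("dropped:", dict(dropped))
```

Run as a script it prints the three surviving records and a count per drop reason; the reasons are returned as a `Counter` so a reviewer can see how much of a dump each rule removed before deciding whether the remaining records are safe to share.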

If you are concerned your accounts may be on the list, there is likely little cause for alarm. Burnett states:

"I believe these are primarily dead passwords, which cannot be defined as authentication features because dead passwords will not allow you to authenticate. The likelihood of any authentication information included still being valid is low and therefore this data is largely useless for illegal purposes. To my knowledge, these passwords are dead."

An important point to emphasize is that all of these username and password sets are already available online as existing dumps -- and have simply been compiled by the security consultant. However, it is worth checking Google, haveibeenpwned or pwnedlist to see if any of your accounts have been compromised.

Burnett concludes:

"This data is extremely valuable for academic and research purposes and for furthering authentication security and this is why I have released it to the public domain.

Having said all that, I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment.

I could have released this data anonymously like everyone else does but why should I have to? I clearly have no criminal intent here. It is beyond all reason that any researcher, student, or journalist have to be afraid of law enforcement agencies that are supposed to be protecting us instead of trying to find ways to use the laws against us."
