10 Million Usernames & Passwords Spilled by Researcher [Updated]

• in categories: news • by: Michelle Balestrat

If you were sitting on 10 million hacked usernames and passwords, would you show the world? Mark Burnett, an information security researcher hailing from Salt Lake City, Utah, has done just that.

His reasoning? “… to get good, clean and consistent data out in the world so others can find new ways to explore and gain knowledge from it.”

The colossal database was cobbled together from various database dumps, primarily over the last 5 years. In a blog post detailing the share, Mr. Burnett addressed legal and ethical concerns about his actions.

It is thought that there could be legal troubles for the researcher, though he maintains that most of the passwords are dead, and the leak is purely for the interest of the public. Burnett further stated, “…it shouldn’t be illegal to research.”

Shortly after publishing the data, Burnett offered to supply BreachAlarm with a list of the email addresses that corresponded to the 10 million username/password combinations.

Updated 13 Feb 2015: On importing the list provided by Burnett into BreachAlarm, we found the following:

  • 7,140,863 email records. Updated 16 Feb 2015: Burnett has explained via email that the difference between this figure and the 10 million username/password combinations is a consequence of the way the username/password list was assembled from various sources, some of which did not include email addresses, with duplicate records removed at different stages along the way.

  • 53% of the email addresses are ones we have already indexed previously. Burnett mentions in this blog post that he’s been collecting data for over 10 years, so it makes sense that he’s picked up some of the breaches we have.

  • Russian email addresses featured in the data provided, with Mail.ru and Yandex.ru making up 58% of the email list. Late last year we picked up two large Russian database hacks; these breaches comprise a significant portion of Burnett’s release.

  • Hotmail, Yahoo and Gmail email addresses made up 17% of the list, or almost 1.3 million records.

You can use our email breach checker to see if your address is now in our database, and subscribe to Email Watchdog to get notified if your address shows up in future breaches.
