If you were sitting on 10 million hacked usernames and passwords, would you show the world? Mark Burnett, an information security researcher hailing from Salt Lake City, Utah, has done just that.
His reasoning? “… to get good, clean and consistent data out in the world so others can find new ways to explore and gain knowledge from it.”
The colossal database was cobbled together from various database dumps, primarily from the last 5 years. In a blog post detailing the share, Mr. Burnett addressed legal and ethical concerns about his actions.
It is thought that there could be legal troubles for the researcher, though he maintains that most of the passwords are dead and that the leak is purely for the interest of the public. Burnett further stated, “…it shouldn’t be illegal to research.”
Shortly after publishing the data, Burnett offered to supply BreachAlarm with a list of the email addresses that corresponded to the 10 million username/password combinations.
Updated 13 Feb 2015: On importing the list provided by Burnett into BreachAlarm, we found the following:
7,140,863 email records. Updated 16 Feb 2015: Burnett has explained via email that this difference is a consequence of the way the username/password list was assembled from various sources, some of which did not include email addresses, and with removal of duplicate records performed at different stages along the way.
53% of the email addresses are ones we have previously indexed. Burnett mentions in this blog post that he’s been collecting data for over 10 years, so it makes sense that he’s picked up some of the breaches we have.
Russian email addresses featured in the data provided, with Mail.ru and Yandex.ru making up 58% of the email list. Late last year we picked up two large Russian database hacks; these breaches comprise a significant portion of Burnett’s release.
Hotmail, Yahoo and Gmail email addresses made up 17% of the list, or almost 1.3 million records.