This security researcher just published 10 million real usernames and passwords

The massive password dump both tests and protests cybercrime law enforcement in the United States.

A security researcher is both testing and protesting US cybercrime laws by publishing 10 million real usernames and passwords for research purposes.

Mark Burnett, a Utah-based independent security analyst, released the usernames and passwords in a plain text file through BitTorrent on Monday. While it's not unusual for researchers to post information on leaked passwords, the inclusion of corresponding user names is rare, and approaches the boundaries of anti-hacking laws.

That's partly the point, as Burnett spends the bulk of his blog post explaining why he shouldn't be arrested. "I clearly have no criminal intent here," Burnett wrote. "It is beyond all reason that any researcher, student, or journalist has to be afraid of law enforcement agencies that are supposed to be protecting us instead of trying to find ways to use the laws against us."

Why this matters: It's worth noting that all of Burnett's data is or was publicly available, taken from forums and paste boards dating back as far as 10 years, so any credentials in Burnett's list are already compromised. While there could be some danger in repackaging that data, the bigger risk is to Burnett himself, with the potential payoff of publicity and plaudits if he gets away with it.

Trial by blog post

To explain why he shouldn't be arrested, Burnett pointed out the steps he took to prevent illegal use of the data, such as removing email domains and keywords that could be tied back to a company. He also believes that many of the passwords are useless to begin with. For those reasons, Burnett argues that he has not knowingly aided in identity theft, nor has he intended to defraud people through login information.

Why compile and release all that data, then? "The primary purpose is to get good, clean, and consistent data out in the world so others can find new ways to explore and gain knowledge from it," Burnett wrote in an FAQ. "The data isn't perfect and there are a few anomalies, but it should provide good insight into user password selection."

But there's also an air of protest in Burnett's blog post. He pointed to the case of Barrett Brown, the Anonymous spokesman who was initially arrested for copying and pasting a hyperlink to leaked Stratfor data. While some of the original charges didn't factor into Brown's eventual five-year prison sentence, Burnett said the arrest could still have a chilling effect on journalism and research.

Even if Burnett's actions aren't illegal today, he argues that President Barack Obama's proposal for tougher laws against cybercrime would almost certainly outlaw the data dump. "The problem is that the laws themselves change the very definition of a criminal and put many innocent professionals at risk," he wrote.


Stories by Jared Newman
