I Emailed 97,931 Users Their Passwords23 Jun 2015
I run across lots of passwords on the webs. Passwords to bank accounts, Netflix accounts, email accounts- you name it. Pastebin and its clones are very popular repositories for this kind of information.
Now, there are a couple of solutions a person can use to collect this password data. Not all of them are malicious.
Some of these scripts are often used to alert a person when one of their own accounts are compromised as a kind of canary. I’ve seen various services where a person can opt-in to be notified if one of their accounts has been compromised. A “Canary As A Service” if you will. I can see two issues with this:
- Most users have no idea these services exist.
- Many users are wary of sending the information they care most about to another online service.
I wondered what would happen if I just emailed this information to the people who owned it. Instead of asking people to opt-in — I could offer them the chance to opt-out.
I decided to do this as part of urhack.com and call it
canary Robin (the reasoning behind this change is there). I set up the email and a reply address to offer people a chance to unsubscribe. I even set up a PayPal donation button. I didn’t expect anything in return, but thought , “Why not?” five dollars would cover the VPS time.
For 3 days, I scraped Pastebin looking for email address/password combinations. This seemed to be the easiest target since it was the most active. After removing the garbage, I was left with over 97,000 email:password combinations.
On May 19th 2015, I sent out the emails. I could have waited for more, but this was only an experiment– and honestly I was getting impatient.
I tried to keep the message simple:
- 9 Thank Yous (0.009%)
- The thank you notes I got were sincere. One of them validated the entire effort when the person indicated that they use the same password for everything and wanted to know which account had been compromised.
- 100 Delivery Status Notification (Failure) (0.1%)
- Many of the addresses contacted were no longer in use for obvious reasons.
- 41 unsubscribes (0.041%)
- Including one request to F**k off. (0.001%) :)” />
- 29 Spam (0.029%)
- Some of these addresses were either compromised accounts which reply to emails with spam or were planted for this purpose.
- I received no donations. This was not unexpected– but since the campaign didn’t cost me much, it’s also absolutely fine.
Overall I consider this experiment a success. I hope that many people were helped and did not reply instead of ignoring or losing the email to spam filters.
My next list has been running since May 19th. My current count has around 300k accounts.
I might just do this again.