Security expert publishes 10mn passwords in the face of federal charges
An American security researcher has published a file containing 10 million usernames and their corresponding passwords for education purposes, opening himself up to the possibility of criminal prosecution.
The researcher, Mark Burnett, released the trove of data on Monday in an effort to further the work of others who are similarly interested in studying online security and user behavior.
“Frequently I get requests from students and security researchers to get a copy of my password research data. I typically decline to share the passwords but for quite some time I have wanted to provide a clean set of data to share with the world,” he wrote on his personal website.
“A carefully-selected set of data provides great insight into user behavior and is valuable for furthering password security,” Burnett wrote. “So I built a data set of ten million usernames and passwords that I am releasing to the public domain.”
Yet while Burnett boasts a decade-and-a-half of IT security experience and has co-authored no fewer than seven books on the topic, he acknowledges in this week’s blog post that publishing his research, even for academic purposes, poses a potentially serious legal risk for himself.
In singling out the court issues recently encountered by Barrett Brown – a Texas-based writer who received a 63-month sentence in January for sharing a web link containing similarly sensitive data – Burnett says he also risks becoming the subject of a federal probe by dumping his own trove of data on the web.
“The arrest and aggressive prosecution of Barrett Brown had a marked chilling effect on both journalists and security researchers. Suddenly even linking to data was an excuse to get raided by the FBI and potentially face serious charges. Even more concerning is that Brown linked to data that was already public and others had already linked to,” Burnett wrote.
Indeed, US District Court Judge Sam Lindsay sentenced Brown, 31, last month after the writer pleaded guilty to charges of obstruction, making internet threats, and being an accessory after the fact to the unauthorized access of a protected computer; the resulting sentence of only a few years is far shorter than the century-plus behind bars he had previously faced.
Although the bulk of that sentence stems from the plea Brown entered concerning internet threats – he admitted in court that he broke the law by intimidating and harassing a federal agent by way of YouTube and Twitter (a felony) – Judge Lindsay said his decision was reached after considering that Brown had shared a publicly available website address that contained a trove of sensitive details, including credit card information pilfered from private intelligence firm Stratfor by hacktivist group Anonymous. Prosecutors had previously charged Brown with trafficking in stolen authentication features for copying a link containing the information from one IRC chat room and pasting it into another, but a high-profile campaign endorsed by the likes of the Electronic Frontier Foundation and the Committee to Protect Journalists led to those counts, and others, being dropped before a plea agreement was reached. Nevertheless, Judge Lindsay said last month that the conduct was relevant to the matters at hand before the court, and thus factored it in when deciding on a sentence.
This week, Burnett wrote that he compiled a list of around 10 million usernames and passwords – absent the domain information that would reveal where the accounts could be used – that “is or was at one time generally available to anyone and discoverable via search engines in a plaintext” and posted them on websites where compromised data is commonly hosted.
Although Burnett sees no issue with what he’s doing, he wrote that the Brown sentencing may have set a rather unfortunate precedent for security researchers.
“Most researchers are afraid to publish usernames and passwords together because combined they become an authentication feature,” he wrote. “If simply linking to already released authentication features in a private IRC channel was considered trafficking, surely the FBI would consider releasing the actual data to the public a crime.”
“In the case of me releasing usernames and passwords, the intent here is certainly not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access.”
Attorneys for Brown argued similarly when they said their client had no intention of furthering access to stolen credit card data by sharing a link, but was more concerned with analyzing inter-office emails stolen from the intelligence firm’s computer network. Later, that correspondence was published by anti-secrecy group WikiLeaks and subsequently formed the basis for dozens of news stories.
“Ultimately, to the best of my knowledge these passwords are no longer valid and I have taken extraordinary measures to make this data ineffective in targeting particular users or organizations. This data is extremely valuable for academic and research purposes and for furthering authentication security and this is why I have released it to the public domain,” Burnett wrote.
“Having said all that, I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment. I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me,” he continued.