Security researcher posts over 10 million hacked passwords online

An online security researcher has shared 10 million passwords and usernames as the FBI threatens to crack down on the transfer of information in the hacking community.

Mark Burnett insists that he had no malicious intent when acquiring the information and was instead investigating trends in how individuals choose passwords. However, the recent sentencing of Anonymous supporter and researcher Barrett Brown has clouded the legality of Burnett’s actions.

Brown was sentenced to five years in prison and ordered to pay fines of more than $890,000 for posting links to hacked authentication data, something Burnett is keen to avoid.

"I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment," he wrote in a blog post. "I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me."

Burnett also questioned proposed changes to federal hacking regulations in the United States. Following the changes, hackers could be subject to criminal charges if they share personal data, even if they have no intention of using that information to defraud individuals or gain unauthorised computer access.

“The arrest and aggressive prosecution of Barrett Brown had a marked chilling effect on both journalists and security researchers,” he added. “Suddenly even linking to data was an excuse to get raided by the FBI and potentially face serious charges. Even more concerning is that Brown linked to data that was already public and others had already linked to.”

Burnett’s research hopes to analyse whether there is a connection between an individual’s username and password, with the goal of helping create more secure online services. The security researcher also added that most of the 10 million leaked data sets were no longer valid, but it remains to be seen if US authorities will let his actions go unpunished.

Guillaume Desnoës, head of European Markets at Dashlane, offered his thoughts: "It is vital that an issue as important as online security and password strength is taken seriously. This act only goes to further show that our data is more vulnerable than ever.

"Long gone are the days when Internet users could take a lackadaisical attitude to their online security. We need to wise up to the ever-growing threat of data breaches and cyber attacks such as Heartbleed last year to this week's Anthem data leak in the US by taking individual responsibility of our own data and protecting it properly using strong and unique passwords across the web.

"Despite much of the data being obsolete and unusable, this act still risks trivialising a very important issue. Why take the risk of releasing data if there is any chance that some of it is valid?

"Online security is certainly not a game and something which should be taken lightly."

Barclay has been writing about technology for a decade, starting out as a freelancer with IT Pro Portal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.