A security consultant has published an unencrypted list of 10 million passwords and usernames - alongside a lengthy explanation about why he should not be arrested.
Mark Burnett published the list on Safer Internet Day in order to help researchers detect and study online security.
But the move is risky: journalist and hacktivist Barrett Brown was recently sentenced to 63 months in a Texas prison for linking to security data obtained by hacking.
Security researchers often leak and study lists of passwords in order to help advise the public, and businesses, on avoiding common mistakes when it comes to security. But almost always researchers remove the associated usernames, so that the public is not put at risk by the release.
However Burnett said he was releasing the usernames and passwords together to “provide insight into user behavior”.
He said that while his list was real - these were all once usernames and passwords used by real people - he had taken steps to ensure they would not put real people at risk.
He said:
- Most of the passwords are “to the best of my knowledge” not still in use
- The data is already publicly available in plain text
- All users will have been notified that their passwords are public
- Most users will have changed their passwords already
But he added that it was “completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment”.
“I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me.
I could have released this data anonymously like everyone else does but why should I have to? I clearly have no criminal intent here. It is beyond all reason that any researcher, student, or journalist have to be afraid of law enforcement agencies that are supposed to be protecting us instead of trying to find ways to use the laws against us.”
He also said that he did not want to put anyone at risk - rather help researchers keep people safe.
"In the case of me releasing usernames and passwords, the intent here is certainly not to defraud, facilitate unauthorized access to a computer system, steal the identity of others, to aid any crime or to harm any individual or entity. The sole intent is to further research with the goal of making authentication more secure and therefore protect from fraud and unauthorized access."
Burnett also provided an ‘FAQ’ for anyone concerned by the publication of the data in which he says that “if a hacker needs this list to hack someone, they probably aren’t much of a threat”.