One man emailed 97,931 people to tell them their passwords had been stolen
Naked Security


'Atechdad' searched Pastebin for stolen login credentials, and after three days of searching he emailed victims to tell them the bad news.

If you found a wallet lying in the street that contained thirty dollars and the owner’s address, would you return it?

‘Atechdad’ would.

Atechdad is the creator of the hacked site gallery urhack.com and he’s more familiar than most with the bits of the web where personally identifiable detritus washes up from so many internet break-ins.

He is, in his own words, somebody who runs “across lots of passwords on the webs”.

What if someone returned your wallet, but cloned your credit card? You probably wouldn’t know anything was amiss. Losing a password is a bit like having your credit card cloned. Unlike losing your wallet, there isn’t a particular moment when it’s no longer in your possession, only the moment where it’s no longer exclusively yours.

Which makes learning that your password has been stolen an unpleasant but necessary step in re-establishing the integrity of your privacy and security.

The web is, as Atechdad attests, littered with cloned passwords and yours might be among them.

To find out if it is, you’ll either have to conduct an exhaustive, never-ending search of the web’s grubby corners or pay somebody else to do it for you.

Assuming you even realise that such a service exists, and most of us probably don’t, you’ll have to decide if you trust it.

Atechdad had another idea:

I run across lots of passwords on the webs. Passwords to bank accounts, Netflix accounts, email accounts - you name it ... I wondered what would happen if I just emailed this information to the people who owned it

So he set out searching Pastebin for credentials and after three days amassed a trove of nearly 98,000 email and password combinations.

And then he contacted all of them to tell them the bad news.

From: <canary urhack.com> 
To: REDACTED
Cc: 
Date: Tue, 19 May 2015 06:12:41 -0400
Subject: Your account may have been compromise& 

To Whom It May Concern: An account associated with this email address may have been compromised. This email has been sent as a warning.

If these credentials match any you are familiar with, we recommend that you change your password as soon as possible. Otherwise, please disregard this message.

REDACTED

Why? 

The scripts that urhack.com is powered by routinely come across sensitive information which has been published publically. This is usually the result of a hack, social engineering attack or phishing campaign. Many people may not know their accounts have been compromised. We send these emails as a service to let people know so they can take action.

About Canary 

-urhack Canary


If you do not wish to receive these notifications in the future, please unsubscribe. We will not bug you again. Promise.

Those of you itching to know if this good Samaritan gesture was met with altruism in kind should prepare yourselves for disappointment; the internet did not thank Atechdad.

It could have been the slightly spammy, lightly phishy nature of his communiqué (note the typo in the subject line).

Or maybe, after years of disingenuous emails from rich Nigerian princes and beautiful Russian girls, we’ve lost faith in the claims of strangers.

Whatever the reason, Atechdad’s 97,931 good intentions were just no match for the yawning, black hole of apathy and cynicism that our inboxes create.

Just 50 of the near-one hundred thousand recipients registered receipt of their email in any way whatsoever. Of those, 41 did so by unsubscribing themselves, leaving just nine (0.009% of people emailed) who felt his efforts warranted a thank you.

The evangelical are not easily dissuaded from their path by apathy or abuse though. Buoyed by what he describes as the success of his first trial, Atechdad has given his experiment a name, Robin, and vowed to do it again.


Image of a lost wallet courtesy of Shutterstock.