Skip to content
One man emailed 97,931 people to tell them their passwords had been stolen
Naked Security Naked Security

One man emailed 97,931 people to tell them their passwords had been stolen

'Atechdad' searched Pastebin for stolen login credentials, and after three days of searching he emailed victims to tell them the bad news.

lost leather wallet with money and cardsIf you found a wallet lying in the street that contained thirty dollars and the owner’s address would you return it?

‘Atechdad’ would.

Atechdad is the creator of the hacked site gallery and he’s more familiar than most with the bits of the web where personally identifiable detritus washes up from so many internet break-ins.

He is, in his own words, somebody who runs “across lots of passwords on the webs”.

What if someone returned your wallet, but cloned your credit card? You probably wouldn’t know anything was amiss. Losing a password is a bit like having your credit card cloned. Unlike losing your wallet, there isn’t a particular moment when it’s no longer in your possession, only the moment where it’s no longer exclusively yours.

Which makes learning that your password has been stolen an unpleasant but necessary step in re-establishing the integrity of your privacy and security.

The web is, as Atechdad attests, littered with cloned passwords and yours might be among them.

To find out if they are, you’ll either have to conduct an exhaustive, never-ending search of the web’s grubby corners or pay somebody else to do it for you.

Assuming you even realise that such a service exists, and most of us probably don’t, you’ll have to decide if you trust it.

Atechdad had another idea:

I run across lots of passwords on the webs. Passwords to bank accounts, Netflix accounts, email accounts - you name it ... I wondered what would happen if I just emailed this information to the people who owned it

So he set out searching Pastebin for credentials and after three days amassed a trove of nearly 98,000 email and password combinations.

And then he contacted all of them to tell them the bad news.

From: <canary> 
Date: Tue. 19 May 2015 06:12:41 -0400 
Subject: Your account may have been compromise& 

To Whom It May Concern: An account associated with this email address may have been compromised. This email has been sent as a warning.

If these credentials match any you are familiar with. we recommend that you change your password as soon as possible. Otherwise. please disregard this message.



The scripts that is powered by routinely come across sensitive information which has been published publically. This is usually the result of a hack. social engineering attack or phishing campaign. Many people may not know their accounts have been compromised. We send these emails as a service to let people know so they can take action. 

About Canary 

-urhack Canary

If you do not wish to receive these notifications in the future. please unsubscribe. We will not bug you again. Promise.

Those of you itching to know if this good Samaritan gesture was met with altruism in kind should prepare yourselves for disappointment; the internet did not thank Atechdad.

It could have been the slightly spammy, lightly phishy nature of his communiqué (note the typo in the subject line).

Or maybe, after years of disingenuous emails from rich Nigerian princes and beautiful Russian girls, we’ve lost faith in the claims of strangers.

Whatever the reason, Atechdad’s 97,931 good intentions were just no match for the yawning, black hole of apathy and cynicism that our inboxes create.

Just 50 of the near-one hundred thousand recipients registered receipt of their email in any way whatsoever. Of those, 41 did so by unsubscribing themselves, leaving just nine (0.009% of people emailed) who felt his efforts warranted a thank you.

The evangelical are not easily dissuaded from their path by apathy or abuse though. Buoyed by what he describes as the success of his first trial, Atechdad has given his experiment a name, Robin, and vowed to do it again.

Image of a lost wallet courtesy of Shutterstock.


Haven’t you noticed that the harder you try to say that the email you are sending is not spam, the more it sounds like you’re spamming?


Wouldn’t using a registered receipt of email in any way be an incorrect way of determining how many read the email? If there were 10,000 who read and acted upon the email by updating their compromised account(s) but didn’t reply back in any manual or automated fashion, Atechdad’s efforts would be hugely successful, but untrackable.


Not all email clients support read receipts and it’s at the discretion of end users to allow them or not on the ones that do. Plenty of people would see it as a further imposition on top of unsolicited email.

There is no good way to track email opens – commercial mass mailing applications tend to use images that have to be retrieved from a website owned by the sender but again, they have to allowed by the recipient.

Both techniques would undermine atechdad’s credibility even more IMO.

So yes, you’re absolutely right, it could be that tens of thousands acted upon the emails.

There’s simply no way to tell.


If I had been him I would have put the password as the subject line… This would had drawn more attention.
His template as it is just looks too much like regular spam… If I see an email with “Your account may have been compromise&” as subject I just delete it or click “report spam”.
As it is it was probably caught by most current Bayesian spam filters….


I don’t know where the misspelling came from. The email that was sent actually had an exclamation mark. The example on my blog is a response. I suspect the sample above has urlencoded the message or something.


So, is Atechdad legit??


I got one of these a few hours ago, google put it in the spam box.
The format is better then the one shown above. When you see an email with your username and password in a large font, you know without a doubt it is no longer secure.

What I’m still not sure of is how the password was gotten, oddly the website it was for emailed me, 18min before the notice, informing me of an attempted access.

Makes me think urhack either attempted to use the login or brute forced the info in the first place.


I got one of these emails as well and conveniently enough my accounts were taken over right as I received the email. Never had any issues before that.


Pretty sure didn’t attempt an access. The password must have been freshly stolen and Atechdad informed you quickly after.


dude, that’s a crime. no, seriously. you’re not robin hood, mmm’kay?

people, when you get this garbage, report it to federal agencies that handle hacking, phishing and online identity theft.


He didn’t hack anyone. People steal this information everyday, and he knows where to find it and advises people to change their passwords. Not a crime in the slightest. I left him today a thank you reply for sending me this email. Again he doesn’t hack anyone. At best he hacks the people that steal our passwords.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!