
“I Emailed 97,931 Users Their Passwords” - julianj
http://atechdad.com/i-emailed-97931-users-their-passwords/
======
harrisonjackson
Nice work! At a glance, the email you sent out does look sort of spammy. If
you plan on doing it again you might get better feedback by making it a bit
more human - ie "I'm just a guy/gal trying to help yall out - hope you don't
use this password everywhere because someone posted it to pastebin.... - have
a good one!" or something like that. Out of curiosity - what did you use to
scrape pastebin?

~~~
jwcrux
I created a Twitter bot called @dumpmon (recently suspended for no apparent
reason) that scraped paste sites looking for password dumps and tweeting if
one was found.

You can find the code here: [http://github.com/jordan-wright/dumpmon](http://github.com/jordan-wright/dumpmon).

Here are some stats if anyone is interested in what it collected over approx.
2 years: [http://jordan-wright.com/blog/2015/05/26/two-years-of-at-dumpmon/](http://jordan-wright.com/blog/2015/05/26/two-years-of-at-dumpmon/)

~~~
shayanjm
I remember chatting with you a while back as I was also working on a pastebin
scraping project.
[http://github.com/shayanjm/pasteye](http://github.com/shayanjm/pasteye)

Glad to see dumpmon is still going strong :)

~~~
jwcrux
It is... just not on Twitter anymore. The account was suspended about a week
or two ago and I haven't heard anything back on my appeal from Twitter.

------
DanBC
Go careful. This is probably against the ToS of whatever internet services
you're using.

> The thank you notes I got were sincere. One of them validated the entire
> effort when the person indicated that they use the same password for
> everything and wanted to know which account had been compromised

I hope they don't only change the password on that one site!

------
mynameisvlad
> Including one request to F**k off.

If someone had just sent me an email letting me know that my email and
password are out there in the wild, "fuck off" would not be my first reaction.
That's just rude.

~~~
hartator
Sending unsolicited automated emails, even for good, may be considered rude as
well.

~~~
mynameisvlad
Really? Do people seriously have this notion? Yes, sending actual spam is
rude. But an unsolicited automated email can _easily_ be deleted, especially
if it's one time. I would never associate "rude" with that, maybe "annoying"
at worst.

~~~
DanBC
But this is actual spam! It's bulk, and unsolicited. The content doesn't
matter.

~~~
mynameisvlad
Well, it really depends on one's definition of spam. I personally consider
emails that are bulk and unsolicited, but provide some sort of actual
information or help to not be "spam" but instead just call it what it is, a
bulk, unsolicited email. To move it over to the spam category, I also would
require it not be at all useful to me. Of course, that's just me, which is why
I asked the question.

~~~
DanBC
Sure, that's one definition. Your definition would get you kicked off many
service providers and is illegal in some jurisdictions.

~~~
hartator
Plus, there was a donation button. A lot of companies are sure you are
honestly better off with their services as well.

------
meburns
cached version ->
[http://webcache.googleusercontent.com/search?q=cache:tQP6ur9of4IJ:atechdad.com/i-emailed-97931-users-their-passwords/+&cd=1&hl=en&ct=clnk&gl=us](http://webcache.googleusercontent.com/search?q=cache:tQP6ur9of4IJ:atechdad.com/i-emailed-97931-users-their-passwords/+&cd=1&hl=en&ct=clnk&gl=us)

~~~
Aardwolf
Thanks :) Since it says "Error establishing a database connection", I wonder
if someone misused the password of their database?

~~~
scarecrowbob
Naw, that's what happens when WordPress is overtaxed.

~~~
julianj
Yeah-- I was not expecting this kind of traffic- I am resizing.... the box,
hopefully this resolves the issue very soon.

------
ocdtrekkie
This is a pretty useful service. I do check sites tracking these compromises
on occasion, and I know at least one password I used before has been
compromised, but it wasn't one I'd used in years.

My biggest concern is that your subject line sounds like plenty of
spam/phishing emails, and your URL may get blacklisted by email services if
you do this often enough.

From a slightly higher effort standpoint, you might be able to work with major
email service providers to ship these notifications to users in a more
official capacity.

~~~
kanusterkund
The problem isn't that the subject line sounds spammy, it's that the spam
mails try to sound legitimate. This may in turn create problems for actually
legit messages.

Maybe putting the scraped password in the subject line catches the recipients'
attention.

~~~
ocdtrekkie
That would probably help. "Your password, xxxx, has been compromised." Even if
they think it's spam, they should immediately realize they do need to change
their password.

~~~
julianj
That's a good idea. Maybe a subject line like your password p __ __*rd has
been compromised.

~~~
ocdtrekkie
Password is already compromised, so this is a worthless step. And only seeing
part of the password may cause them to think it's largely still secure or
something. (Some people don't understand wildcards.)

~~~
julianj
Good point

~~~
tripzilch
Nonono really bad idea, because of shoulder-surfing!

~~~
ocdtrekkie
Since their password is already compromised publicly on the Internet, it's
silly to worry about shoulder-surfing. In fact, if someone shoulder-surfs, and
sees the password, the user is even more encouraged to CHANGE it.

------
terminado
This is a cute experiment, but unfortunately the integrity of the service is
easily corrupted.

The biggest problem is being prone to misinformation. There's nothing to
prevent people from posting arbitrary e-mail lists to pastebin, with purported
matching passwords, as an effort to provoke your service to cry wolf.

A few suggestions to harden the service:

- provide integrity when sending the message by including a PGP signature.
what's to stop someone from running an e-mail server and spamming mass e-mail
lists with message headers that spoof your mail domain, and proclaim bogus
security lapses?

- in general, e-mail itself is not assuredly secure. sending people an e-mail
is not enough, since the message might be intercepted as plaintext, and
altered in transit. furthermore, those intercepting the e-mail might scoop up
credentials and use them. if your service is a reliable source of working
credentials, who better to attack? maybe you risk making the problem worse?

- consider hosting a secure web page over SSL, and mail links to your site.
if your service gains a positive reputation, users might be able to
acknowledge past leaks, but elect to receive further notices if other leaks
recur elsewhere. maybe users can see links to the source someone is using to
post their info, and whether the situation has been remedied by a take-down.
this might be a questionable activity: if you send people to that same breach,
will they look at the same list and abuse other users on the list? but what
better way to demonstrate the breach?

- provide a means to verify the level of exposure. what if someone's account was
listed for 24 hours, and then the leak was taken down. they might still wish
to know they were exposed, so they can take action. also, is the resource
you're linking to confirmed as related to a known/verified data breach? who
confirmed that this was a real breach of security? are you a first responder
to the leak? has the leak been responsibly disclosed to the providers of the
accounts tied to the leaked passwords?

~~~
julianj
These are very good points. 1. Good idea 2. Good point, however, these
credentials are usually already posted in public forums. My thoughts were that
the risk was already present-- and the person who potentially didn't know was
the user. 3. I am patiently waiting on Let's Encrypt. As a side project with
no income, I cannot justify the cost of a certificate. 4. I found based on
some responses that some of the credentials were old. It was not my intention
to verify exposure, but let the user know that I found a password. If the
person recognizes it for any account, change it.

I don't know if this is a service that can be maintained for any period of
time, but hopefully the unexpected emails helped someone before the service
could be abused.

~~~
hobarrera
While we wait for Let's Encrypt, you can use a free certificate from StartSSL.

~~~
julianj
I have looked at StartSSL when I registered my domain. I was turned off when I
was told my domain wasn't old enough. I understand why-- I just decided to
wait then.

------
tripzilch
Beautiful effort, nice work!

If you're going to continue doing this, you might want to take a look at the
message you're sending (or have someone else do that for you). Remember that a
large segment of your recipients are probably not the most tech-savvy (or
brightest). Do not overestimate random users' reading comprehension. Without a
clear explanation of where these passwords came from, the natural assumption is
that you did it, and you're warning them as a threat. No, that doesn't make
sense, but remember who you're talking to.

One more thing:

> the person indicated that they use the same password for everything and
> wanted to know which account had been compromised.

If you answered that, you may just have got social engineered.

------
nly
While I support this valiant effort, aren't there often legal implications to
doing this?

~~~
jakejake
It might be considered spam for one thing. The emails are unsolicited and it
might be seen as a subtle promotion of the urhack project. I'm not sure that
collecting and sending the passwords is illegal but I'm sure that wouldn't
stop some litigious person from causing grief.

~~~
pluma
They're definitely unsolicited. If they are also promotional, that would make
them illegal -- at least in the EU.

------
josu
On a related note, how safe is it to do a Google search of your password?

~~~
knd775
This is actually a really interesting idea. I'd love to know how possible it
would be for someone to scrape recent google searches, somehow. I'd think it
would be relatively safe, but I'm still hesitant.

------
dalerus
Did you track open rates? I would be curious to see what those numbers look
like.

~~~
mfoy_
Is there any reliable way to do this? Most mail clients will block receipt-
type stuff by default...

~~~
mason240
I believe the trick is to put a hidden, 1px image in the email. Then you can
track how many times it was requested.

~~~
semi-extrinsic
Assuming people read their email in HTML and have their email client
set/defaulting to automatically request external content. Sure, for a large
sample from a non-technical audience such as here it's probably a good
assumption, but it may not be for e.g. a small sample from a tech-savvy
audience.

~~~
hobarrera
Most modern email clients (and webmail clients, and smartphone clients) hide
webbugs by default, so the 1px image technique won't work.

This'll only work on very very old desktop clients, or users that actually
click the "show images" button.

------
supster
This is awesome, very nice of you. Many thanks to you!

------
BorisMelnik
The database error is such a touché right now in this post :)

