
Redditor finds list of 47k email addresses with passwords - 8ig8
http://www.reddit.com/r/AskReddit/comments/m8uuc/reddit_i_just_came_across_a_list_of_about_47k/
======
karolist
As suggested on reddit, they all might belong to the same spammer. I don't
know about Hotmail account creation, but if it's protected by captchas only,
spammers have no problems making the accounts. Some captchas can be decoded in
code with high success relatively quickly, others can be fed to mturk-style
services.

Google has phone verification now, I guess that's harder to overcome.

~~~
craigmc
You can (or could) buy 'aged' Hotmail addresses for cents - these have never
been used by real users. As for captchas, a quick Google search will offer up a
heap of solving services, many even with APIs! The only way to protect a
service against spammers or blackhatters is to stop it from being useful to
them in the first place (i.e. don't allow links in profiles, etc. Harder for
services like email which can't really be hobbled to prevent this sort of use
without trashing the key function).

Either through automation software or (as you note) mturk-style services,
pretty much any anti-spam defence can be breached.

Presumably, if the list of Hotmail accounts was just for outbound spamming, then
one of the addresses on the list would have been used to send the original
phishing email.

------
powertower
Not a smart thing to do (to log into those accounts).

If you found a bunch of house keys, each one labelled with the address of the
house, would you go to each house and open each door? Stepping inside is not
necessary.

That, of itself, might not break any laws (without prior warning, or intent to
cause harm, it might not be trespassing), but computer trespass laws only
require unauthorized access.

~~~
vinhboy
I never like it when people compare the digital world to the real world.

It's like the whole "would you download a pizza" statement.

The answer is always, yes, yes I would.

I hope our politicians and law enforcement officials do not treat the digital
world like it's the real world. Things are just not the same... We need
separate rules and a separate code of ethics for each.

~~~
code_duck
I consider my email to be like a personal folder, where I have an expectation
of privacy. If I accidentally left my briefcase at your office, I would hope
you wouldn't look through it.

If you found the keys to a room full of filing cabinets with other people's
papers, it wouldn't be right to go open them all. Similarly, if you find a
list of credentials that grant you access to the electronic documents of
others, it's not right to use those credentials. Of course 'downloading a car'
is a terrible metaphor, but comparing electronic documents to printed
documents seems very straightforward.

~~~
__david__
If we're forcing physical metaphors, I think it's more like finding a stack of
47000 briefcases in an alley somewhere. Unattended, no signs or anything.
Opening a bunch of them to just see if people's stolen documents are inside
seems reasonable in that case.

------
TomGullen
Easiest thing would be to send the list to Hotmail

~~~
stfu
Yeah, but logging into half of the accounts first probably wasn't the smartest
idea. Hope he is working from behind a proxy and not getting negative
consequences out of that stupid idea.

~~~
artursapek
I wonder why he felt the need to run it for two hours before deciding the
login combinations were legit.

------
ell
Is there a reason why the list contains Hotmail accounts only? Does this mean
Hotmail users are easier to hack into?

~~~
bbarthel
According to the OP, he found the site via a phishing email. So likely it was
just a mass mailing to Hotmail accounts, or designed to look like it came from
the Hotmail team - naturally only Hotmail users would be worried about an
email from them.

------
sukuriant
See. I'm torn. I know it's illegal, but if you present the information about
the list to a company (without logging in to the accounts), and they don't
take action, what do you do?

I suppose you could email all of the people on the list, but how effective
would that be?

~~~
pbhjpbhj
You'd probably need a good spamming system to get it past the spam checkers.
They're going to spam-bin short duplicate emails sent to a large multitude of
users I'd expect.

------
nmridul
From the look of it, these need not be hacked accounts. Normally
spammers create thousands of accounts on free email services and the bots are
used to auto-login and send spam out. Mail sent from Hotmail, MSN etc. has a
better chance of reaching your inbox than mail sent from custom domains, which
could easily end up in spam folders.

The spammers' favourites are Hotmail and MSN as they are easy to create. Gmail
has phone verification and other added stuff that makes it difficult for bots
to create accounts.

The server that the Redditor accessed could be the spammer's server where he
stored the username / password pairs in plaintext format for the bots.

------
learc83
I say the Chinese government is building a massive list of email/password
pairs that they can use down the road.

~~~
chrisdroukas
That's not a reasonable assumption given the data presented.

