Ask HN: I found a way to find thousands of emails/pwds. Now what? - bubblicious

While doing a bit of research for a blog article, I created a way to find thousands of new valid emails / passwords every day. The method I used and the scripts I wrote are actually very basic and common sense, and mostly rely on the fact that there is an easy way to find passwords that are poorly chosen. Now I am a bit torn about what to do. In a sense I would like to warn people (even though those warnings have already been said thousands of times) about this whole thing. But on another hand, putting out that information to the public would only be detrimental to all those people whose credentials would all of a sudden be out in the open for everyone to abuse. There is also the legal issue and I am in no way trying to get close to doing something stupid. Also this is not a case where I can issue a responsible disclosure as the information is found through 1/ weak passwords by random people, 2/ weak encryption by random organizations. Should I just let the whole thing go and concentrate on something else? Please advise. Thanks.
======
zeeed
First of all: congrats for finding it and kudos for asking for advice on how
to deal with the issue.

If you're doubtful about what way of disclosure would be the most prudent (and
you sure don't want the disclosure to backfire on yourself), get in touch with
someone who's bigger and has lawyers backing you up (like the EFF, but that's
just the first idea that popped into my mind; any tech news site might even
pay you for exclusive coverage).

~~~
bubblicious
Thanks, I'll see what I can find in the morning.

------
jumasheff
This is a great start-up idea, no? Your service shoots some kind of
notifications (read, emails) to the owners of the accounts with poor
passwords. When you are sure your emails are read, you start appending ads to
your notifications :)

~~~
bubblicious
Well, I did think about automating email notifications to warn users (but
nothing ad-related though :). I'm not sure I wouldn't end up in the spam
folder every time though!

~~~
tonteldoos
I think a lot of users are and always will be clueless. Back in the days of
dialup, with some ISPs it wasn't uncommon for those machines to be directly
connected to the internet (rather than through a NATting router). It was
AMAZING the stuff you could find by looking for (for example) \users, or
\documents.

------
tonteldoos
Where are you mining these passwords from? Private intranets? Cloud services?

~~~
bubblicious
Newly indexed files by Google every day.

~~~
tonteldoos
I think you gave the game away right there. From an ethical point of view, if
you can index these files, you can also automate contacting the site owners.
Yes, users should use better passwords, but there is also an onus on system
admins to at least TRY and keep information secure.

~~~
tonteldoos
You might have to be somewhat selective though. Don't tell them that you can
or have mined the passwords (some of them might decide that you 'hacked'
them). Maybe point out that potentially sensitive files are popping up on
Google, and try to look as dumb as possible. Don't let on that you're
automating this in any way. Having said that, I'm sure that there will be a
number of admins and users that will be extremely grateful for this!

I've sent similar emails in the past, and while you don't always get a reply
spouting thanks (or a reply at all), you will likely notice the file not being
available anymore.

~~~
tonteldoos
It depends on how much effort you want to go through. You could do a whois on
the IP/domain, and contact the registered owner (if the information is
available).

