
The best site to find password leaks: Google - dendory
http://www.google.com/search?q=filetype:sql+password+123456+gmail&hl=en&tbo=1&output=search&source=lnt&tbs=rltm:1&sa=X&bav=on.2,or.r_gc.r_pw.&biw=1440&bih=819
======
oasisbob
Johnny (& others) have been doing this type of thing for years. The classic
collection is here: <http://johnny.ihackstuff.com/ghdb/>

------
gtank
Similar, and interesting in the context of LulzSec releases, is @PastebinLeaks
on Twitter. It scans Pastebin for a variety of things (mail address lists, PGP
keys, SQL dumps, and router configuration files have all popped up so far).
They're not 100% - especially the mail/password dump detection - but it's
definitely catching stuff.

<http://twitter.com/#!/PastebinLeaks>
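
As an added example (not part of this thread and not PastebinLeaks' own code), here is the detection half of such a scanner in Python: given the text of a paste, it classifies it as a SQL dump, a mail:password list and/or a PGP private key, pulls out the e-mail/secret pairs, and tells hashed secrets from plaintext by shape. The sample paste is constructed test data, the column-after-the-email rule for INSERT rows is a heuristic, and fetching pastes is left out.

```python
import re
from dataclasses import dataclass, field

# Constructed sample paste (synthetic data, not a real leak): a fragment of a
# mysqldump, two "mail:pass" lines and a PGP private key header.
SAMPLE_PASTE = """\
-- MySQL dump 10.13  Distrib 5.1.41, for debian-linux-gnu (x86_64)
CREATE TABLE `users` (`id` int, `email` varchar(255), `password` varchar(64));
INSERT INTO `users` VALUES (1,'alice@example.com','123456');
INSERT INTO `users` VALUES (2,'bob@example.org','5f4dcc3b5aa765d61d8327deb882cf99');
carol@example.net:hunter2
dave@example.com:5f4dcc3b5aa765d61d8327deb882cf99
-----BEGIN PGP PRIVATE KEY BLOCK-----
lQOYBE...
-----END PGP PRIVATE KEY BLOCK-----
"""

EMAIL = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
EMAIL_RE = re.compile(EMAIL)
# one credential per line: "user@host:secret" (also ; | tab or space separated)
MAILPASS_RE = re.compile(r"^\s*(" + EMAIL + r")[:;|\t ]+(\S+)\s*$", re.M)
INSERT_RE = re.compile(r"INSERT INTO\s+`?(\w+)`?.*?VALUES\s*(.*?);", re.I | re.S)
# one "( ... )" row, tolerating quoted strings that contain commas or parens
ROW_RE = re.compile(r"\(((?:[^()']|'(?:[^'\\]|\\.)*')*)\)")
# one SQL literal: single-quoted string (with backslash escapes) or bare token
VALUE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|([^,\s]+)")
CREATE_RE = re.compile(r"\bCREATE TABLE\b(.*?);", re.I | re.S)
PASSWORD_COLUMN_RE = re.compile(r"\b(?:pass(?:word|wd)?|pwd|hash|secret)\b", re.I)
HEX_DIGEST_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
PGP_PRIVATE = "-----BEGIN PGP PRIVATE KEY BLOCK-----"


@dataclass
class Credential:
    email: str
    secret: str
    source: str  # "sql" or "mailpass"

    @property
    def hashed(self) -> bool:
        """Looks like an MD5/SHA-1/SHA-256 hex digest rather than plaintext."""
        return bool(HEX_DIGEST_RE.match(self.secret))


@dataclass
class Report:
    kinds: set = field(default_factory=set)
    credentials: list = field(default_factory=list)


def _sql_rows(text):
    """Yield the value list of every row of every INSERT statement."""
    for _table, values in INSERT_RE.findall(text):
        for row in ROW_RE.findall(values):
            yield [m.group(1) if m.group(1) is not None else m.group(2)
                   for m in VALUE_RE.finditer(row)]


def scan_paste(text: str) -> Report:
    rep = Report()
    seen = set()

    def add(email, secret, source):
        key = (email.lower(), secret)
        if key not in seen:
            seen.add(key)
            rep.credentials.append(Credential(email, secret, source))

    if INSERT_RE.search(text) or CREATE_RE.search(text):
        rep.kinds.add("sql_dump")
    for m in CREATE_RE.finditer(text):
        if PASSWORD_COLUMN_RE.search(m.group(1)):
            rep.kinds.add("password_column")
    # heuristic: the secret is the column right after the e-mail column
    for values in _sql_rows(text):
        for i, v in enumerate(values[:-1]):
            if EMAIL_RE.fullmatch(v):
                add(v, values[i + 1], "sql")
                break
    for email, secret in MAILPASS_RE.findall(text):
        rep.kinds.add("mail_password_list")
        add(email, secret, "mailpass")
    if PGP_PRIVATE in text:
        rep.kinds.add("pgp_private_key")
    return rep


def affected_emails(rep: Report) -> list:
    """Unique addresses found, i.e. who a notifier would have to contact."""
    return sorted({c.email.lower() for c in rep.credentials})


if __name__ == "__main__":
    report = scan_paste(SAMPLE_PASTE)
    print("kinds:", ", ".join(sorted(report.kinds)))
    for c in report.credentials:
        print(f"{c.email:<20} {'hash' if c.hashed else 'plaintext':<9} via {c.source}")
    print("notify:", affected_emails(report))
```

The mail/password rule is the noisy one, as gtank notes: any "address:token" line matches, so a mailing-list export with a trailing field looks like a credential dump. Treat the `kinds` set as a triage signal and the extracted pairs as something a human confirms before anyone is contacted.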

~~~
beaumartinez
These kinds of tools cause more harm than good.

~~~
kungfooey
That's balderdash. These kinds of tools raise awareness of the issue,
hopefully making more people think twice about posting private data to a
public place. If they continue to be unaware of the danger of doing so, then
it is simply exploited silently and everyone wonders how it happened.

Your statement assumes that security through obscurity is a good thing.

~~~
pavel_lishin
At this point, you're both right - exposing these things to a massive audience
just increases the number of potential attackers.

Someone ought to write a tool that follows this account, and e-mails people
warning them that their e-mail has been compromised.

The hard part would be explaining what happened, how to verify it, and how to
fix it to random strangers without convincing them that you're the one who
just tried to steal their life savings.

~~~
jpulgarin
www.hacknotifier.com does this (disclaimer: I started it) - but it requires
the user to subscribe to our service. Unfortunately, cold emailing them (which
we considered) would be considered spam.

------
andrewcooke
I just created a Google alert for my email + "filetype:sql".
<http://www.google.com/alerts> - might as well make this work for me...

~~~
JonnieCache
This is a great idea. Unfortunately pastebin and sites like it are generally
not indexed by google.

~~~
pavel_lishin
Crawling pastebin is trivial - there was an HN story on it a while ago, and I
wrote my own from scratch as an exercise. Perhaps we should suggest this to
the guy behind <https://shouldichangemypassword.com/>

------
phn
Well, it is the best site to find almost anything, so why not passwords? :)

Honestly though, google shouldn't even have to worry about these things, their
mission is to organize data on the web. If it is there, it should be
searchable.

------
eLobato
Google hacking is truly awesome and powerful. In fact there is some pro
material already on the web such as <http://johnny.ihackstuff.com/ghdb/>

There is also a pretty good book from a Spanish Microsoft MVP (yeah, it sounds
bad, but still it's an important award :)

<http://www.informatica64.com/libros.aspx?id=hackingBuscadores>

It's a shame they decided not to translate it; is anyone here up to it? It
contains everything that you'd ever wonder about and much more.

~~~
Tiomaidh
Here's the teaser from the link. I don't own the book and thus have nothing
else to translate.

Title: Search Engine Hacking with Google, Bing & Shodan

Author: Enrique Rando

Pages: 272

Price: 20 Euros + Shipping (includes IVA)

Though it's been 2500 years since Sun Tzu wrote "The Art of War", many of his
lessons remain relevant. His teaching contains several passages that seem
especially suitable for people who work in Information Security:

* "Those who disable foreign armies without combat are the best teachers of the Art of War."

* "Before you fight, first learn the skills of the enemy's workers, and then fight them according to their weaknesses."

* "When you can perceive subtlety, winning is easy."

Without a doubt, this information is key in preparing for attempted security
breaches. Without it, determining what to attack and how to do it is
impossible. Search engines have become important tools for collecting data and
other intelligence. However, despite Google hacking's many years of use, its
techniques have perhaps not always been well-treated or publicly shared.

------
dools
How does this actually happen though? Is this simply a case of people leaving
the standard "apache index page" turned on, or do this many people actually
publish links to their SQL files somewhere crawlable?

~~~
damncabbage
Usually a combination of the Apache index pages, dumb server setups, and
people being lazy, careless and/or forgetful when they dump a database to
disk.

Also, sometimes an index.html file is accidentally removed, causing
(brain-dead installs) to suddenly reveal the contents of a directory, e.g.
<http://shahinfosoft.com/>
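
The failure mode described above (no index.html, autoindex on, a dump left in the web root) is easy to check for on your own hosts. As an added example, not code from anyone in this thread, here is a Python check that recognises an Apache mod_autoindex page by its "Index of ..." title and lists the entries whose names look like dumps or backups. The listing page is constructed to match mod_autoindex's plain output, not fetched from a real host; feed it the body of an HTTP response to your own directories. The fix on the server side is `Options -Indexes` in the vhost or `.htaccess` and keeping dumps out of the document root altogether; a robots.txt entry only asks well-behaved crawlers to skip a path and does nothing against a direct request.

```python
from html.parser import HTMLParser

# Extensions that, sitting in a web root, usually mean a dump or a backup.
DUMP_SUFFIXES = (".sql", ".sql.gz", ".sql.zip", ".sql.bz2", ".dump", ".bak",
                 ".mdb", ".zip", ".tar", ".tar.gz", ".tgz", ".7z", ".old",
                 ".csv", ".xls")

# Constructed page in the shape Apache's mod_autoindex produces when no
# index.html exists and Options +Indexes is in effect (not a real host).
SAMPLE_LISTING = """\
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /backup</title>
 </head>
 <body>
<h1>Index of /backup</h1>
<ul><li><a href="/"> Parent Directory</a></li>
<li><a href="db_2011-06-22.sql"> db_2011-06-22.sql</a></li>
<li><a href="db_2011-06-22.sql.gz"> db_2011-06-22.sql.gz</a></li>
<li><a href="logo.png"> logo.png</a></li>
<li><a href="old/"> old/</a></li>
</ul>
</body></html>
"""

# Constructed ordinary page: links to a .sql file, but it is not a listing,
# so the check must not flag it (a deliberate link is a different problem).
SAMPLE_NORMAL = ("<html><head><title>Welcome</title></head>"
                 "<body><a href='export.sql'>download</a></body></html>")


class _LinkTitleParser(HTMLParser):
    """Collects the <title> text and every <a href>."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _parse(html: str) -> _LinkTitleParser:
    p = _LinkTitleParser()
    p.feed(html)
    p.close()
    return p


def is_directory_listing(html: str) -> bool:
    """mod_autoindex titles its pages 'Index of <path>'; use that as the signal."""
    return _parse(html).title.strip().lower().startswith("index of ")


def exposed_dump_files(html: str) -> list:
    """Listed entries that look like dumps or backups; empty for non-listing pages."""
    p = _parse(html)
    if not p.title.strip().lower().startswith("index of "):
        return []
    return [h for h in p.hrefs
            if not h.endswith("/") and h.lower().endswith(DUMP_SUFFIXES)]


if __name__ == "__main__":
    for name, page in (("listing", SAMPLE_LISTING), ("normal", SAMPLE_NORMAL)):
        print(name, is_directory_listing(page), exposed_dump_files(page))
```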

------
runjake
Welcome to 2005. Hopefully this isn't new to the rest of you.

As someone else mentioned, Johnny posted articles on this years ago. But, he
merely popularized it, Google hacking was around long before him.

See also: filetype:mdb, filetype:xls, "ssn" and so on.

For music, try: metallica filetype:mp3

For books, try: oreilly filetype:epub (or whatever)

~~~
m8urn
What's really the interesting story is that it isn't 2005 and yet this stuff
still works.

------
tibbon
And even if it's hashed, there are public databases resolving those:
<http://hashash.in/>

~~~
pavel_lishin
This is only good for unsalted hashes, which hopefully are on the decline.
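
Why a public lookup table works against unsalted hashes and stops working once a per-user salt is in play, as an added Python example (not code from hashash.in or from anyone in this thread). The wordlist is constructed and stands in for the precomputed tables such a service holds; the salted scheme shown is PBKDF2-HMAC-SHA256 with a random 16-byte salt, one of the standard choices rather than anything the thread prescribes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for the precomputed tables behind a public
# hash-lookup service; real tables hold hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "iloveyou"]
ITERATIONS = 100_000


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """digest -> plaintext. Built once, it works against every site that stores
    unsalted MD5, because the same password always gives the same digest."""
    return {md5_hex(w): w for w in words}


def lookup(stored_hex: str, table: dict) -> Optional[str]:
    return table.get(stored_hex.lower())


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = ITERATIONS):
    """Per-user random salt + PBKDF2-HMAC-SHA256; returns (salt, digest_hex)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str,
                  iterations: int = ITERATIONS) -> bool:
    _, candidate = store_salted(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_hex)


def crack_salted(salt: bytes, stored_hex: str, words,
                 iterations: int = ITERATIONS) -> Optional[str]:
    """What an attacker is reduced to once salts are in play: no shared table,
    the wordlist has to be rehashed for each user's salt, and the iteration
    count makes every guess cost as much as a login."""
    for w in words:
        if verify_salted(w, salt, stored_hex, iterations):
            return w
    return None


def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    # Two users, same weak password, unsalted MD5: identical digests, and the
    # table resolves both instantly (this is what a hash lookup site does).
    alice_unsalted = md5_hex("123456")
    bob_unsalted = md5_hex("123456")
    # Same password, salted: two different stored values, the table misses,
    # and the only route left is a per-user guess loop.
    alice_salt, alice_hash = store_salted("123456")
    _bob_salt, bob_hash = store_salted("123456")
    return {
        "unsalted_equal": alice_unsalted == bob_unsalted,
        "unsalted_recovered": lookup(alice_unsalted, table),
        "salted_equal": alice_hash == bob_hash,
        "salted_table_hit": lookup(alice_hash, table),
        "salted_guessed": crack_salted(alice_salt, alice_hash, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<20} {value}")
```

Note the last line of the demo: the salt defeats the shared table, not the guess itself. A weak password is still found by rehashing the wordlist against that one user's salt, which is why the slow KDF matters as much as the salt.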

------
rakkhi
Also: <https://shouldichangemypassword.com/>

~~~
philjackson
I tried "hello" and "god" and both are safe, apparently.

~~~
bjarnidg
use your email address.

~~~
philjackson
I was joking. Not very funny, I admit...

------
tzury
It's nice how a screenshot from a Groupon post made it into a new thread on HN.

See the one at <http://news.ycombinator.com/item?id=2704359>

------
etruong42
And now for porn:

<http://www.google.com/search?hl=en&tbo=1&biw=1315&bih=929&tbs=rltm%3A1&q=http%3A%2F%2F*%3A*%40members.bangbros.com&aq=f&aqi=&aql=&oq=>

(SFW-ish; no images, just links to really sleazy websites)

------
namank
C'mon! Mistakes happen, sure. But a correctly written robots.txt would prevent
this

------
PartyDawg
It's a shame these companies are so cheap that they don't hire real
developers.

~~~
peterwwillis
You think Fortune 500 companies don't hire complete idiots too? They just have
5 extra people for every 1 developer to double check whether or not the
developer did something stupid, test the site for obvious vulns, etc.

------
meric
Remember to turn on private browsing.

~~~
isani
Private browsing isn't going to help with sites that publish their databases
in plaintext, as in the link.

~~~
meric
Your browsing history will show the passwords you searched for to people who
use your computer. Also, the next time you Google search while logged in, your
password might also show as a suggestion.

Otherwise a password-not-yet-leaked will no longer be. If you didn't turn on
private browsing as I suggested and are using Safari, type the password you
searched for in your URL bar now and you will see why I said what I said.

~~~
pavel_lishin
Why would you search for your passwords at all, then? Wouldn't it make more
sense to search for your email and username?

And for that matter, why do you have so few that you can easily google for
them instead of generating random ones per site?

(Fun fact, googling for your e-mail address reveals a hash of your password on
MtGox.)

~~~
meric
Maybe someone was like me and didn't think to not search for their password,
which ended up in their browser history. The title had _password leaks_ in it
and that's the first thing I thought of when I got there: "Hey, my MtGox
password got leaked, let's google it."

For that matter, I have a unique password (with the necessary special
characters) for each account that associates with my identity (Not naming any
examples here), but only several unique passwords for websites I don't intend
to use much e.g. to read newspapers, and apparently, MtGox.

(Yes, I was searching for my MtGox password because it was the same password
I used for random throwaway sites. No, I never used it; I don't even remember
having confirmed my account there. My assets in bitcoins amount to < $2 USD.)

I still don't understand why all the downvotes. It would've helped me if
someone reminded me not to actually google my password with my browser
watching. Apparently not anyone else.

------
chanux
Downmod me if you feel like, but I genuinely feel bad about HN after seeing
this submission.

edit: definitely downmod to make an example.

~~~
peterwwillis
...why do you feel bad about HN just for exposing terrible security practice?
Hopefully startups get shocked enough by it to tighten up their privacy
policies.

