9 comments

[ 5.5 ms ] story [ 37.3 ms ] thread
So I tweeted some re-uploaded db links before the one mentioned on that site went down. After looking to see where it spread I found yet another site called Leakedin which automatically parses pastes for potential leaks, it recorded and it made a post here: www.leakedin.com/2012/06/06/potential-leak-of-data-urls-list-315/

When reading the title of this HN post I thought someone spotted the Linkedin leak linked on Leakedin, but nope. :(

Oh well here is some mirrors of mirrors: http://pastie.org/4038632 http://pastebin.com/Phi70Bsj http://safebin.net/7182 http://tinypaste.com/f7db25b2

Don't forget to clean your .bash_history.
... or prefix your commands with whitespace to skip ~/.bash_history altogether.
... or $ unset HISTFILE
or put it in a file so it will never be in ps and use sha1sum < file
or just change your passwords and be done with it.
A couple points here. You can enter the sha1 hash of your password or your password in plaintext. In the latter case the sha1 is calculated on the client (using JS) before being sent to the server.

Now that we got that out of the way the more interesting pattern here is how easily people will put the plaintext password for a specific site into a webpage that sprung up overnight.

* I know Chris Shiflett is at least trusted in the tech community (has written books and talks at conferences, etc) so it's not about trusting the site but the larger social implications of user behavior.

By all means put the whole lot of your accounts passwords into a random website. lets see how things work out for you
Who here didn't do a view source immediately just to make sure nothing was being sent to the server? =)