Nice work! At a glance, the email you sent out does look sort of spammy. If you plan on doing it again you might get better feedback by making it a bit more human - ie "I'm just a guy/gal trying to help yall out - hope you don't use this password everywhere because someone posted it to pastebin.... - have a good one!" or something like that. Out of curiosity - what did you use to scrape pastebin?
That's a good idea. I will give that a shot. To scrape pastebin I used a mutated version of a python script by Xavier Garcia. The only change I made was to save a copy of the paste.
The version I adapted is located here: http://www.shellguardians.com/2011/07/monitoring-pastebin-le...
I created a Twitter bot called @dumpmon (recently suspended for no apparent reason) that scraped paste sites looking for password dumps and tweeting if one was found.
This is a pretty useful service. I do check sites tracking these compromises on occasion, and I know at least one password I used before has been compromised, but it wasn't one I'd used in years.
My biggest concern is that your subject line sounds like plenty of spam/phishing emails, and your URL may get blacklisted by email services if you do this often enough.
From a slightly higher effort standpoint, you might be able to work with major email service providers to ship these notifications to users in a more official capacity.
The problem isn't that the subject line sounds spammy, it's that the spam mails try to sound legitimate. This may in turn create problems for actually legit messages.
Maybe putting the scraped password in the subject line catches the recipients' attention.
That would probably help. "Your password, xxxx, has been compromised." Even if they think it's spam, they should immediately realize they do need to change their password.
Password is already compromised, so this is a worthless step. And only seeing part of the password may cause them to think it's largely still secure or something. (Some people don't understand wildcards.)
Since their password is already compromised publicly on the Internet, it's silly to worry about shoulder-surfing. In fact, if someone shoulder-surfs, and sees the password, the user is even more encouraged to CHANGE it.
It might be considered spam for one thing. The emails are unsolicited and it might be seen as a subtle promotion of the urhack project. I'm not sure that collecting and sending the passwords is illegal but I'm sure that wouldn't stop some litigious person from causing grief.
It's very weird. It looks good to me, but I do see half of the hits are coming in from a cached version. I'll have to prepare better if I'm to post another article and not melt down.
If someone had just sent me an email letting me know that my email and password are out there in the wild, "fuck off" would not be my first reaction. That's just rude.
Really? Do people seriously have this notion? Yes, sending actual spam is rude. But an unsolicited automated email can easily be deleted, especially if it's one time. I would never associate "rude" with that, maybe "annoying" at worst.
Another thing to consider, these emails were also sent as a way to educate people about web security. I am not surprised that unsolicited automated emails to educate oneself are considered rude by some people.
Well, it really depends on one's definition of spam. I personally consider emails that are bulk and unsolicited, but provide some sort of actual information or help to not be "spam" but instead just call it what it is, a bulk, unsolicited email. To move it over to the spam category, I also would require it not be at all useful to me. Of course, that's just me, which is why I asked the question.
> If someone had just sent me an email letting me know that my email and password are out there in the wild, "fuck off" would not be my first reaction. That's just rude.
Really? This guy emailed 97,000 people and you're just going to assume they're all just like you? :)
In this list, with near certainty there will be all of the following: children, teenagers, people having a really really shitty day, dogs, criminals, mentally ill, and possibly indeed also a few who are "just rude" ...
Frankly it surprises me he only got one "fuck off" reply.
> Gmail automatically shows you the images in your messages
It does have an option to turn it off, but the default is on. They will load up the image themselves, then serve it from their domain, but, as the help information shows, that still indicates an "open", it's just that all the information on who opened the email (IP address, etc) would be wrong.
Yep, we're on the same page. The wording they use is "In some cases, senders may be able to know whether an individual has opened a message with unique image links." but I'd expect the tracking URLs themselves to be unique (most are, they are tied to an email so they know who opened the email and who didn't) so they would most likely bypass this cache. I expect the "some cases" refers to the ones where it simply gives you a count of people who opened your email, and does it by simply having a generic tracking URL.
D'oh, thanks for the correction! I knew about their caching mechanism, but failed to realize that it wouldn't prevent this sort of tracking pixel from working due to the pixel URL being unique (in most cases).
Assuming people read their email in HTML and has their email client set/defaulting to automatically requesting external content. Sure, for a large sample from non-technical audience such as here it's probably a good assumption, but it may not be for e.g. a small sample from a tech-savvy audience.
I'm familiar with the tracking image "trick" but I assumed most email clients wouldn't load those by default. The other comments seem to indicate I was wrong. :(
Go careful. This is probably against the ToS of whatever internet services you're using.
> The thank you notes I got were sincere. One of them validated the entire effort when the person indicated that they use the same password for everything and wanted to know which account had been compromised
I hope they don't only change the password on that one site!
This is a cute experiment, but unfortunately the integrity of the service is is easily corrupted.
The biggest problem is being prone to misinformation. There's nothing to prevent people from posting arbitrary e-mail lists to pastebin, with purported matching passwords, as an effort to provoke your service to cry wolf.
A few suggestions to harden the service:
- provide integrity when sending the message by including a PGP signature. what's to stop someone from running an e-mail server and spamming mass e-mail lists with message headers that spoof your mail domain, and proclaim bogus security lapses?
- in general, e-mail itself is not assuredly secure. sending people an e-mail is not enough, since the message might be intercepted as plaintext, and altered in transit. furthermore, those intercepting the e-mail might scoop up credentials and use them. if your service is a reliable source of working credentials, who better to attack? maybe you risk making the problem worse?
- consider hosting a secure web page over SSL, and mail links to your site. if your service gains a positive reputation, users might be able to acknowledge past leaks, but elect to receive further notices if other leaks recur elsewhere. maybe users can see links to the source someone is using to post their info, and whether the situation has been remedied by a take-down. this might be a questionable activity: if you send people to that same breach, will they look at the same list and abuse other users on the list? but what better way to demonstrate the breach?
- provide a means to verify the level exposure. what if someone's account was listed for 24 hours, and then the leak was taken down. they might still wish to know they were exposed, so they can take action. also, is the resource you're linking to confirmed as related to a known/verified data breach? who confirmed that this was a real breach of security? are you a first responder to the leak? has the leak been responsibly disclosed to the providers of the accounts tied to the leaked passwords?
> - provide integrity when sending the message by including a PGP signature. what's to stop someone from running an e-mail server and spamming mass e-mail lists with message headers that spoof your mail domain, and proclaim bogus security lapses?
This is a good point, but wouldn't use of SPF/DKIM solve this too? I think email servers are able to understand the SPF records and DKIM-Signature header and hence more accurately classify the emails as spam (if appropriate) which seems like a useful benefit.
These are very good points.
1. Good idea
2. Good point, however, these credentials are usually already posted in public forums. My thoughts were that the risk was already present-- and the person who potentially didn't know was the user.
3. I am patiently waiting on let's encrypt. As a side project with no income, I cannot justify the cost of a certificate.
4. I found based on some responses that some of the credentials were old. It was not my intention to verify exposure, but let the user know that I found a password. If the person recognizes it for any account, change it.
I don't know if this is a service that can be maintained for any period of time, but hopefully the unexpected emails helped someone before the service could be abused.
One way to mitigate risk could be to only send the first/last half of the password and replace the rest with asterisks. It would reduce the number of people caring though.
I have looked at StartSSL when I registered my domain. I was turned off when I was told my domain wasn't old enough. I understand why-- I just decided to wait then.
That's true. I would need to refine my regex. I guess anyone with a password that contains http:// or <script> or some other nastiness would be SOL. :)
This is actually a really interesting idea. I'd love to know how possible it would be for someone to scrape recent google searches, somehow. I'd think it would be relatively safe, but I'm still hesitant.
If you're going to continue doing this, you might want to take a look at the message you're sending (or have someone else do that for you). Remember that a large segment of your recipients are probably not the most tech-savvy (or brightest). Do not overestimate random users reading comprehension. Without clear explanation where these passwords came from the natural assumption is that you did it, and you're warning them as a threat. No that doesn't make sense but remember who you're talking to.
One more thing:
> the person indicated that they use the same password for everything and wanted to know which account had been compromised.
If you answered that, you may just have got social engineered.
71 comments
[ 3.3 ms ] story [ 164 ms ] threadYou can find the code here: http://github.com/jordan-wright/dumpmon.
Here are some stats if anyone is interested in what it collected over approx. 2 years: http://jordan-wright.com/blog/2015/05/26/two-years-of-at-dum...
Glad to see dumpmon is still going strong :)
Took much inspiration from dumpmon, but distributed it so users can choose their own sensitivity settings.
My biggest concern is that your subject line sounds like plenty of spam/phishing emails, and your URL may get blacklisted by email services if you do this often enough.
From a slightly higher effort standpoint, you might be able to work with major email service providers to ship these notifications to users in a more official capacity.
Maybe putting the scraped password in the subject line catches the recipients' attention.
Sorry about that.
If someone had just sent me an email letting me know that my email and password are out there in the wild, "fuck off" would not be my first reaction. That's just rude.
Unsolicited automated email = Spam.
Unsolicited semi-automated (i.e. fill in the blanks) email = Spam.
Unsolicited personal email actually written by a human = OK.
Followup to unsolicited email because I didn't reply to the first one = Very rude. Instant blacklist of sender.
Also for ref: http://dontevenreply.com/view.php?post=99
Really? This guy emailed 97,000 people and you're just going to assume they're all just like you? :)
In this list, with near certainty there will be all of the following: children, teenagers, people having a really really shitty day, dogs, criminals, mentally ill, and possibly indeed also a few who are "just rude" ...
Frankly it surprises me he only got one "fuck off" reply.
> Gmail automatically shows you the images in your messages
It does have an option to turn it off, but the default is on. They will load up the image themselves, then serve it from their domain, but, as the help information shows, that still indicates an "open", it's just that all the information on who opened the email (IP address, etc) would be wrong.
One source: http://arstechnica.com/information-technology/2013/12/gmail-...
EDIT: I get what you're saying. I guess the count would depend on how long Google caches that image- or do they load it on a per email basis?
This'll only work on very very old desktop clients, or users that actually click the "show images" button.
> The thank you notes I got were sincere. One of them validated the entire effort when the person indicated that they use the same password for everything and wanted to know which account had been compromised
I hope they don't only change the password on that one site!
The biggest problem is being prone to misinformation. There's nothing to prevent people from posting arbitrary e-mail lists to pastebin, with purported matching passwords, as an effort to provoke your service to cry wolf.
A few suggestions to harden the service:
- provide integrity when sending the message by including a PGP signature. what's to stop someone from running an e-mail server and spamming mass e-mail lists with message headers that spoof your mail domain, and proclaim bogus security lapses?
- in general, e-mail itself is not assuredly secure. sending people an e-mail is not enough, since the message might be intercepted as plaintext, and altered in transit. furthermore, those intercepting the e-mail might scoop up credentials and use them. if your service is a reliable source of working credentials, who better to attack? maybe you risk making the problem worse?
- consider hosting a secure web page over SSL, and mail links to your site. if your service gains a positive reputation, users might be able to acknowledge past leaks, but elect to receive further notices if other leaks recur elsewhere. maybe users can see links to the source someone is using to post their info, and whether the situation has been remedied by a take-down. this might be a questionable activity: if you send people to that same breach, will they look at the same list and abuse other users on the list? but what better way to demonstrate the breach?
- provide a means to verify the level exposure. what if someone's account was listed for 24 hours, and then the leak was taken down. they might still wish to know they were exposed, so they can take action. also, is the resource you're linking to confirmed as related to a known/verified data breach? who confirmed that this was a real breach of security? are you a first responder to the leak? has the leak been responsibly disclosed to the providers of the accounts tied to the leaked passwords?
This is a good point, but wouldn't use of SPF/DKIM solve this too? I think email servers are able to understand the SPF records and DKIM-Signature header and hence more accurately classify the emails as spam (if appropriate) which seems like a useful benefit.
I don't know if this is a service that can be maintained for any period of time, but hopefully the unexpected emails helped someone before the service could be abused.
Your password is: xttp://someporn.site.the/spammer_wants_you_to_visit
If you're going to continue doing this, you might want to take a look at the message you're sending (or have someone else do that for you). Remember that a large segment of your recipients are probably not the most tech-savvy (or brightest). Do not overestimate random users reading comprehension. Without clear explanation where these passwords came from the natural assumption is that you did it, and you're warning them as a threat. No that doesn't make sense but remember who you're talking to.
One more thing:
> the person indicated that they use the same password for everything and wanted to know which account had been compromised.
If you answered that, you may just have got social engineered.