71 comments

[ 3.3 ms ] story [ 164 ms ] thread
Nice work! At a glance, the email you sent out does look sort of spammy. If you plan on doing it again you might get better feedback by making it a bit more human - ie "I'm just a guy/gal trying to help yall out - hope you don't use this password everywhere because someone posted it to pastebin.... - have a good one!" or something like that. Out of curiosity - what did you use to scrape pastebin?
I created a Twitter bot called @dumpmon (recently suspended for no apparent reason) that scraped paste sites looking for password dumps and tweeting if one was found.

You can find the code here: http://github.com/jordan-wright/dumpmon.

Here are some stats if anyone is interested in what it collected over approx. 2 years: http://jordan-wright.com/blog/2015/05/26/two-years-of-at-dum...

I remember chatting with you a while back as I was also working on a pastebin scraping project. http://github.com/shayanjm/pasteye

Glad to see dumpmon is still going strong :)

It is... just not on Twitter anymore. The account was suspended about a week or two ago and I haven't heard anything back on my appeal from Twitter.
Shameless self-plug - I built a "pastebin scraper as a service" platform, and released it here: https://github.com/shayanjm/pasteye

Took much inspiration from dumpmon, but distributed it so users can choose their own sensitivity settings.

This is a pretty useful service. I do check sites tracking these compromises on occasion, and I know at least one password I used before has been compromised, but it wasn't one I'd used in years.

My biggest concern is that your subject line sounds like plenty of spam/phishing emails, and your URL may get blacklisted by email services if you do this often enough.

From a slightly higher effort standpoint, you might be able to work with major email service providers to ship these notifications to users in a more official capacity.

The problem isn't that the subject line sounds spammy, it's that the spam mails try to sound legitimate. This may in turn create problems for actually legit messages.

Maybe putting the scraped password in the subject line catches the recipients' attention.

That would probably help. "Your password, xxxx, has been compromised." Even if they think it's spam, they should immediately realize they do need to change their password.
That's a good idea. Maybe a subject line like your password p*rd has been compromised.
Password is already compromised, so this is a worthless step. And only seeing part of the password may cause them to think it's largely still secure or something. (Some people don't understand wildcards.)
Good point
Nonono really bad idea, because of shoulder-surfing!
Since their password is already compromised publicly on the Internet, it's silly to worry about shoulder-surfing. In fact, if someone shoulder-surfs, and sees the password, the user is even more encouraged to CHANGE it.
This is awesome, very nice of you. Many thanks to you!
While I support this valiant effort, aren't there often legal implications to doing this?
It might be considered spam for one thing. The emails are unsolicited and it might be seen as a subtle promotion of the urhack project. I'm not sure that collecting and sending the passwords is illegal but I'm sure that wouldn't stop some litigious person from causing grief.
They're definitely unsolicited. If they are also promotional, that would make them illegal -- at least in the EU.
While it may be naive, I was hoping that doing the right thing would prevail. I tried to ease the spam heartburn by offering an option to unsubscribe.
Thanks :) Since it says "Error establishing a database connection", I wonder if someone misused the password of their database?
Naw, that's what happens when WordPress is overtaxed.
Yeah-- I was not expecting this kind of traffic- I am reizing.... the box, hopefully this resolves the issue very soon.
I think scarecrowbob is right, but it would be very ironic if his site's DB pass was compromised ;)
It should be back now- that took much longer than I expected.
Down again for me :( Good news is you're very popular! :D
It's very weird. It looks good to me, but I do see half of the hits are coming in from a cached version. I'll have to prepare better if I'm to post another article and not melt down.
I figured it out. The caching method cached the error page instead of the legitimate page. ><

Sorry about that.

> Including one request to Fk off.

If someone had just sent me an email letting me know that my email and password are out there in the wild, "fuck off" would not be my first reaction. That's just rude.

Sending unsolicited automated emails, even for good, may be considered rude as well.
Really? Do people seriously have this notion? Yes, sending actual spam is rude. But an unsolicited automated email can easily be deleted, especially if it's one time. I would never associate "rude" with that, maybe "annoying" at worst.
For me:

Unsolicited automated email = Spam.

Unsolicited semi-automated (i.e. fill in the blanks) email = Spam.

Unsolicited personal email actually written by a human = OK.

Followup to unsolicited email because I didn't reply to the first one = Very rude. Instant blacklist of sender.

Another thing to consider, these emails were also sent as a way to educate people about web security. I am not surprised that unsolicited automated emails to educate oneself are considered rude by some people.

Also for ref: http://dontevenreply.com/view.php?post=99

But this is actual spam! It's bulk, and unsolicited. The content doesn't matter.
Well, it really depends on one's definition of spam. I personally consider emails that are bulk and unsolicited, but provide some sort of actual information or help to not be "spam" but instead just call it what it is, a bulk, unsolicited email. To move it over to the spam category, I also would require it not be at all useful to me. Of course, that's just me, which is why I asked the question.
Sure, that's one definition. Your definition would get you kicked off many service providers and is illegal in some jurisdictions.
Plus, there was a donation button. A lot of companies are sure you are honestly better off with their services as well.
When you email over 97,000 people at once, you're bound to get some strange responses.
gotta figure out of every 97,000 people one person is probably intoxicated / on bath salts
I would have assumed it was either a spam or a scam and probably sent nothing. If I had sent anything, fuck of wouldn't even part of it though.
Some people use that as an exclamation, like "No way! Fuck off!"
might have been someone who thought it was some sort of phishing-attempt
> If someone had just sent me an email letting me know that my email and password are out there in the wild, "fuck off" would not be my first reaction. That's just rude.

Really? This guy emailed 97,000 people and you're just going to assume they're all just like you? :)

In this list, with near certainty there will be all of the following: children, teenagers, people having a really really shitty day, dogs, criminals, mentally ill, and possibly indeed also a few who are "just rude" ...

Frankly it surprises me he only got one "fuck off" reply.

Did you track open rates? I would be curious to see what those numbers look like.
Is there any reliable way to do this? Most mail clients will block receipt-type stuff by default...
I believe the trick is to put a hidden, 1px image in the email. Then you can track how many times it was requested.
Most reputable email clients won't load remote images in email messages.
How many mail clients load those by default nowadays? Gmail doesn't, Thunderbird doesn't.
Um, Gmail does: https://support.google.com/mail/answer/145919?hl=en

> Gmail automatically shows you the images in your messages

It does have an option to turn it off, but the default is on. They will load up the image themselves, then serve it from their domain, but, as the help information shows, that still indicates an "open", it's just that all the information on who opened the email (IP address, etc) would be wrong.

I believe gmail is caching these images on their own servers.

One source: http://arstechnica.com/information-technology/2013/12/gmail-...

EDIT: I get what you're saying. I guess the count would depend on how long Google caches that image- or do they load it on a per email basis?

Yep, we're on the same page. The wording they use is "In some cases, senders may be able to know whether an individual has opened a message with unique image links." but I'd expect the tracking URLs themselves to be unique (most are, they are tied to an email so they know who opened the email and who didn't) so they would most likely bypass this cache. I expect the "some cases" refers to the ones where it simply gives you a count of people who opened your email, and does it by simply having a generic tracking URL.
D'oh, thanks for the correction! I knew about their caching mechanism, but failed to realize that it wouldn't prevent this sort of tracking pixel from working due to the pixel URL being unique (in most cases).
Assuming people read their email in HTML and has their email client set/defaulting to automatically requesting external content. Sure, for a large sample from non-technical audience such as here it's probably a good assumption, but it may not be for e.g. a small sample from a tech-savvy audience.
Most modern email clients (and webmail clients, and smartphone clients) hide webbugs by default, so the 1px image technique won't work.

This'll only work on very very old desktop clients, or users that actually click the "show images" button.

I'm familiar with the tracking image "trick" but I assumed most email clients wouldn't load those by default. The other comments seem to indicate I was wrong. :(
I thought about this, but I couldn't think of a way to do it reliably without setting of more spam alarms.
The database error is such a touche right now in this post :)
Go careful. This is probably against the ToS of whatever internet services you're using.

> The thank you notes I got were sincere. One of them validated the entire effort when the person indicated that they use the same password for everything and wanted to know which account had been compromised

I hope they don't only change the password on that one site!

This is a cute experiment, but unfortunately the integrity of the service is is easily corrupted.

The biggest problem is being prone to misinformation. There's nothing to prevent people from posting arbitrary e-mail lists to pastebin, with purported matching passwords, as an effort to provoke your service to cry wolf.

A few suggestions to harden the service:

- provide integrity when sending the message by including a PGP signature. what's to stop someone from running an e-mail server and spamming mass e-mail lists with message headers that spoof your mail domain, and proclaim bogus security lapses?

- in general, e-mail itself is not assuredly secure. sending people an e-mail is not enough, since the message might be intercepted as plaintext, and altered in transit. furthermore, those intercepting the e-mail might scoop up credentials and use them. if your service is a reliable source of working credentials, who better to attack? maybe you risk making the problem worse?

- consider hosting a secure web page over SSL, and mail links to your site. if your service gains a positive reputation, users might be able to acknowledge past leaks, but elect to receive further notices if other leaks recur elsewhere. maybe users can see links to the source someone is using to post their info, and whether the situation has been remedied by a take-down. this might be a questionable activity: if you send people to that same breach, will they look at the same list and abuse other users on the list? but what better way to demonstrate the breach?

- provide a means to verify the level exposure. what if someone's account was listed for 24 hours, and then the leak was taken down. they might still wish to know they were exposed, so they can take action. also, is the resource you're linking to confirmed as related to a known/verified data breach? who confirmed that this was a real breach of security? are you a first responder to the leak? has the leak been responsibly disclosed to the providers of the accounts tied to the leaked passwords?

> - provide integrity when sending the message by including a PGP signature. what's to stop someone from running an e-mail server and spamming mass e-mail lists with message headers that spoof your mail domain, and proclaim bogus security lapses?

This is a good point, but wouldn't use of SPF/DKIM solve this too? I think email servers are able to understand the SPF records and DKIM-Signature header and hence more accurately classify the emails as spam (if appropriate) which seems like a useful benefit.

These are very good points. 1. Good idea 2. Good point, however, these credentials are usually already posted in public forums. My thoughts were that the risk was already present-- and the person who potentially didn't know was the user. 3. I am patiently waiting on let's encrypt. As a side project with no income, I cannot justify the cost of a certificate. 4. I found based on some responses that some of the credentials were old. It was not my intention to verify exposure, but let the user know that I found a password. If the person recognizes it for any account, change it.

I don't know if this is a service that can be maintained for any period of time, but hopefully the unexpected emails helped someone before the service could be abused.

One way to mitigate risk could be to only send the first/last half of the password and replace the rest with asterisks. It would reduce the number of people caring though.
While we wait for Let's Encrypt, you can use a free certificate from StartSSL.
I have looked at StartSSL when I registered my domain. I was turned off when I was told my domain wasn't old enough. I understand why-- I just decided to wait then.
> There's nothing to prevent people from posting arbitrary e-mail lists to pastebin, with purported matching passwords

Your password is: xttp://someporn.site.the/spammer_wants_you_to_visit

That's true. I would need to refine my regex. I guess anyone with a password that contains http:// or <script> or some other nastiness would be SOL. :)
On a related note, how safe is it to do a Google search of your password?
This is actually a really interesting idea. I'd love to know how possible it would be for someone to scrape recent google searches, somehow. I'd think it would be relatively safe, but I'm still hesitant.
Beautiful effort, nice work!

If you're going to continue doing this, you might want to take a look at the message you're sending (or have someone else do that for you). Remember that a large segment of your recipients are probably not the most tech-savvy (or brightest). Do not overestimate random users reading comprehension. Without clear explanation where these passwords came from the natural assumption is that you did it, and you're warning them as a threat. No that doesn't make sense but remember who you're talking to.

One more thing:

> the person indicated that they use the same password for everything and wanted to know which account had been compromised.

If you answered that, you may just have got social engineered.