Ask HN: I found a way to find thousands of emails/pwds. Now what?
16 points by bubblicious on Aug 11, 2014 | hide | past | favorite | 14 comments
While doing a bit of research for a blog article, I created a way to find thousands of new valid emails / passwords every day. The method I used and the scripts I wrote are actually very basic and common sense, and mostly rely on the fact that there is an easy way to find passwords that are poorly chosen. Now I am a bit torn about what to do. In a sense I would like to warn people (even though those warnings have already been said thousands of times) about this whole thing. But on another hand, putting out that information to the public would only be detrimental to all those people whose credentials would all of a sudden be out in the open for everyone to abuse. There is also the legal issue and I am in no way trying to get close to doing something stupid. Also this is not a case where I can issue a responsible disclosure as the information is found through 1/ weak passwords by random people, 2/ weak encryption by random organizations. Should I just let the whole thing go and concentrate on something else? Please advise. Thanks.


First of all: congrats for finding it and kudos for asking for advice on how to deal with the issue.

If you're doubtful about what way of disclosure would be the most prudent (and you sure don't want the disclosure to backfire on yourself), get in touch with someone who's bigger and has lawyers backing you up (like the EFF, but that's just the first idea that popped into my mind; any tech news site might even pay you for exclusive coverage).


Thanks, I'll see what I can find in the morning.


This is a great start-up idea, no? Your service shoots some kind of notifications (read, emails) to the owners of the accounts with poor passwords. When you are sure your emails are read, you start appending ads to your notifications :)


Said notification will most likely go to spam or go unread, with a large percentage of the remainder causing misdirected anger at you for "hacking" their systems.

Even the most tech-savvy will probably be inclined to dismiss your notification as the ravings of some random script-kiddy.


Well, I did think about automating email notifications to warn users (but nothing ad-related though :). I'm not sure I wouldn't end up in the spam folder every time though!


I think a lot of users are and always will be clueless. Back in the days of dialup, with some ISPs it wasn't uncommon for those machines to be directly connected to the internet (rather than through a NATting router). It was AMAZING the stuff you could find by looking for (example) \users, or \documents.


Where are you mining these passwords from? Private intranets? Cloud services?


Newly indexed files by Google every day.


I think you gave the game away right there. From an ethical point of view, if you can index these files, you can also automate contacting the site owners. Yes, users should use better passwords, but there is also an onus on system admins to at least TRY and keep information secure.


You might have to be somewhat selective though. Don't tell them that you can or have mined the passwords (some of them might decide that you 'hacked' them). Maybe point out that potentially sensitive files are popping up on Google, and try to look as dumb as possible. Don't let on that you're automating this in any way. Having said that, I'm sure that there will be a number of admins and users that will be extremely grateful for this!

I've sent similar emails in the past, and while you don't always get a reply spouting thanks (or a reply at all), you will likely notice the file not being available anymore.


It depends on how much effort you want to go through. You could do a whois on the IP/domain, and contact the registered owner (if the information is available).


That sounds like a good idea. How would you deal with files indexed on places where there is no organization behind?


Yep, well like I said it's no huge secret and the code I wrote is really basic. So you think the only thing I should do is just automate contacting the site owners with the link to the sensible files that have been indexed?


Ahh, the good old looking-for-config.php-etc. trick.
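The defender-side counterpart of the "config.php trick" the thread keeps coming back to: an added example (not code from anyone in the thread) that audits a web root you administer for files that would leak credentials if a crawler indexed them. The file-name patterns, the credential-line regex and the sample files are constructed for this example; extend the patterns for your own stack.

```python
import os
import re
import tempfile

# Filenames commonly left in a web root and picked up by crawlers.
# Constructed list for this example; extend it for your own stack.
RISKY_NAME = re.compile(
    r"^(\.env|config\.php(\.bak|~|\.old)?|wp-config\.php.*|.*\.(sql|bak|log))$",
    re.IGNORECASE)
# Lines that look like credential assignments inside config or dump files.
CRED_LINE = re.compile(r"(pass(word)?|pwd|secret|api[_-]?key)\s*[=:]\s*\S",
                       re.IGNORECASE)


def audit_webroot(root):
    """Return sorted (relative_path, reason) pairs for files to block or remove."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if RISKY_NAME.match(name):
                findings.append((rel, "risky filename"))
                continue
            try:
                with open(path, errors="ignore") as fh:
                    if any(CRED_LINE.search(line) for line in fh):
                        findings.append((rel, "credential-like line"))
            except OSError:
                pass  # unreadable files are skipped, not reported
    return sorted(findings)


def demo():
    """Audit a constructed web root (sample files, not real data); return findings."""
    sample = {
        "index.html": "<html>hello</html>\n",
        "config.php.bak": "<?php $db_pass = 'hunter2';\n",
        "notes.txt": "db_password: example-only\n",
        "css/site.css": "body { color: red }\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return audit_webroot(root)
```

Call `audit_webroot("/path/to/your/webroot")` on a site you operate; `demo()` runs the same check against the constructed sample and flags the backup config and the notes file, not the HTML or CSS.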



