I run across lots of passwords on the webs. Passwords to bank accounts, Netflix accounts, email accounts - you name it. Pastebin and its clones are very popular repositories for this kind of information.
Now, there are a couple of solutions a person can use to collect this password data. Not all of them are malicious.
Some of these scripts are often used to alert a person when one of their own accounts is compromised, as a kind of canary. I've seen various services where a person can opt in to be notified if one of their accounts has been compromised. A Canary As A Service, if you will. I can see two issues with this:
I wondered what would happen if I just emailed this information to the people who owned it. Instead of asking people to opt-in I could offer them the chance to opt-out.
I decided to do this as part of urhack.com and call it canaryRobin (the reasoning behind this change is there). I set up the email and a reply address to offer people a chance to unsubscribe. I even set up a PayPal donation button. I didn't expect anything in return, but thought, "Why not?" Five dollars would cover the VPS time.
For 3 days, I scraped Pastebin looking for email address/password combinations. This seemed to be the easiest target since it was the most active. After removing the garbage, I was left with over 97,000 email:password combinations.
On May 19th 2015, I sent out the emails. I could have waited for more, but this was only an experiment and honestly I was getting impatient.
I tried to keep the message simple:
Overall I consider this experiment a success. I hope that many people were helped and did not reply instead of ignoring or losing the email to spam filters.
My next list has been running since May 19th. My current count has around 300k accounts.
I might just do this again.