I Emailed 97,931 Users Their Passwords · atechdad

23 Jun 2015

Hey all-

I run across lots of passwords on the webs. Passwords to bank accounts, Netflix accounts, email accounts- you name it. Pastebin and its clones are very popular repositories for this kind of information.

Now, there are a couple of solutions a person can use to collect this password data. Not all of them are malicious.

Some of these scripts are often used to alert a person when one of their own accounts is compromised as a kind of canary. I've seen various services where a person can opt-in to be notified if one of their accounts has been compromised. A Canary As A Service if you will. I can see two issues with this:

  1. Most users have no idea these services exist.
  2. Many users are wary of sending the information they care most about to another online service.
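
A minimal version of the canary idea described above, as an added example that is not the author's code: it scans paste text for `email:password` lines and reports only addresses on a watch-list you own, masking the secret so the alert itself does not leak it. The watch-list, sample paste and function names are constructed for illustration.

```python
import re

# Hypothetical watch-list: addresses or whole domains you own (constructed values).
WATCHED = {"alice@example.org", "@corp.example"}

# One "email<sep>secret" pair per line; dumps commonly use ':', ';' or '|'.
PAIR = re.compile(r"^\s*([^\s:;|@]+@[^\s:;|@]+\.[^\s:;|@]+)\s*[:;|]\s*(\S+)\s*$")

def is_watched(email, watched=WATCHED):
    """Exact address match, or domain match for entries written as '@domain'."""
    email = email.lower()
    return any(email == w or (w.startswith("@") and email.endswith(w)) for w in watched)

def mask(secret):
    """Keep only enough of the secret for the owner to recognise it."""
    return secret[0] + "*" * (len(secret) - 1) if len(secret) > 1 else "*"

def canary_hits(paste_text, watched=WATCHED):
    """Return sorted, de-duplicated (email, masked_secret) pairs for watched accounts only."""
    hits = set()
    for line in paste_text.splitlines():
        m = PAIR.match(line)
        if m and is_watched(m.group(1), watched):
            hits.add((m.group(1).lower(), mask(m.group(2))))
    return sorted(hits)

# Constructed sample paste; no real accounts.
SAMPLE = """\
== fresh combo list ==
bob@other.example:hunter2
Alice@Example.org:Tr0ub4dor
dave@corp.example | winter15
alice@example.org:Tr0ub4dor
not a credential line
"""

if __name__ == "__main__":
    for email, hint in canary_hits(SAMPLE):
        print(f"ALERT {email} appears in a paste, password starts with {hint[0]!r}")
```

Unwatched addresses and unparseable lines are dropped without being stored, so the monitor never accumulates other people's credentials.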


I wondered what would happen if I just emailed this information to the people who owned it. Instead of asking people to opt-in I could offer them the chance to opt-out.

The Plan

I decided to do this as part of and call it canaryRobin (the reasoning behind this change is there). I set up the email and a reply address to offer people a chance to unsubscribe. I even set up a PayPal donation button. I didn't expect anything in return, but thought, Why not? Five dollars would cover the VPS time.


For 3 days, I scraped Pastebin looking for email address/password combinations. This seemed to be the easiest target since it was the most active. After removing the garbage, I was left with over 97,000 email:password combinations.


On May 19th 2015, I sent out the emails. I could have waited for more, but this was only an experiment and honestly I was getting impatient.

The Message

I tried to keep the message simple:


Overall I consider this experiment a success. I hope that many people were helped and did not reply instead of ignoring or losing the email to spam filters.

My next list has been running since May 19th. My current count has around 300k accounts.

I might just do this again.
