Security Researcher Publishes 10 Million Passwords Alongside Usernames

A security researcher has revealed a random sampling of dumps consisting of 10 million passwords alongside usernames. Notably, the researcher claims that the dumped passwords were sourced from websites like haveibeenpwned and pwnedlist where users can check and be notified if their own accounts have been compromised.

Mark Burnett earlier this week in a blog titled "Today I am releasing ten million passwords" gave reasons why he published the article and also explained that "a carefully-selected set of data provides great insight into user behaviour and is valuable for furthering password security."

(Also see: 4 simple tips to keep your online accounts secure)

Burnett further claimed that posted passwords are "dead passwords" and added they "cannot be defined as authentication features because dead passwords will not allow you to authenticate."

Explaining his reasons to release the large number of passwords and usernames to the public domain, Burnett wrote, "Frequently I get requests from students and security researchers to get a copy of my password research data. I typically decline to share the passwords but for quite some time I have wanted to provide a clean set of data to share with the world. A carefully-selected set of data provides great insight into user behaviour and is valuable for furthering password security. So I built a data set of ten million usernames and passwords that I am releasing to the public domain."

Burnett in his detailed blog had to give several reasons to suggest that leaked passwords posted are just for research purpose and is not intended to harm anyone. He adds, "I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment. I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me."

Additionally, BGR points out that a site created based on the data released by Burnett is live and allow anyone to check whether their accounts have been compromised. The website, named Rehmann, searches the usernames and passwords based on partial search terms. Users can visit to site to ensure their passwords are not part of the list.

Burnett in his final note adds that the shared list includes just a sampling and cannot guarantee anyone that if the password is not in the shared list - is safe. "Be aware that if your password is not on this list that means nothing. This is a random sampling of thousands of dumps consisting of upwards to a billion passwords," he notes.