While doing a bit of research for a blog article, I created a way to find thousands of new valid emails / passwords every day. The method I used and the scripts I wrote are actually very basic and common sense, and mostly rely on the fact that there is an easy way to find passwords that are poorly chosen. Now I am a bit torn about what to do. In a sense I would like to warn people (even though those warnings have already been said thousands of times) about this whole thing. But on another hand, putting out that information to the public would only be detrimental to all those people whose credentials would all of a sudden be out in the open for everyone to abuse. There is also the legal issue and I am in no way trying to get close to doing something stupid. Also this is not a case where I can issue a responsible disclosure as the information is found through 1/ weak passwords by random people, 2/ weak encryption by random organizations. Should I just let the whole thing go and concentrate on something else? Please advise. Thanks.
First of all: congrats for finding it and kudos for asking for advice on how to deal with the issue.

If you're doubtful about which way of disclosure would be the most prudent (and you sure don't want the disclosure to backfire on yourself), get in touch with someone who's bigger and has lawyers backing you up (like the EFF, but that's just the first idea that popped into my mind; any tech news site might even pay you for exclusive coverage).
This is a great start-up idea, no? Your service shoots some kind of notifications (read, emails) to the owners of the accounts with poor passwords.
When you are sure your emails are read, you start appending ads to your notifications :)