科技回声
“I Emailed 97,931 Users Their Passwords”

77 points, posted by julianj almost 10 years ago

12 comments

harrisonjackson, almost 10 years ago
Nice work! At a glance, the email you sent out does look sort of spammy. If you plan on doing it again you might get better feedback by making it a bit more human, i.e. "I'm just a guy/gal trying to help y'all out - hope you don't use this password everywhere because someone posted it to pastebin.... - have a good one!" or something like that. Out of curiosity - what did you use to scrape pastebin?
DanBC, almost 10 years ago
Go careful. This is probably against the ToS of whatever internet services you're using.

> The thank you notes I got were sincere. One of them validated the entire effort when the person indicated that they use the same password for everything and wanted to know which account had been compromised

I hope they don't only change the password on that one site!
mynameisvlad, almost 10 years ago
> Including one request to F**k off.

If someone had just sent me an email letting me know that my email and password are out there in the wild, "fuck off" would not be my first reaction. That's just rude.
meburns, almost 10 years ago
cached version -> http://webcache.googleusercontent.com/search?q=cache:tQP6ur9of4IJ:atechdad.com/i-emailed-97931-users-their-passwords/+&cd=1&hl=en&ct=clnk&gl=us
ocdtrekkie, almost 10 years ago
This is a pretty useful service. I do check sites tracking these compromises on occasion, and I know at least one password I used before has been compromised, but it wasn't one I'd used in years.

My biggest concern is that your subject line sounds like plenty of spam/phishing emails, and your URL may get blacklisted by email services if you do this often enough.

From a slightly higher effort standpoint, you might be able to work with major email service providers to ship these notifications to users in a more official capacity.
terminado, almost 10 years ago
This is a cute experiment, but unfortunately the integrity of the service is easily corrupted.

The biggest problem is being prone to misinformation. There's nothing to prevent people from posting arbitrary e-mail lists to pastebin, with purported matching passwords, as an effort to provoke your service to cry wolf.

A few suggestions to harden the service:

- Provide integrity when sending the message by including a PGP signature. What's to stop someone from running an e-mail server and spamming mass e-mail lists with message headers that spoof your mail domain, and proclaim bogus security lapses?

- In general, e-mail itself is not assuredly secure. Sending people an e-mail is not enough, since the message might be intercepted as plaintext, and altered in transit. Furthermore, those intercepting the e-mail might scoop up credentials and use them. If your service is a reliable source of working credentials, who better to attack? Maybe you risk making the problem worse?

- Consider hosting a secure web page over SSL, and mail links to your site. If your service gains a positive reputation, users might be able to acknowledge past leaks, but elect to receive further notices if other leaks recur elsewhere. Maybe users can see links to the source someone is using to post their info, and whether the situation has been remedied by a take-down. This might be a questionable activity: if you send people to that same breach, will they look at the same list and abuse other users on the list? But what better way to demonstrate the breach?

- Provide a means to verify the level of exposure. What if someone's account was listed for 24 hours, and then the leak was taken down? They might still wish to know they were exposed, so they can take action. Also, is the resource you're linking to confirmed as related to a known/verified data breach? Who confirmed that this was a real breach of security? Are you a first responder to the leak? Has the leak been responsibly disclosed to the providers of the accounts tied to the leaked passwords?
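The two practical points raised in the thread so far, harrisonjackson's question about how the paste was parsed and terminado's suggestions to keep the credential out of the mail and to sign the notice so a spoofed copy can be detected, can be shown together in one small program. This is an added example written for this page; it is not julianj's code and nothing here is from the original post. The paste content is constructed, the notifier URL is hypothetical, and Ed25519 from Go's standard library stands in for the PGP signature terminado proposed (the verification idea is the same, the tooling is not).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of the kind of paste the post scraped: one credential
// pair per line, in the separators such dumps commonly use. Not real data.
const samplePaste = `alice@example.com:hunter2
bob@example.org;correct horse battery staple
# header junk that should be skipped
carol@example.net|Tr0ub4dor&3
not-an-email:whatever
alice@example.com:hunter2
`

// One e-mail address, a separator (: ; or |), then the rest of the line.
var credLine = regexp.MustCompile(`^\s*([^\s:;|@]+@[^\s:;|@]+\.[^\s:;|]+)\s*[:;|]\s*(.+?)\s*$`)

// Credential is one leaked e-mail/password pair from a paste.
type Credential struct {
	Email    string
	Password string
}

// ParsePaste extracts email/password pairs, dropping malformed lines and
// exact duplicates so one person is not mailed twice for one leak.
func ParsePaste(text string) []Credential {
	seen := map[string]bool{}
	var out []Credential
	for _, line := range strings.Split(text, "\n") {
		m := credLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		email := strings.ToLower(m[1])
		key := email + "\x00" + m[2]
		if seen[key] {
			continue
		}
		seen[key] = true
		out = append(out, Credential{Email: email, Password: m[2]})
	}
	return out
}

// MaskPassword keeps only the first and last character: enough for the
// recipient to recognise the password, useless to anyone reading the mail
// in transit (terminado's plaintext-interception point).
func MaskPassword(p string) string {
	r := []rune(p)
	if len(r) <= 2 {
		return strings.Repeat("*", len(r))
	}
	return string(r[0]) + strings.Repeat("*", len(r)-2) + string(r[len(r)-1])
}

// BuildNotice renders the mail body. detailsURL is a hypothetical page on
// the notifier's own HTTPS site; the mail links there instead of carrying
// the credential.
func BuildNotice(c Credential, detailsURL string) string {
	return fmt.Sprintf(
		"To: %s\n\nYour address appeared in a public paste next to the password %s (masked). "+
			"If you recognise it, change it on every site where you reused it.\nDetails: %s\n",
		c.Email, MaskPassword(c.Password), detailsURL)
}

// SignNotice returns a detached signature a recipient can check against the
// notifier's published public key. Ed25519 stands in for PGP here.
func SignNotice(priv ed25519.PrivateKey, notice string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(notice)))
}

// VerifyNotice is what a recipient or mail filter runs; a spoofed or
// altered notice, or a malformed signature, fails here.
func VerifyNotice(pub ed25519.PublicKey, notice, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, []byte(notice), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	for _, c := range ParsePaste(samplePaste) {
		notice := BuildNotice(c, "https://notifier.example/leaks/1234")
		sig := SignNotice(priv, notice)
		fmt.Print(notice)
		fmt.Println("Signature:", sig)
		fmt.Println("Verifies:", VerifyNotice(pub, notice, sig))
		// A copy with the link swapped for an attacker's site no longer verifies.
		tampered := strings.Replace(notice, "notifier.example", "evil.example", 1)
		fmt.Println("Tampered copy verifies:", VerifyNotice(pub, tampered, sig))
		fmt.Println()
	}
}
```

The masked password gives the recipient the recognition cue the original mail relied on without handing a working credential to anyone who intercepts the message, and the detached signature is what lets a recipient tell a genuine notice from one sent by someone spoofing the notifier's domain; a real deployment would publish the public key on the HTTPS site the mail links to.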
tripzilch, almost 10 years ago
Beautiful effort, nice work!

If you're going to continue doing this, you might want to take a look at the message you're sending (or have someone else do that for you). Remember that a large segment of your recipients are probably not the most tech-savvy (or brightest). Do not overestimate random users' reading comprehension. Without a clear explanation of where these passwords came from, the natural assumption is that you did it, and you're warning them as a threat. No, that doesn't make sense, but remember who you're talking to.

One more thing:

> the person indicated that they use the same password for everything and wanted to know which account had been compromised.

If you answered that, you may just have got social engineered.
nly, almost 10 years ago
While I support this valiant effort, aren't there often legal implications to doing this?
josu, almost 10 years ago
On a related note, how safe is it to do a Google search of your password?
dalerus, almost 10 years ago
Did you track open rates? I would be curious to see what those numbers look like.
supster, almost 10 years ago
This is awesome, very nice of you. Many thanks to you!
BorisMelnik, almost 10 years ago
The database error is such a touché right now in this post :)