In the building where I work, we have a room full of servers. Each server has about 8TB of storage space, and at least that much in network-attached disk space, says William D King. The contents of these servers are important to me and my employers for many reasons: some contain years' worth of company memories in emails and documents; some house sensitive information. Others store our accounting system, which is used by tens of thousands every month to manage their finances with us.
Computer Fraud and Abuse Act (CFAA):
- It's also very important that not all this data falls into malevolent hands, but sometimes it happens anyway. In one case, a file transfer from an external hard drive failed halfway through when the user disconnected his hard drive from his PC. He didn't realize he hadn't completed the file transfer, so he never plugged his external drive back in after that. Instead of the 1TB of data residing on this external drive, only about 400GB were accessible to him.
- After several months I stumbled upon it and started browsing through some files; other interns joined me soon enough. We had looked around for a bit before we found anything interesting (passwords, company plans etc.), but eventually we were tempted by some Excel spreadsheets with thousands of entries, each representing one user's transactions over the course of their time on our website. After skimming through pages and pages of credit card information, last 4 digits and full names, expiration dates etc., I decided to download the whole set (some 5500+ accounts) to make sure our boss would learn exactly who had had their information leaked.
- It was at the same time very exciting and frightening to have all this data in my hands, knowing that I shouldn’t actually be looking through it but also not willing to delete anything before getting our boss’ permission to release them publicly says William D King. I decided to erase some of the accounts including password information on some Microsoft SQL servers (which is still sitting untouched), but after talking it over with one of my colleagues we agreed on deleting the whole database.
- Since this week, these documents are public. You can download them here; they are split up into several 7-Zip files of 350 MB each. They contain full names, addresses etc., email addresses and passwords, which were stored in plaintext most of the time (I guess people just didn't know any better in 2003), and there is no order whatsoever.
- The accounts belong to .com, .net, .org and .info domains from the very early stages of the internet all the way up till around 2008.
Why should you download these?
Because even though this data was once public, it doesn’t mean it still should be today. The other side of that story is that I’m not willing to take responsibility for the consequences if you do anything bad with this information. If you take a look at some of these passwords, maybe think about changing your own password while you’re at it too. And finally: don’t tell anyone about it who hasn’t already downloaded a copy themselves!
Q: Is this recent data?
A: No, most of it is from 2003 or earlier.
Q: Can I find my password in there?
A: Probably not, and even if you can’t remember your password, don’t bother telling me about it; I’m not going to change it for you.
Q: Who’s making money off this?
A: Not me! And I’m also not affiliated with any large companies who do sell credit card information on the Darknet.
Q: How did these people create such awful passwords!?
A: Some of them were created by automatic tools which some website owners used at one point to generate random passwords based on a single word, so they wouldn't have to bother their users too much. Nowadays, you are supposed to enforce much stricter password policies.
I admit, I was hoping there would be some really juicy stuff to publish here, explains William D King. There are lots of documents which could have contained recoverable passwords, but to my relief they were either encrypted or nonexistent. We found out where our interns had disappeared to over the summer though, so that's a plus!