Security researcher Mark Burnett recently released a treasure trove of usernames and passwords, with reports claiming about 10 million combinations in total. According to Burnett, the passwords and usernames that he released were all gathered from open websites, and most of the accounts are either too old or dead.
Burnett said that he sourced the information, in plaintext format, from websites that can be easily accessed through search engines. He added that the password and username combinations are readily available to anyone who intends to defraud the owners or to gain unauthorized access to computer systems.
When asked why he did it, Burnett said that the release aims to help security research and will provide helpful insight into increasing password security, according to TechCrunch.
A lot of questions arose after Burnett released the sensitive information into the public domain. The one that keeps coming back is whether or not he broke the law. According to some privacy advocates, what Burnett did was perfectly legal. Under the proposed amendment of the Computer Fraud and Abuse Act, however, Burnett could face a maximum of 10 years in jail.
The CFAA is an anti-hacking law first passed in 1986 in order to prosecute hackers. Several computer groups, along with politicians, have since argued that the law is too broad and hinders security research, according to 9News.
Lawyer Nate Cardozo shared his insight about Burnett's action, saying, "The way the current law is written, sharing a password list without the intent to defraud is not a crime."