Tech by VICE

A ‘Tech Dad’ Emailed 97,931 People Their Hacked Passwords

Creepy or helpful?

by Jordan Pearson
Jun 25 2015, 1:00pm

Image: Flickr/Michael Coté

New hacker horror stories are being spun all the time, whether it's Uber accounts being sold on the dark web, or an Anonymous affiliate posting the emails and passwords of Canadian government officials. Have you ever wondered if your email and password are floating around out there in cyberspace as part of a hacker's massive data dump?

Thankfully, a blogger known as "A Tech Dad"—his pen name is "Julian"—will tell you, whether you want to know or not.

After hackers succeed in breaching a victim's security, it's common for them to post information like passwords, emails, documents, and messages to PasteBin—a site that lets users anonymously post messages in plain text. If your email and password were ever compromised, there's a good chance that they'll be in a PasteBin entry.

But who spends their days trawling PasteBin, right? With this in mind, Julian decided to take matters into his own hands. He created a tool called Canary that scrapes PasteBin for password and email combos and then emails the people they belong to, letting them know they got hacked. Canary is affiliated with another site called Urhack, which posts screenshots of hacked sites.

There are a few services out there that will scrape PasteBin for your information and alert you if any turns up, but they're opt-in; you'd have to be fairly security-conscious in the first place to even consider using a tool like that.

During Canary's inaugural run on May 19th, Julian alerted 97,931 people that their security had been compromised with a really polite, really creepy email.


Just imagine getting that in your inbox for a minute. Personally, I wouldn't even open it, fearing—ironically—that I would get hacked with a phishing attempt. But, according to Julian, a lot of people did check out the email. While one person told him to "F**ck off," nine more people said thank you.

"The thank you notes I got were sincere," Julian wrote. "One of them validated the entire effort when the person indicated that they use the same password for everything and wanted to know which account had been compromised."

That's really nice and all, but one can pretty easily identify with the "F**ck you" guy. After all, just because someone's email is out there on the web as part of a potentially massive and impenetrable data dump, that doesn't necessarily mean that you should go ahead and send a friendly message to their inbox.

But, then again, an even more important thing to keep in mind is that out of the nearly 100,000 people that Julian notified about their accounts being compromised on the web, just 10 opened the email and responded. Let's hope the rest of the people who received Julian's really-nice-but-potentially-scary email changed their passwords and moved on, for their sakes.

Julian's script has been running since May 19th, he wrote, and has so far collected around 300,000 password and email combinations on PasteBin. "I might just do it again," he wrote.