The best site to find password leaks: Google (google.com)
123 points by dendory on June 28, 2011 | hide | past | favorite | 39 comments


Johnny (& others) have been doing this type of thing for years. The classic collection is here: http://johnny.ihackstuff.com/ghdb/


Similar, and interesting in the context of LulzSec releases, is @PastebinLeaks on Twitter. It scans Pastebin for a variety of things (mail address lists, PGP keys, SQL dumps, and router configuration files have all popped up so far). They're not 100% - especially the mail/password dump detection - but it's definitely catching stuff.

http://twitter.com/#!/PastebinLeaks


These kinds of tools cause more harm than good.


That's balderdash. These kinds of tools raise awareness of the issue, hopefully making more people think twice about posting private data to a public place. If they continue to be unaware of the danger of doing so, then it is simply exploited silently and everyone wonders how it happened.

Your statement assumes that security through obscurity is a good thing.


At this point, you're both right - exposing these things to a massive audience just increases the number of potential attackers.

Someone ought to write a tool that follows this account, and e-mails people warning them that their e-mail has been compromised.

The hard part would be explaining what happened, how to verify it, and how to fix it to random strangers without convincing them that you're the one who just tried to steal their life savings.


www.hacknotifier.com does this (disclaimer: I started it) - but it requires the user to subscribe to our service. Unfortunately, cold emailing them (which we considered) would be considered spam.


I just created a Google alert for my email + "filetype:sql". http://www.google.com/alerts - might as well make this work for me...


This is a great idea. Unfortunately pastebin and sites like it are generally not indexed by Google.


Crawling pastebin is trivial - there was an HN story on it a while ago, and I wrote my own from scratch as an exercise. Perhaps we should suggest this to the guy behind https://shouldichangemypassword.com/


Well, it is the best site to find almost anything, so why not passwords? :)

Honestly though, Google shouldn't even have to worry about these things; their mission is to organize data on the web. If it is there, it should be searchable.


Google hacking is truly awesome and powerful. In fact there is some pro material already on the web such as http://johnny.ihackstuff.com/ghdb/

There is also a pretty good book from a Spanish Microsoft MVP (yeah it sounds bad but still it's an important award, :\)

http://www.informatica64.com/libros.aspx?id=hackingBuscadore...

It's a shame they decided not to translate it; is anyone here up for it? It contains everything that you'd ever wonder and much more.


Here's the teaser from the link. I don't own the book and thus have nothing else to translate.

Title: Search Engine Hacking with Google, Bing & Shodan

Author: Enrique Rando

Pages: 272

Price: 20 Euros + Shipping (includes IVA)

Though it's been 2500 years since Sun Tzu wrote "The Art of War", many of his lessons remain relevant. His teaching contains several passages that seem especially suitable for people who work in Information Security:

* "Those who disable foreign armies without combat are the best teachers of the Art of War."

* "Before you fight, first learn the skills of the enemy's workers, and then fight them according to their weaknesses."

* "When you can perceive subtlety, winning is easy."

Without a doubt, this information is key in preparing for attempted security breaches. Without it, determining what to attack and how to do it is impossible. Search engines have become important tools for collecting data and other intelligence. However, despite Google hacking's many years of use, its techniques have perhaps not always been well-treated or publicly shared.


How does this actually happen though? Is this simply a case of people leaving the standard "apache index page" turned on, or do this many people actually publish links to their SQL files somewhere crawlable?


Usually a combination of the Apache index pages, dumb server setups, and people being lazy, careless and/or forgetful when they dump a database to disk.

Also, sometimes an index.html file is accidentally removed, causing (brain-dead installs) to suddenly reveal the contents of a directory, e.g. http://shahinfosoft.com/
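The failure mode described in this comment (a listing appears the moment index.html goes missing) is a server setting, not an accident of the file. As an added example that is not from the thread, here is the weak Apache 2.4 configuration beside the corrected one; the docroot path is assumed.

```apache
# Weak: auto-generated listings are enabled, so any dump left in the
# docroot becomes browsable as soon as index.html is missing.
<Directory "/var/www/html">
    Options +Indexes
    Require all granted
</Directory>

# Corrected: no auto-generated listings under the docroot, and database
# dumps/backups are refused even when the exact filename is known.
<Directory "/var/www/html">
    Options -Indexes
    Require all granted
</Directory>
<FilesMatch "\.(sql|sql\.gz|bak|old|dump)$">
    Require all denied
</FilesMatch>
```

Only the corrected block belongs in a live config; Apache merges repeated `<Directory>` sections for the same path, so the two are shown together purely for contrast.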


Welcome to 2005. Hopefully this isn't new to the rest of you.

As someone else mentioned, Johnny posted articles on this years ago. But, he merely popularized it, Google hacking was around long before him.

See also: filetype:mdb, filetype:xls, "ssn" and so on.

For music, try: metallica filetype:mp3

For books, try: oreilly filetype:epub (or whatever)


What's really the interesting story is that it isn't 2005 and yet this stuff still works.


And even if it's hashed, there are public databases resolving those: http://hashash.in/


This is only good for unsalted hashes, which hopefully are on the decline.
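The distinction this comment draws, as an added example that is not from the thread: an unsalted hash is a fixed key that any lookup site can precompute, while a per-user random salt plus a slow KDF gives a different stored value every time. The tiny lookup table and the PBKDF2 storage format are constructed for this demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a public hash-lookup site: unsalted MD5 of a few
# common passwords, keyed by hex digest.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
UNSALTED_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """The weak scheme: bare MD5. The same password always yields the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def reverse_unsalted(digest: str) -> Optional[str]:
    """What a lookup site does: return the password if the digest was precomputed."""
    return UNSALTED_LOOKUP.get(digest)


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256).

    Stored as 'iterations$salt_hex$hash_hex' so verification can recover both.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    leaked = unsalted_hash("password")
    print("unsalted:", leaked, "->", reverse_unsalted(leaked))   # resolves instantly
    a, b = salted_hash("password"), salted_hash("password")
    print("salted, same password twice:", a.split("$")[2] != b.split("$")[2])
    print("verify:", verify_salted("password", a), verify_salted("passw0rd", a))
```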



I tried "hello" and "god" and both are safe, apparently.


This keeps reminding me of that Daily WTF article where a sysadmin sends a warning about phishing spam with an example of one and gets hundreds of UN/PW pairs back... I think email should be taught in school.


Use your email address.


I was joking. Not very funny, I admit...


It's nice how a screenshot from a groupon post made it into a new thread on HN.

See the one at http://news.ycombinator.com/item?id=2704359


And now for porn:

http://www.google.com/search?hl=en&tbo=1&biw=1315...

(SFW-ish; no images, just links to really sleazy websites)


C'mon! Mistakes happen, sure. But a correctly written robots.txt would prevent this


It's a shame these companies are so cheap that they don't hire real developers.


You think Fortune 500 companies don't hire complete idiots too? They just have 5 extra people for every 1 developer to double check whether or not the developer did something stupid, test the site for obvious vulns, etc.


It's not necessarily a matter of them being cheap, good developers are hard to find, and the only people who can tell the difference are/were good developers themselves.

This is doubly true with security. There is no cosmetic or usability difference between a secure application and a nightmare that leads to thousands of leaked passwords. So companies that don't already have a good group of developers are screwed when hiring, and companies that don't consider their existing team's decision as the most important factor when hiring are asking for trouble.


This could happen to any developer. All it takes is a dumb installation package to screw up your permissions, or something similarly trivial.

Also, it's not a matter of development, but security and system administration. They are often performed not only by different people, but sometimes even by different sub-organizations in different physical locations. It's not a good excuse, but we shouldn't be so quick to judge developers without knowing what exactly happened.


Remember to turn on private browsing.


Private browsing isn't going to help with sites that publish their databases in plaintext, as in the link.


Your browsing history will show the passwords you searched for to people who use your computer. Also, next time you Google search while logged in, your password might also show up as a suggestion.

Otherwise a password-not-yet-leaked will no longer be. If you didn't turn on private browsing as I suggested and are using Safari, type the password you searched for in your URL bar now and you will see why I said what I said.


Why would you search for your passwords at all, then? Wouldn't it make more sense to search for your email and username?

And for that matter, why do you have so few that you can easily google for them instead of generating random ones per site?

(Fun fact, googling for your e-mail address reveals a hash of your password on MtGox.)


Maybe someone was like me and they didn't think to not search for their password, which ended up in their browser history. The title had password leaks in it and that's the first thing I thought of when I got there: "Hey, my MtGox password got leaked, let's google it."

For that matter, I have a unique password (with the necessary special characters) for each account that associates with my identity (Not naming any examples here), but only several unique passwords for websites I don't intend to use much e.g. to read newspapers, and apparently, MtGox.

(Yes, I was searching for my MtGox password because it was the same password I used for random throwaway sites. No, I never used it; I don't even remember having confirmed my account there. My assets in bitcoins amount to < $2 USD.)

I still don't understand why all the downvotes. It would've helped me if someone reminded me not to actually google my password with my browser watching. Apparently not anyone else.


I think he is talking about google logging your search for password databases.

EDIT: I, however, do not agree that it is necessary, even more being a link posted on HN


Private browsing won't stop google from logging anything. It will make it so your browser doesn't remember what you did, but it doesn't stop the authorities from knocking.


Downmod me if you feel like, but I genuinely feel bad about HN after seeing this submission.

edit: definitely downmod to make an example.


...why do you feel bad about HN just for exposing terrible security practice? Hopefully startups get shocked enough by it to tighten up their privacy policies.

