We had *already* emailed everyone affected by the breach, and even made a public announcement (https://devkitpro.org/viewtopic.php?f=13&t=8846 …). There was no need to spread this any further.
Additional reminders are always a good idea. There is no harm in "spreading this further" because it has already been widely distributed; seeing the paste is more likely to provide benefit by getting people to change their passwords *now*.
Spreading the password dump is going to result in increasing the chances of people's email addresses being noticed and passwords being bruteforced. Please delete the original tweet in this thread.
Anyone who wants to crack the passwords and own people already has the dump. Pretending they don't is security theatre. There is more benefit to be had by causing alarm and urging people to change their passwords *now*.
And anyone who didn't have the dump before now does, due to this weak argument. Please retweet this without the pastebin dump. Your audience aren't just your followers on Twitter; there are abusive lurkers who do not hack for ethical reasons who follow you.
Replying to @ha1vorsen @fincsdev and
Anyone who didn't have the dump can go to https://haveibeenpwned.com/ , type in the email address of *any* devkitpro forum user (e.g. mine, which is public), and follow the link to the pastebin. Sorry, I don't do security theatre. It's out there. Any and all attackers will have it.
Replying to @marcan42 @ha1vorsen and
I get what you're saying but nobody is pretending the dumps aren't out there. Nobody is hiding what happened. This seems pretty irresponsible to me given your involvement in the homebrew scene and the likelihood of your followers having grudges against users in that dump.
Replying to @davejmurphy @ha1vorsen and
If I mentioned it's in a Pastebin *at all* then any would-be wrongdoers will find it anyway. And if I don't, that would be irresponsible towards those affected. Given the decision to mention it, putting the link in everyone's face is only going to help drive the point home.
Replying to @marcan42 @ha1vorsen and
I do understand what you're saying but it seems massively risky to me, I don't really see why people are less likely to change passwords just because they can't see a link to their data.
Replying to @davejmurphy @marcan42 and
The dump you've linked to is also only a partial dump so, following your own argument, aren't users that aren't in this dump likely to gain a false sense of security?
It would be rather silly to assume that just because your name isn't in the dump you're safe. The point is the data is being shared. The contents are just showing this fact clearly.
Replying to @marcan42 @ha1vorsen and
Of course it would but people do crazy things every day. Like me. Not changing passwords on accounts I've had for years that I don't use much :/ We're going to go round in circles on this one though. Clearly you think the benefits outweigh the risks here & I don't