Hector Martin

Additional reminders are always a good idea. There is no harm in "spreading this further" because it has already been widely distributed; seeing the paste is more likely to provide benefit by getting people to change their passwords *now*.

Spreading the password dump is going to result in increasing the chances of people's email addresses being noticed and passwords being bruteforced. Please delete the original tweet in this thread.

Anyone who wants to crack the passwords and own people already has the dump. Pretending they don't is security theatre. There is more benefit to be had by causing alarm and urging people to change their passwords *now*.

And anyone who didn't have the dump before now does, due to this weak argument. Please retweet this without the pastebin dump. Your audience aren't just your followers on Twitter; there are abusive lurkers who do not hack for ethical reasons which follow you.

Anyone who didn't have the dump can go to https://haveibeenpwned.com/ , type in the email address of *any* devkitpro forum user (e.g. mine, which is public), and follow the link to the pastebin. Sorry, I don't do security theatre. It's out there. Any and all attackers will have it.

I get what you're saying but nobody is pretending the dumps aren't out there. Nobody is hiding what happened. This seems pretty irresponsible to me given your involvement in the homebrew scene and the likelihood of your followers having grudges against users in that dump.

If I mentioned it's in a Pastebin *at all* then any would-be wrongdoers will find it anyway. And if I don't, that would be irresponsible towards those affected. Given the decision to mention it, putting the link in everyone's face is only going to help drive the point home.

That's just as idiotic as the argument "if we outlaw guns, people will get guns anyway". It's not a secret that outliers exist. But contributing to the problem is not any better. Spreading peoples' personal passwords isn't smart. If it's on 4chan, let it just stay on 4chan.