UMSI senior's site experiences "overwhelming" success

Sitting in the basement of the University of Michigan undergraduate library the morning of February 12, School of Information senior Luke Rehmann noticed something weird happening on his website. At around 11 a.m., the site traffic started jumping by hundreds of hits at a time. In less than an hour, he was seeing 8,000 hits a minute. When his overwhelmed server crashed, it was being pounded by 16,000 hits simultaneously.

What had happened? Basically, the same thing that can occur when a 24-seat diner gets a five-star review.

A few days earlier, on February 9, security researcher Mark Burnett had posted a dataset of 10 million stolen usernames and passwords on his blog. His intention was to aid other researchers exploring user behavior and password security. While Burnett took a number of steps to make the information useless for criminal purposes, lots of people wanted to know whether their user names and passwords were on the hotlist.

“A few people asked me how they could check the data,” says Luke. Although the list was available to anyone to download, he says, “it could take forever to search 10 million names. I thought it would take me only a few minutes to build a site where people could find out if they were on that list of stolen IDs.”

An experienced coder and programmer, Luke has been building database websites since high school. His first site connected buyers with sellers of automotive parts; a more recent creation monitors all wireless device applications registered with the FCC.

Within 36 hours of the Burnett data being published, Luke had added a page to his website that allowed people to search for their own username among the released data. Then, he put a link to his site on Reddit.com, the user-generated news site, and invited users to “check your username/password against 10 million account dump by Mark Burnett.”

He started getting traffic, but nothing the server couldn’t handle.

Then, on February 12, at 11 a.m. Yahoo! posted an article on its homepage about the Burnett release and offered a way to “quickly and easily find out if you were affected.” They included a link to Luke’s site, promising “you’ll be able to search for your usernames and passwords in the leaked file.”

Thousands of people clicked. Luke’s server crashed.

“Yahoo! didn’t warn me they were going to do this,” says Luke. “I might have been able to handle the traffic if I’d known in advance.” He theorizes that Yahoo! probably found the link on the Reddit site.

“I had to put up a note on the page telling people to try again later,” he says.

His site is now back in business, with traffic his servers can handle. He’s still getting between 100-600 queries at a time. “I’m still seeing some peaks, as some smaller news outlets in places like Europe and South America post the link.”

Did Luke find his own username among those released on February 9? “An old, expired one from junior high school,” he admits.

Try Luke’s username/password query at https://rehmann.co/projects/10mil/

February 18, 2015