After deduplicating and cleaning the data, Burnett released a list of the passwords observed across these breaches. The filename became iconic: xato-net-10-million-passwords.txt, often hosted on GitHub, security research portals, and pentesting frameworks like SecLists.
Use anomaly detection (e.g., many login attempts from different IPs on one account, or many accounts from one IP) to block automated guessing attacks that use the Xato list.
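The two signals named above (one account failing from many IPs, one IP failing against many accounts) can be checked with a sliding window over failed logins. This is an added example, not code from the original page; the log format, the 5-minute window, the threshold of 3 and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 alice FAIL
2024-05-01T10:00:10 198.51.100.7 bob FAIL
2024-05-01T10:00:20 198.51.100.7 carol FAIL
2024-05-01T10:01:00 203.0.113.1 erin FAIL
2024-05-01T10:02:00 203.0.113.2 erin FAIL
2024-05-01T10:03:00 203.0.113.3 erin FAIL
2024-05-01T10:04:00 192.0.2.10 frank FAIL
2024-05-01T10:04:30 192.0.2.10 frank OK
2024-05-01T10:00:00 192.0.2.21 gina FAIL
2024-05-01T10:30:00 192.0.2.22 gina FAIL
2024-05-01T11:00:00 192.0.2.23 gina FAIL
"""

WINDOW = timedelta(minutes=5)  # assumed sliding window
THRESHOLD = 3                  # assumed distinct-peer count that triggers a flag

def parse(log):
    """Yield (time, ip, account) for failed logins only."""
    for line in log.strip().splitlines():
        ts, ip, account, result = line.split()
        if result == "FAIL":
            yield datetime.fromisoformat(ts), ip, account

def flag(events, key_idx, peer_idx):
    """Keys that saw >= THRESHOLD distinct peers inside any WINDOW."""
    by_key = defaultdict(list)
    for ev in sorted(events):
        by_key[ev[key_idx]].append((ev[0], ev[peer_idx]))
    flagged = set()
    for key, seen in by_key.items():
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > WINDOW:
                start += 1  # drop events older than the window
            if len({peer for _, peer in seen[start:end + 1]}) >= THRESHOLD:
                flagged.add(key)
                break
    return flagged

def detect(log):
    events = list(parse(log))
    return {"accounts_hit_from_many_ips": flag(events, 2, 1),
            "ips_hitting_many_accounts": flag(events, 1, 2)}
```

The constructed gina events are spread over an hour and are not flagged, so a short window alone misses slow guessing.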
The 10 million passwords become seeds for generating billions of variants.
The file xato-net-10-million-passwords.txt is a publicly available wordlist containing 10 million unique plaintext passwords. Originally compiled by researcher Mark Burnett from various data breaches (e.g., LinkedIn, RockYou, MySpace, and other leaks prior to 2014), it has become a standard tool for penetration testing, password policy auditing, and academic research into user behavior. This paper examines the dataset’s composition, common findings, and its implications for modern cybersecurity.