Hacker News
by legalcorrection 1416 days ago
This is wrong. You are logging their password attempts and then sharing them with the world. It doesn’t matter that you think you know they are scammers. What gives you the right to dispense vigilante justice by disclosing people’s passwords? Shame on you.
4 comments

you are mistaking scammers with spammers, and also mistaking what the poster thinks with reality

the reality is they are spammers, because spamming the poster is the only way they can end up with a reply email containing a link with a valid key to interact with this API

if they didn't send unsolicited commercial emails, there's no way they can interact with this API and get their passwords logged

This is a common misconception. Cold emailing is legal under the CAN-SPAM Act.

this is a common misconception, unsolicited commercial emails are still spam, whether or not they are legal

spam is orthogonal to legality

He's not sharing the email addresses, only anonymous password attempts.
People reuse passwords and having your password appear in a list of known passwords, even without being associated to your email, is reason enough to change it.
It's not like "wasibutt123" was very secure to start with.
Thanks for your post. I enjoyed it so much I almost up-voted it.