I hazard it depends on the jurisdiction - one thing I remember from my vague parsing of Australia's cyber crime laws (IANAL etc) is that possession of these lists/hacking tools was only criminal where there was an intent to use them for another criminal act (Crimes Act 478.3, probably superseded [1])

[1]: https://www.legislation.gov.au/Details/C2004A00937