Euro Security Watch with Mathew J. Schwartz

Breach Notification , Data Breach , Privacy

Has LeakedSource Gone Dry? Subscription-Based Data Breach Notification Service Reportedly Shuttered by the Feds
Has LeakedSource Gone Dry?
Photo: Steve Dorman (Flickr/CC)

The subscription-based data breach notification service LeakedSource appears to have gone dry.

See Also: Three and a Half Crimeware Trends to Watch in 2017

The service was allegedly raided by an unnamed law enforcement agency Jan. 26, and the LeakedSource website remains inaccessible. It's not clear where the site was based, or which law enforcement agency allegedly seized its servers. The FBI didn't immediately respond to my query about whether it was involved.

"For whoever is behind LeakedSource, I hope this incident presents an opportunity to rethink the ethics of how personal data should be handled." 

But the writing has been on the wall for the service since late 2016, when it appeared that the site's administrators "were erring very much on the black side of grey," according to Australian developer and data breach expert Troy Hunt.

What wasn't clear, he says in a blog post, was whether LeakedSource was just gathering leaked data that was already in the wild, or whether by paying for leaked data, it might have driven hackers to perpetrate new breaches. "Speculation was rife that there was incentivization occurring not just to provide data that had already been obtained, but to actively seek out new targets that could subsequently be added to the feed of data then monetized by selling the personal information of the victims to whomever was willing to pay for it," he says.

To date, that's just speculation. Even if it was proven to be true, furthermore, "it's not yet clear whether this contributed to the take down or if it was solely due to the services directly provided on the site," Hunt says.

Report: 'Owner Raided'

The news of LeakedSource's alleged takedown broke Jan. 26 via this Pastebin post.

News of the apparent law enforcement raid and seizure of LeakedSource's solid-state hard drives first broke Jan. 26 via text-sharing site Pastebin: "Leakedsource is down forever and won't be coming back," someone using the "LTD" handle claimed. "Owner raided early this morning. Wasn't arrested, but all SSD's got taken, and Leakedsource servers got subpoena'd and placed under federal investigation. If somehow he recovers from this and launches LS again, then I'll be wrong. But I am not wrong."

If true, that may represent the end for LeakedSource, which launched in late 2015. The site quickly triggered controversy for selling access to breached data, unlike some other breach-notification services. For example, the free Have I Been Pwned? service, run by Hunt, notifies registrants directly when their email address shows up in a data dump, but doesn't store any breached passwords (see Troy Hunt: The Delicate Balance in Data Breach Reporting).

Massive Historical Breaches Unearthed

LeakedSource's business model aside, knowledge about multiple mega-breaches - some historical - first came to light via the service, sometimes through its work with Tessa88@exploit.im, a mysterious figure who supplied it with multiple batches of breached data for free (see LeakedSource: 'Assume Every Website Has Been Hacked').

LeakedSource, for example, was the first such service to obtain some massive troves of breached user data from international social networking site Badoo.com, FriendFinder, LinkedIn, MySpace and Russia's web portal Rambler.

Viewed charitably, the site's efforts helped speak truth to power (see Report: US Data Breaches Reach Record Levels).

But the service's efforts didn't go unnoticed by breached organizations. LinkedIn, for example, slapped the site with a cease-and-desist order in May 2016, telling Threatpost: "We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply."

LeakedSource responded by via Pastebin, accusing LinkedIn of "blowing steam out their ass," while conceding that "for the next couple of days we are going to censor hashes from that particular data set while we consult with our legal team from OUR jurisdiction."

Meanwhile, LinkedIn has never responded to my multiple requests for comment about how the organization failed to spot that 165 million LinkedIn credentials had gone missing in 2012, which came to light via LeakedSource (see LinkedIn Sale: Mega Bucks, No Matter Mega Breach).

3.1 Billion Leaked Credentials and Counting

LeakedSource continued to add credentials from newly discovered breaches. On Jan. 8, for example, the site told me that 36 new, alleged leaks had been added to the service, and detailed when the data had likely first been obtained by attackers:

  • Youku.com: 100 million users user credentials, 2016 breach;
  • R2Games.com: 41 million user credentials, December 2015 breach;
  • UUU9.com: 18 million user credentials, September 2016 breach;
  • Tunngle.net - 7 million user credentials, August 2015 breach;
  • HelloKitty.com - 3 million users credentials, December 2015.

But the site's apparent takedown is a reminder that there's a difference between warning people when their personal details may have been compromised, and offering to sell those personal details to others. Hunt, for example, said that a friend who paid for the service shared information with him, showing that the service contained leaked data relating to Hunt, including his birth date, IP address, and multiple password hashes - some of them cracked.

LeakedSource claimed to have 3.1 billion leaked credentials in it database as of Jan. 12, 2017 (via Internet Archive Wayback Machine).

LeakedSource never divulged where it was based, and it protected its sites using the Cloudflare distributed denial-of-service attack defense service, which can obscure domain registrant information. But according to some open-source research, the group's servers may have been hosted in the Netherlands (see Hacker Havens: The Rise of Bulletproof Hosting Environments).

Ethical Questions

Still, it's not even clear that all of its members are, legally speaking, adults (see Young Hackers: Jail Time Appropriate?). In December 2016, a member of the group told Wired that some of the group's members "have other sources of income and others are still in school."

For now, it's unclear if the service will resume. "For whoever is behind LeakedSource, I hope this incident presents an opportunity to rethink the ethics of how personal data should be handled," Hunt says.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network