A website that sold access to a database of more than 3 billion hacked accounts has suddenly vanished. LeakedSource had built a business on collecting and packaging information exposed through various data breaches. It gathered compromised account details and made them searchable so users could see which of their email addresses, phone numbers and passwords were vulnerable. The site was controversial, however, because anyone could pay for advanced search capabilities. LeakedSource said its mission was to educate people who might be affected, and pressure companies to disclose breaches. Critics argued, however, that it gave hackers the means to access innocent people’s accounts.
The circumstances surrounding the site’s disappearance are murky. A user going by “LTD” wrote in an online forum on Thursday: “LeakedSource is down forever and won’t be coming back. Owner raided early this morning. Wasn’t arrested, but all SSDs got taken, and LeakedSource servers got subpoena’d and placed under federal investigation. If somehow he recovers from this and launches LeakedSource again, then I’ll be wrong. But I am not wrong.” Such reports are currently unconfirmed, however.
LeakedSource has always maintained that the information in its database was already publicly accessible. “All we do is combine it in one easy to use location,” a spokesperson told Wired recently. Some suspect the team was encouraging the community to come forward with new data dumps, however. Troy Hunt, a security researcher who runs a similar service called Have I Been Pwned, writes on his blog: “There was a constant flow of data that wasn’t appearing anywhere else in the usual trading circles before first coming to air via their service. Speculation was rife that there was incentivisation occurring not just to provide data that had already been obtained, but to actively seek out new targets.”
Another point of controversy: the team decrypted passwords it had obtained through data dumps. Making your actual password searchable, rather than a scrambled set of characters, was obviously attractive to users. If one of your accounts was compromised, it meant you could see exactly which password was affected and change it on any accounts using the same character string. The practice meant the database was more valuable to hackers too, however. LeakedSource was arguably doing the heavy lifting, making it a cinch for hackers to set up a script and gain access to some of their victims’ other accounts.
LeakedSource was also valuable as a journalistic tool. In its relatively short life span (the site first gained traction in late 2015), the site provided access and context to data breaches at AdultFriendFinder, Myspace, Twitter and the Russian internet giant Rambler.ru.
The site’s closure, should it be permanent, will likely provoke a discussion around the ethics of hack disclosures. LeakedSource isn’t the only site where you can check to see if your personal information has been compromised. Have I Been Pwned, for instance, lets you easily check if your email address or username was ever exposed in a hack. Its creator, Hunt, takes a vastly different approach to LeakedSource though. The site “never makes any sensitive personally identifiable data available to anyone, not even the legitimate owners of the data.” Less valuable perhaps, but it stops sensitive data from falling into the wrong hands.