Data hoarding site represents the dark side of data breach monitoring

LeakedSource, a giant repository online that stores stolen databases, can potentially make hacking easier

A site that's been warning the public about data breaches might actually be doing more harm than good.

Enter LeakedSource, a giant repository online that can potentially make hacking easier. Your email address and the associated Internet accounts -- including the passwords -- are probably in it.

In fact, the giant repository is made up of stolen databases taken from LinkedIn, Myspace, Dropbox, and thousands of other sites. It bills itself as a data breach monitoring site and for months now, it's been collecting details on hacks, both old and new, and alerting the media about them.

But the repository also features something that might be illegal: a search function that can look up all the stolen information. It’s also why LeakedSource is probably becoming a tool for novice hackers.

A hacking resource

For US$2 a day, a subscriber at LeakedSource can enter an email address or username and find details on which internet accounts it was used to register with. Not only that, LeakedSource will crack the associated passwords when it can.

The search function has made it popular on HackForums.net, what one Reddit user described as a breeding ground for script kiddies. A number of threads at the forum mention how LeakedSource can be used for hacking.

One user, for instance, is offering an ebook for $8 on that very topic. Others are offering advice on how to use LeakedSource as a way to hack a social media account or to dox someone and dump the person’s files online.

“Ever wanted to be an elite hacker and show off?” wrote one user. “Here’s a small tutorial on how to break into a Youtuber’s account using a database looking up tool called: LeakedSource.”

On Monday, LeakedSource declined to answer questions about the legality of the site. The operators behind the service remain anonymous, but they say they don't condone any hacking.

However, as far back as October 2015, LeakedSource appears to have begun promoting itself on HackForums.net. When asked about this over email, LeakedSource didn't directly respond.

Instead, the site's operators claim that all the information they store and index is already available on the internet.

"Before people start pointing fingers at us, anyone is free to download well over a billion records from the clear web," LeakedSource said in an email that included links to stolen databases taken from Myspace and LinkedIn.

Legal concerns

The site has also said it's not responsible for any data breaches. It merely collects the stolen databases, often by searching through the Dark Web, or by receiving them from anonymous hackers, LeakedSource has said.

"Many of (the hackers) like what we do, some want to draw publicity to themselves and others don't want their 'enemies' to be able to profit off selling data," it said in an earlier email. 

But even as it may not have been involved in any hacking, legal experts say the site's activities can still be seen as a crime.

Posting stolen passwords on the site can be considered a form of wiretapping, said Susan Freiwald, a law professor at the University of San Francisco. The Electronic Communications Privacy Act prohibits the dissemination of any device that can be used for "surreptitious interception."

She questioned why a site -- that claims to protect users' data -- offers a search function that can crack stolen passwords or look up someone else's information.

"If the whole goal of the site is to warn me, it should never give out my password," she said. "I think this is very suspicious. It doesn't make sense."

The site is essentially making money off of people's stolen data -- and potentially giving hackers a useful way to target victims with what services and user screen names they use, added Christopher Dore, a lawyer with the Edelson law firm.

"They are taking this too far, and monetizing this in a way that's dangerous for consumers," he said. Government regulators, including the Federal Trade Commission, might take notice and want to intervene, he added.

Ongoing risks

Internet users don't necessarily need to panic. Many of the databases stored on LeakedSource are years old and might pertain to internet accounts that are no longer in use.

For example, the LinkedIn database on file comes from 2012, and the company has already reset the stolen passwords affected. In other cases, the databases on file only contain hashed passwords that are almost impossible to crack. 

But even so, that doesn't mean the stolen data is useless. The biggest danger is that less tech-savvy users are re-using the same passwords across multiple internet accounts and forgetting to change them. 

Internet users concerned with their privacy appear to be alarmed. After LeakedSource became widely publicized in the media, it was overwhelmed with requests from users wanting their information to be taken down from the site.

"Our Contact form volume has increased by a multiple of 100 from removal requests and we are unable to read other potentially important messages," LeakedSource said at the time. 

Users can still remove themselves from the LeakedSource site by visiting the site's removal page.

When warning the public about data breaches, there's a danger of posting too much information, said Troy Hunt, an Australian software architect who runs a breach monitoring service called Haveibeenpwned.com. His site routinely collects new databases as well.

Unlike LeakedSource, however, his site doesn't offer any paid search to look up passwords, and for good reason. "As much as there’s potential to improve the state of online security, there’s also the risk of making it worse," he said in an email.

His own site continues to evolve, to prevent Haveibeenpwned from revealing sensitive details on users. 

Michael Kan

IDG News Service