LeakedSource Goes Offline Following Alleged Law Enforcement Raid

LeakedSource, a website that made information stolen in data breaches available for anyone to purchase, has gone offline. Someone posting to the OG Flip message boards alleged that the site's owner was raided by law enforcement and that all of its servers are subject to federal investigation. The site's operators have neither confirmed nor denied this explanation for the site going offline, but its peddling of private data makes the claims seem plausible enough.

Here's the forum post, as copied to Pastebin:

Yeah you heard it here first. Sorry for all you kids who don't have all your own Databases. Leakedsource is down forever and won't be coming back. Owner raided early this morning. Wasn't arrested, but all SSD's got taken, and Leakedsource servers got subpoena'd and placed under federal investigation. If somehow he recovers from this and launches LS again, then I'll be wrong. But I am not wrong. Also, this is not a troll thread. EDIT: Don't forget that LTD was the first person to make this news public.

LeakedSource revealed information to the public about many hacks, ranging from the Friend Finder Networks data breach that affected 400 million people to attacks on smaller websites. The information contained within its databases depended on the breach: Some included only usernames and secure passwords, whereas others revealed information such as someone's birthday, IP address, email addresses, and cracked passwords, among other things.

High-Tech Bridge CEO Ilia Kolochenko said in a statement that it's "not a big surprise" that LeakedSource has shut down. "Despite the good faith declared by the resource, it was aggregating personal data of data breach victims, initially obtained in a criminal or unlawful way," Kolochenko said. "Nevertheless, the resource was also serving a public interest by providing people with information if and how their data had been compromised."

Handling this stolen information can be tricky. Verifying it often requires contacting people affected by a breach to see if they'll confirm that their data was stolen, though some people also sign up for as many sites as possible and check to see if their own information has been leaked. Once it's been verified, different groups handle the data in differing ways, depending on whether their goal is to protect the public or to profit from the data breaches.

Journalists often keep private information to themselves, for example, while offering a sense of a hack's scope. Other groups allow people to see if they were affected by a breach, and still others sell the compromised data to anyone willing to pay for it. LeakedSource combined two of those approaches: It would publish blog posts describing how many people were affected by a breach and what information was stolen, but it also sold access to leaked data.

Troy Hunt, operator of the "Have I been pwned?" website that allows people to see if their information was included in a breach, said in a blog post that this dual approach to handling private data is probably why LeakedSource was raided while HIBP has been allowed to operate since December 2013:

HIBP never makes any sensitive personally identifiable data available to anyone, not even the legitimate owners of the data. In fact, some time back I wrote about how I will not provide data breaches to other parties either in full (I've never passed a breach to anyone else), or in part (I always point individuals to that post when they ask for their data). The only exceptions I can think of is when I'm verifying a breach and I've written publicly before about how I'll reach out to existing HIBP subscribers and seek their support in verification by providing them snippets of data. Certainly, under no circumstances would I ever provide someone who doesn't own the data any access to it whatsoever. If you can demonstrate that you own the domain then you can see which accounts have appeared in which data breaches (many companies use this as a means of monitoring the risk their organisations are exposed to), but that's a far cry from handing over sensitive PII to strangers. [...] I've also never paid for data nor traded any of the breaches I've obtained. Creating a commercial market in no way improves the state of security, it merely provides incentive for malicious parties to obtain even more data.

Others will not be as scrupulous. LeakedSource's shutdown created a vacuum that will probably be filled. As long as there's stolen information to be sold, someone will be there to sell it. The question is whether these people will take the same two-sided approach as LeakedSource or if they'll merely act as a marketplace for private data.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • bit_user
    I'm surprised this was being operated:
    1. out of his home
    2. inside the US

    Like WTF, really? I wish all cyber criminals were this dumb.

    I'm glad the HIBP guy was interviewed. I couldn't remember the name of his site (ironic, I know, but only went there once) and was hoping it wasn't him that got shut down.
  • bit_user
    Okay, let's try something.

    Say there's a site selling your hacked data, but it's outside the jurisdiction of your government's authorities. Furthermore, there's not even an extradition treaty with the legal territory from which it's being run. Would you support government hackers taking such sites offline?

    Vote up if yes, down if no.
  • krb1945
    Anyone that hacks, sells, or otherwise tampers with someone else's computer information should do some serious jail time.

    Anyone that has ever had their identity stolen will understand, and know this sentiment. Some may even state these criminals should be executed.
  • bit_user
    19229068 said:
    Anyone that has ever had their identity stolen will understand, and know this sentiment. Some may even state these criminals should be executed.
    My sympathies.

    Not to defend the hackers, but it's really the ones using the stolen identities who do the damage. I'd focus the worst punishments on them, and the middlemen, like the guy who got busted here. I can't agree on death penalty.