LeakedSource, a website dedicated to informing the public about data breaches, has gone offline and it has been 24 hours now since it is down. Speculations are rife that the website has become the target of a raid from law enforcement for being a controversial platform of breach notification. The assumption comes from the message posted on Pastebin by a user. The message read:
“LeakedSource is down forever and won’t be coming back. Owner raided early this morning. Wasn’t arrested, but all SSD’s got taken, and LeakedSource servers got subpoenaed and placed under federal investigation. If somehow he recovers from this and launches LS again, then I’ll be wrong. But I am not wrong.”
If this is true, then most likely the US law enforcement authorities are responsible for the raid.
It is indeed true that LeakedSource is a rather controversial website for some since it garnered criticism and to some extent resentment from many companies that wanted to keep the information about data breaches confidential. Until now the site has highlighted a number of data breaches including Last.fm, FriendFinder Networks, LinkedIn, VerticalScope, Rambler and DailyMotion.
It is worth noting that 2016 has been quite a difficult year for organizations and users alike since the year showcased a record-breaking number of data breaches and around 4.2 billion records got exposed. Since then, the website has been sticking out like a sore thumb for those affected by the breaches the most.
Since 10th January, the Twitter account of LeakedSource has remained inactive and on various occasions, LeakedSource users have complained about the website being unresponsive or offline. The same seems to be the case in this scenario as well but this time users are speculating that the site may never come back online. Users are naturally irritated as some of the site’s users claimed on hacker forums that they recently bought LeakedSource subscription.
The threat from law enforcement raiding and taking down such websites always lingers on to those running them. So, does this mean, the law enforcement will raid every breach notification website? Probably not, says Troy Hunt, owner of another breach notification website Have I Been Pwned (HIBP), in his latest blog post.
Hunt noted: “LeakedSource provided sensitive personal information obtained from data breaches to anyone willing to pay for it. It was a service that occasionally popped up in news stories and recently appeared on Wired. I’ve been asked for my views on the service in the past and how I felt about them providing passwords to people who didn’t own them. If I’m honest, it’s not something I gave much thought too… until someone sent me my personal data.”
Australian security expert Troy Hunt claims that the difference between his service and LeakedSource is that his site is never used for nefarious purposes while the same cannot be said about LeakedSource. The reason is the presence of sensitive information on the website in large proportions. Allegedly, the site’s databases stored 3.1bn accounts, and all those users who bought subscription could access to these accounts. They could easily access important, private data such as usernames, cleartext and hashed passwords, IP addresses and email IDs. This made the site vulnerable to exploitations from malicious threat actors.
He further stated that HIBP has been running successfully for the past three years and he has also been making changes to address the changing sentiments of the public and the variations in the ‘data breach landscape.’
“For example, when news of the Ashley Madison data breach hit, I elected to build out functionality to keep data from “sensitive” breaches beyond the reach of anyone who doesn’t own the email address impacted by the incident (or the domain it sits on). At the time, that took a lot of thought, but in retrospect the conclusion was simple: the data could cause serious harm to people so let’s make sure that can’t happen.”
Hunt explains that LeakedSource wasn’t appropriately protected either. The site was operating via CloudFlare and services like CrimeFlare made it an easy task for the law enforcement to obtain the real IP address of the site. Hunt notes that no matter who is responsible for the closure of LeakedSource and whether it has been closed or not, the incident presents an opportunity to reconsider the ethics of handling private data.