Latest in Culture

Image credit: Thomas Trutschel via Getty Images

LeakedSource and its database of hacked accounts is gone

The controversial site sold access to billions of compromised account details.
449 Shares
Share
Tweet
Share
Save

Sponsored Links

Thomas Trutschel via Getty Images

A website that sold access to a database of more than 3 billion hacked accounts has suddenly vanished. LeakedSource had built a business on collecting and packaging information exposed through various data breaches. It gathered compromised account details and made it searchable so users could see which of their email addresses, phone numbers and passwords were vulnerable. The site was controversial, however, because anyone could pay for advanced search capabilities. LeakedSource said its mission was to educate people who might be affected, and pressure companies to disclose breaches. Critics argued, however, that it gave hackers the means to access innocent people's accounts.

The circumstances surrounding the site's disappearance are murky. A user going by "LTD" wrote in an online forum on Thursday: "LeakedSource is down forever and won't be coming back. Owner raided early this morning. Wasn't arrested, but all SSDs got taken, and LeakedSource servers got subpoena'd and placed under federal investigation. If somehow he recovers from this and launches LeakedSource again, then I'll be wrong. But I am not wrong." Such reports are currently unconfirmed, however.

LeakedSource has always maintained that the information in its database was already publicly accessible. "All we do is combine it in one easy to use location," a spokesperson told Wired recently. Some suspect the team was encouraging the community to come forward with new data dumps, however. Troy Hunt, a security researcher that runs a similar service called Have I Been Pwned, writes on his blog: "There was a constant flow of data that wasn't appearing anywhere else in the usual trading circles before first coming to air via their service. Speculation was rife that there was incentivisation occurring not just to provide data that had already been obtained, but to actively seek out new targets."

Another point of controversy: the team decrypted passwords it had obtained through data dumps. Making your actual password searchable, rather than a scrambled set of characters, was obviously attractive to users. If one of your accounts was compromised, it meant you could see exactly which password was affected and change any accounts using the same character string. The practice meant the database was more valuable to hackers too, however. LeakedSource was arguably doing the heavy lifting, making it a cinch for hackers to set up a script and gain access to some of their victim's other accounts.

LeakedSource was also valuable as a journalistic tool. In its relatively short life span (the site first gained traction in late 2015), the site provided access and context to data breaches at AdultFriendFinder, Myspace, Twitter and the Russian internet giant Rambler.ru.

The site's closure, should it be permanent, will likely provoke a discussion around the ethics of hack disclosures. LeakedSource isn't the only site where you can check to see if your personal information has been compromised. Have I Been Pwned, for instance, lets you easily check if you email address or username was ever exposed in a hack. Its creator, Hunt, takes a vastly different approach to LeakedSource though. The site "never makes any sensitive personally identifiable data available to anyone, not even the legitimate owners of the data." Less valuable perhaps, but it stops sensitive data from falling into the wrong hands.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
449 Shares
Share
Tweet
Share
Save

Popular on Engadget

Engadget’s guide to Home Entertainment

Engadget’s guide to Home Entertainment

View
The Morning After: Google finally reveals the Pixel 4

The Morning After: Google finally reveals the Pixel 4

View
Vatican launches $110 'click to pray' wearable rosary

Vatican launches $110 'click to pray' wearable rosary

View
The (Day)dream is over: Phone-based VR is well and truly dead

The (Day)dream is over: Phone-based VR is well and truly dead

View
There's now a Harry Potter subscription service

There's now a Harry Potter subscription service

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr