Naked Security

Questions linger as data breach trading site LeakBase disappears

If account credentials stolen during a data breach are posted on public servers, is it ever legitimate business to make money trading access to this data?

It sounds dubious, but this is precisely what a small group of websites started doing two years ago to almost no applause.

The claim was that turning breaches into a business would aid notification because it would help advertise them quickly once the data appeared online somewhere, usually on the dark web.

The counter argument was that low-level connected criminals less savvy with dark web sources would also be enthusiastic subscribers, which would turn sites into databases fuelling more online crime.

Now with the news that a prominent name in the sector, LeakBase.pw, went silent last weekend, it appears breach-as-a-service might be on its last legs.

On 2 December LeakBase started redirecting to Troy Hunt’s campaigning breach site Have I Been Pwned? (HIBP), confirming an earlier message from the site’s Twitter feed that something was up:

This project has been discontinued, thank you for your support over the past year and a half.

Which, to anyone who thinks that selling credentials stolen during data breaches is not a legitimate activity in the first place, will count as a good day for security.

Earlier this year, another breach site called LeakedSource disappeared with identical suddenness, reportedly after being raided and having its servers seized by the FBI.

This should have cleared the way for LeakBase to dominate the market but now it too has succumbed to unspecified troubles. The nature of those troubles, which ironically started in April when the site was itself breached, defaced, and subsequently changed ownership, still interests a lot of people.

According to security blogger Brian Krebs, one of the site’s founders may have links to an illegal dark web drugs website, Hansa, taken over by Dutch police in July in order to covertly monitor its customers and users.

Not to mention that handling breached data was always likely to attract the attention of police, Troy Hunt of HIBP told another news site.

Is their demise a simple cause for celebration?

It might appear so if it weren’t for the knack some of these sites had of discovering unknown breaches, typically old ones nobody knew about. A good example was the 2016 Dropbox breach affecting 68 million users, which LeakBase brought to light years after it happened in 2012.

Recently, the site was at it again, telling a news site about a breach at Taringa affecting another 28 million users.

As LeakedSource summed it up in 2016:

For the most part, the reason all of these mega breaches are coming to light now is because we’ve gone out and found the data exists.

Clearly these sites were uncovering breaches. The problem was that they sold access to this data, telling journalists about it to attract attention to their services.

Public service sites such as HIBP and Vigilante.pw are the obvious alternatives whose recent success in making unknown breaches public might in any case have rendered the whole idea of paid breach databases obsolete.

What remains unsettling is that something as critical as data breach discovery is being left up to small and under-resourced sites to do off their own bat. Software vulnerabilities eventually turned into a thriving area of independent research – for profit as well as public service – why can’t the same be the case for data breaches?