LinkedIn, Twitter, MySpace, and many more social media sites have reportedly been hacked in recent weeks… or have they? All roads to these hacks lead to one site, LeakedSource. So what’s going on here? LeakedSource says “all data offered is derived from public sources automatically. LeakedSource does not verify or evaluate each piece of data, and makes no warranties or guarantees about any of the information offered.” They claim that “this site’s goal is to make it easy to find where your data has been released publicly… We are not responsible for any data leaks, we just find them for you and our scripts make them searchable.” LeakedSource searches the regular and deep web for possible leaks. If they find leaked databases in the deep web, they will pay for them. They admit that some of the hacked sites may no longer be active and that the databases may come from hacks that happened years ago (which is probably why they can buy these for a low price as they are useless to carders). “We’re scavengers, not hackers — we don’t get to pick and choose.” They now claim to have almost 2 billion records in their database. Here are just a few listed on their site.
As a public service, they will let you search for your own records in this database. You can search by your username, IP address, email address, first and last name, or phone number. The search will tell you what site your information was hacked from and what information is available. They will not give you the exact information. If you want that, you have to be a subscriber. This will cost you about $30 a month, payable in Bitcoin or via PayPal.
You are advised only to “search information about yourself, or those you are authorized in writing to do so. Searching information on others is strictly prohibited.” Really? Then why would I pay for unlimited use? Am I only going to continually search to see if new data on me has just been hacked? I doubt it. There are other scenarios that are far more likely.
To give you an example, I went to LeakedSource and typed in the name of someone I knew, although I did not know him well. I chose him because I figured he was not concerned much about online security; i.e. his Facebook page was open to the public. LeakedSource found two sites that had been hacked and had data under this name. If I paid to subscribe, I could get the person’s “email, username, hash, possible plaintext password, firstname, lastname, and birthday.” They gave me the two website names he had supposedly had his information hacked from. One of the websites was a dating site. Well, this was a little odd since the guy I searched for was married. Of course, there could be other people with the same name, even though the name was somewhat unique. I needed to narrow down my target, which I did by getting his email address. I got this by tracing him through his company website. When I typed the more specific email address in, I still found that he was on the same dating site. He was also listed on MySpace.
I suppose I could have paid to subscribe to LeakedSource to find the password to this dating site and verify if this was, indeed, him. I could also use the more difficult approach of trying to hack the site’s password or his email password, which I suppose I could have done. I did not. However, if, for some reason, I really wanted to expose this person, I probably would have paid for this extra information. I would then be free to log onto the site and see what he had been up to. I could also change his contact details to take full control of his account. Remember, however, I wouldn’t even have known he was on the site if it weren’t for LeakedSource. If I were a hacker, I could have used some extortionist tactic on him (pay me or I’ll tell your wife and Facebook contacts). It would return my investment in the information I paid LeakedSource for. Then again, if I were his wife and I found this information, things could have gotten a bit tense at home. But the point again is that it all started from LeakedSource.
LeakedSource may try to discourage individuals from searching for information on others, but it does not discourage businesses from doing so. In fact, it encourages it. LeakedSource offers what it calls an “API for business use to help businesses determine which of their users can be found in leaked databases. This information can be important to cybersecurity companies and anyone who provides an online service to help protect their customers.” The pricing is determined by how many searches a company may want to perform and ranges from $1,000 to $100,000 a month. Through the use of an API key, they can probably keep track of the number of searches from a certain account. Still, they don’t really know who this account belongs to. If I were a hacker trying to generate a list of email addresses to, for example, sell to spammers, LeakedSource would be a good place to go. With the use of wildcards, I could search for all available Gmail or Yahoo addresses.
But why should I pay for any of this when I could get it for free? That’s right. LeakedSource is almost a complete copy of a free ‘find if you’ve been hacked’ site called ';--have i been pwned? (pwned: taken control of/owned/hacked). Here, I searched for the same guy who I searched for at LeakedSource and found the MySpace hack and one other retail site that was hacked. Some hacked sites had access to their data restricted because “certain breaches are particularly sensitive in that someone’s presence in the breach may adversely impact them if others are able to find that they were a member of the site.” These include dating sites like Ashley Madison. You can get this information but need to subscribe to the site by giving them your email address. This stops others from getting hold of this sensitive information and blackmailing you or otherwise degrading your reputation. The big difference (and it’s a very big difference) between ‘have I been pwned?’ and LeakedSource is that ‘have I been pwned?’ does not have passwords and other data that you can pay for. You only get the information that passwords, for example, were included in the hack. In other words, it actually seems designed to help people who are worried that they, personally, have been hacked. You cannot use the service to gather damaging information on other people. Other sites, like BreachAlarm, take this privacy matter even further, only allowing you to search for your own email address.
In the final analysis, LeakedSource is no different from other sites that let the average user see if they’ve been the victim of a hack. However, for hackers, stalkers, and insecure spouses, it’s a much better tool.
LeakedSource has apparently developed a relationship with some Russian hackers who apparently feed them whatever they happen to dredge up. These hackers, Tessa88 and peace_of_mind, have sites on deep web markets that sell such information.
By acquiring the information from old hacks and publicizing it, LeakedSource gets a great deal of attention and free advertising. Such publicity makes it appear as if these hacks are new. Some may be, but most are not. Old or not, they can still be useful to hackers. The information in these hacks can be used to attack certain high profile individuals who have not changed their passwords since those hacks occurred. This is how Mark Zuckerberg was hacked.
My guess is that many of these celebrity hacks could originate with LeakedSource. Simply find a celebrity in the database, pay for the password, and test it to see if it still works. The OurMine Team, which hacked Zuckerberg, admits to hacking a number of other high profile targets. They have been known to ask for ransom, which would more than pay for their investment. Their website insists that they are a ‘white hat’ hacker team and will be happy to check for vulnerabilities in your (or other) accounts. They will even scan your corporate network for $5,000. The question is whether you really want them on your network. Nothing would stop LeakedSource from doing the same thing if they wanted to. I only know that if I were a hacker or a stalker, one of my first stops would be LeakedSource.