The data breach aggregator and lookup service LeakedSource has gone offline following what appears to have been a police raid.
On 27 January, someone announced on an online forum post that police had raided the website’s owner and shut down many of its networking resources.
The forum post is inaccessible to most members of the public. However, an excerpt from the post is available on Pastebin. It reads as follows:
“Yeah you heard it here first. Sorry for all you kids who don’t have all your own Databases. Leakedsource is down forever and won’t be coming back. Owner raided early this morning. Wasn’t arrested, but all SSD’s got taken, and Leakedsource servers got subpoena’d and placed under federal investigation. If somehow he recovers from this and launches LS again, then I’ll be wrong. But I am not wrong.”
There’s been no official word from anyone associated with LeakedSource so far.
Overall, I don’t think anyone is too surprised by LeakedSource’s disappearance.
While in operation, the service maintained an ethical justification for what it did on rocky ground.
On the one hand, there were many users who employed LeakedSource to receive notifications of data breaches, verify if their credentials had been exposed, and change their usernames/passwords if they found their information leaked online.
At the same time, security researchers referred to the service to stay on top of the latest security events.
The leaked records also helped provide insight into what passwords users were choosing for their accounts, at times terrifying insight which no doubt inspired security awareness training at dozens and dozens of organizations.
But there was a dark side. Call it an “unintended but expected” consequence.
Namely, anyone who paid for a LeakedSource subscription could use the service to access billions of other people’s login credentials. That of course means bad actors could have abused their subscription to look up people’s details and try to authenticate them across various web services.
Perhaps law enforcement grew tired of these murky ethics and decided to take action. That’s assuming a raid even occurred at all.
Love or hate it, the security community will feel the absence of LeakedSource.
There’s a chance the site could resurface. But if it does, there’s no guarantee it will take on the same role as its progenitor by cracking password hashes and releasing password data. That could be a good thing. Though at this point, it’s just too early to tell.