A site that's been warning the public about data breaches might actually be doing more harm than good.
Enter LeakedSource, a giant repository online that can potentially make hacking easier. Your email address and the associated Internet accounts -- including the passwords -- is probably in it.
In fact, the giant repository is made up of stolen databases taken from LinkedIn, Myspace, Dropbox, and thousands of other sites. It bills itself as a data breach monitoring site and for months now, it's been collecting details on hacks, both old and new, and alerting the media about them.
But the repository also features something that might be illegal: a search function that can look up all the stolen information. It’s also why LeakedSource is probably becoming a tool for novice hackers.
A hacking resource
For US$2 a day, a subscriber at LeakedSource can enter an email address or username and find details on what internet accounts it was used to registered with. Not only that, LeakedSource will crack the associated passwords when it can.
The search function has made it popular on HackForums.net, what one Reddit user described as a breeding ground for script kiddies. A number of threads at the forum mention how LeakedSource can be used for hacking.
One user, for instance, is offering an ebook for $8 on that very topic. Others are offering advice on how to use LeakedSource as a way to hack a social media account or to dox someone and dump the person’s files online.
“Ever wanted to be an elite hacker and show off?” wrote one user. “Here’s a small tutorial on how to break into a Youtuber’s account using a database looking up tool called: LeakedSource.”
On Monday, LeakedSource declined to answer questions about the legality of the site. The operators behind the service remain anonymous, but they say they don't condone any hacking.
However, as far back as October 2015, LeakedSource appears to have begun promoting itself on HackForums.net. When asked about this over email, LeakedSource didn't directly respond.
Instead, the site's operators claim that all the information they store and index is already available on the internet.
"Before people start pointing fingers at us, anyone is free to download well over a billion records from the clear web," LeakedSource said in an email that included links to stolen databases taken from Myspace and LinkedIn.
The site has also said it's not responsible for any data breaches. It merely collects the stolen databases, often by searching through the Dark Web, or by receiving them from anonymous hackers, LeakedSource has said.
"Many of (the hackers) like what we do, some want to draw publicity to themselves and others don't want their 'enemies' to be able to profit off selling data," it said in an earlier email.
But even as it may not have been involved in any hacking, legal experts say the site's activities can still be seen as a crime.
Posting stolen passwords on the site can be considered a form of wiretapping, said Susan Freiwald, a law professor at the University of San Francisco. The Electronic Communications Privacy Act prohibits the dissemination of any device that can be used for "surreptitious interception."
She questioned why a site -- that claims to protect users' data -- offers a search function that can crack stolen passwords or look up someone else's information.
"If the whole goal of the site is to warn me, it should never give out my password," she said. "I think this is very suspicious. It doesn't make sense."
The site is essentially making money off of people's stolen data -- and potentially giving hackers a useful way to target victims with what services and user screen names they use, added Christopher Dore, a lawyer with the Edelson law firm.
"They are taking this too far, and monetizing this in a way that's dangerous for consumers," he said. Government regulators, including the Federal Trade Commission, might take notice and want to intervene, he added.
Internet users don't necessarily need to panic. Many of the databases stored on LeakedSource are years old and might pertain to internet accounts they no longer in use.
For example, the LinkedIn database on file comes from 2012, and the company has already reset the stolen passwords affected. In other cases, the databases on file only contain hashed passwords that are almost impossible to crack.
But even so, that doesn't mean the stolen data is useless. The biggest danger is that less tech-savvy users are re-using the same passwords across multiple internet accounts and forgetting to change them.
Internet users concerned with their privacy appear to be alarmed. After LeakedSource became widely publicized in the media, it was overwhelmed with user requests, wanting their information to be taken down from the site.
"Our Contact form volume has increased by a multiple of 100 from removal requests and we are unable to read other potentially important messages," LeakedSource said at the time.
Users can still remove themselves from the LeakedSource site by visiting the site's removal page.
When warning the public about data breaches, there's a danger of posting too much information, said Troy Hunt, an Australian software architect who runs a breach monitoring service called Haveibeenpwned.com. His site routinely collects new databases as well.
Unlike LeakedSource, however, his site doesn't offer any paid search to look up passwords, and for good reason. "As much as there’s potential to improve the state of online security, there’s also the risk of making it worse," he said in an email.
His own site continues to evolve, to prevent Haveibeenpwned from revealing sensitive details on users.