December 4, 2017

Leakbase, a Web site that indexed and sold access to billions of usernames and passwords stolen in some of the world’s largest data breaches, has closed up shop. A source close to the matter says the service was taken down in a law enforcement sting that may be tied to the Dutch police raid of the Hansa dark web market earlier this year.

Leakbase[dot]pw began selling memberships in September 2016, advertising more than two billion usernames and passwords that were stolen in high-profile breaches at sites like linkedin.com, myspace.com and dropbox.com.

But roughly two weeks ago KrebsOnSecurity began hearing from Leakbase users who were having trouble reaching the normally responsive and helpful support staff responsible for assisting customers with purchases and site issues.

Sometime this weekend, Leakbase began redirecting visitors to haveibeenpwned.com, a legitimate breach alerting service run by security researcher Troy Hunt (Hunt’s site lets visitors check if their email address has shown up in any public database leaks, but it does not store corresponding account passwords).

Leakbase reportedly came under new ownership after its hack in April. According to a source with knowledge of the matter but who asked to remain anonymous, the new owners of Leakbase dabbled in dealing illicit drugs at Hansa, a dark web marketplace that was dismantled in July by authorities in The Netherlands.

The Dutch police had secretly seized Hansa and operated it for a time in order to gather more information about and ultimately arrest many of Hansa’s top drug sellers and buyers. 

According to my source, information the Dutch cops gleaned from their Hansa takeover led authorities to identify and apprehend one of the owners of Leakbase. This information could not be confirmed, and the Dutch police have not yet responded to requests for comment. 

A message posted Dec. 2 to Leakbase’s Twitter account states that the service was being discontinued, and the final message posted to that account seems to offer paying customers some hope of recovering any unused balances stored with the site.

“We understand many of you may have lost some time, so in an effort to offer compensation please email, refund@leakbase.pw Send your LeakBase username and how much time you had left,” the message reads. “We will have a high influx of emails so be patient, this could take a while.”

My source noted that these last two messages are interesting because they are unlike every other update posted to the Leakbase Twitter account. Prior to the shutdown message on Dec. 2, all updates to that account were done via Twitter’s Web client; but the last two were sent via Mobile Web (M2).

Ironically, Leakbase was itself hacked back in April 2017 after a former administrator was found to be re-using a password from an account at x4b[dot]net, a service that Leakbase relied upon at the time to protect itself from distributed denial-of-service (DDoS) attacks intended to knock the site offline.

X4B[dot]net was hacked just days before the Leakbase intrusion, and soon after cleartext passwords and usernames from hundreds of Leakbase users were posted online by the hacker group calling itself the Money Team.

Many readers have questioned how it could be illegal to resell passwords that were leaked online in the wake of major data breaches. The argument here is generally that in most cases this information is already in the public domain and thus it can’t be a crime to index and resell it.

However, many legal experts see things differently. In February 2017, I wrote about clues that tied back to a real-life identity for one of the alleged administrators of Leakedsource, a very similar service (it’s worth noting that the subject of that story also was found out because he re-used the same credentials across multiple sites).

In the Leakedsource story, I interviewed Orin Kerr, director of the Cybersecurity Law Initiative at The George Washington University. Kerr told me that owners of services like Leakbase and Leakedsource could face criminal charges if prosecutors could show these services intended for the passwords that are for sale on the site to be used in the furtherance of a crime.

Kerr said trafficking in passwords is clearly a crime under the Computer Fraud and Abuse Act (CFAA).

Specifically, Section A6 of the CFAA makes it a crime to “knowingly and with intent to defraud traffic in any password or similar information through which a computer may be accessed without authorization, if…such trafficking affects interstate or foreign commerce.”

“CFAA quite clearly punishes password trafficking,” Kerr said. “The statute says the [accused] must be trafficking in passwords knowingly and with intent to defraud, or trying to further unauthorized access.”


20 thoughts on “Hacked Password Service Leakbase Goes Dark”

  1. Larry

    Why else would someone buy passwords except to defraud?
    How funny that the hackers got hacked!

    1. Jon

      Knowing that the valid credentials just submitted to access your site can also be found in a database of previously stolen credentials is relevant context when making an authentication risk decision. It’s as true in fraud as it is in much of security that using the attacker’s intelligence against them can be quite effective. I’d rather see these services available in the light than hidden in the dark.

      1. Kayza

        You don’t need the actual passwords to make an assessment. haveIbeenpwned is a good example of a legitimate way of dealing with the issue.

  2. Michael

    “[…] if…such trafficking affects interstate or foreign commerce.”

    So such trafficking in passwords is not a crime when only INTRAstate commerce is affected? That makes sense. Not.

    1. Tarek

      Actually, it does make sense. The CFAA is a Federal law, not a State law. This separation of jurisdiction is well established in the USA.

      That said, if it’s on the internet and available to the general public, it has already crossed state lines and international borders.

    2. David

      Many federal regulations can do so only if it affects interstate commerce, hence the requirement. Notwithstanding, virtually anything internet will implicate interstate commerce.

  3. IA Eng

    It seems that these take downs are happening more frequently. That is great news. Let’s hope they keep it up.

  4. Questin

    Dutch police is unlikely to use CFAA against people. Shouldn’t Dutch law be more relevant to this than the American one? Or are they expected to be sent to the USA?

  5. Sam Varghese

    This is a media query, Brian. It was also sent to you on Twitter. How come you have not given any reason for taking down your story on the Shadow Brokers NSA link being a man of Russian origin? Does this mean the source, InGuardians, fed you bogus data? If so, how come a so-called veteran security reporter like you got taken in? And does journalism not teach you to be transparent with your readers?

    1. anonymous

      Sam, why does your profile on itwire link to an Australian lawyer website when it clearly says it’s a personal blog? You appear to be asking questions that are loaded, without any concern as to what the reply is, other than just an opportunity to sling mud. Is that how you define journalism?

  6. trumpthechump

    Sam looks like a dyed in the wool Wikileaks supporter who enjoys trashing Sen. Clinton. No way he’d be a liar, sorry, lawyer

    https://sams-blog.com/

    Spend some time reading Sammie’s personal blog and you’ll see his “journalism.” He believes Communism just “works,” defends Wikileaks to his grave, and is a Trump apologist. Shocking!

  7. buzz

    haveibeenpwned is just as bad as leakbase

    hackers use it to conduct ‘open source recon’

    the site allows any email to be searched (it does not have to belong to the user of the site) and informs the user where to go and look to find the corresponding password.

    there are many hacking blogs, articles and guides that specifically detail this process of stealing someone’s password which utilise haveibeenpwned as a tool for crime.

    therefore haveibeenpwned is used also for the “furtherance of a crime”

    1. BrianKrebs Post author

      “many hacking blogs, articles and guides that specifically detail this process of stealing someone’s password which utilise haveibeenpwned as a tool for crime?” Really? Please provide at least one link to back up your claim.

      1. buzz

        I could say… “hacking blogs, articles, guides and software”

        here is an example of software incorporating haveibeenpwned for leveraging stolen information:

        https://spreadsecurity.github.io/2016/08/01/open-source-web-reconnaissance-with-recon-ng.html

        relating article: https://www.codemetrix.net/practical-osint-recon-ng/

        “leverages haveibeenpwned.com API to determine if email addresses are associated with breached credentials, while the other one uses the API to determine if email addresses have been published to various paste sites”

        “All these informations can be useful during next phases of the attack, especially for Social Engineering (we will look into this technique in future articles).”

        As a security researcher myself I’ve always been shocked that other colleagues in the field promote the site given the HUGE flaw in security that allows anyone to search for anyone else’s credentials (in this case albeit only where to go and look to find them… then found in less than 20 seconds by anyone with two brain cells) and/or set up API to automate that process for criminals.

        Thanks Troy!

        1. BrianKrebs Post author

          Thanks for following up with the links. For my part, I do not see HIBP in the same league as sites that *sell* this data plus corresponding passwords to anyone. Letting people know their email address shows up in a data dump is a far cry from providing that password dump, helping people crack passwords, etc. Some of these leaked databases are indeed easy to find, but others are far more challenging, and this is as it should be.

          1. buzz

            Haveibeenpwned would provide a great service if it only permitted the owners of the searched emails to find the location of their leaked data.

            there are still many people who are unaware of its existence and they are being looked up there without their knowledge or consent.

            To allow anyone and everyone to search that information is a big problem.

            The fact that criminals use the site as part of a process is a very big problem.

            The most fundamental starting block in any attack (not just in the cyber realm) is the ACQUISITION of a target. You cannot attack something you cannot see.

            Haveibeenpwned lights us all up on the battlefield with huge glowing neon instructions of how to attack us and where.

            1. LongTimeLurker

              HIBP could resolve Buzz’s issue with it very easily by providing the location where the data came from via a maximum of 1 email per associated email address per day instead of to whomever asks. This way the fraudsters stealing people’s data would only have an affirmative – yes it was leaked ‘somewhere’ but they wouldn’t know ‘where’ unless they had already pwnd the target’s email.

  8. I.T. Guy

    “if prosecutors could show these services intended for the passwords that are for sale on the site to be used in the furtherance of a crime.”
    Whoa. That’s a scary proposition if applied elsewhere in law.
