January 15, 2018

Canadian authorities have arrested and charged a 27-year-old Ontario man for allegedly selling billions of stolen passwords online through the now-defunct service Leakedsource.com.

The now-defunct Leakedsource service.

On Dec. 22, 2017, the Royal Canadian Mounted Police (RCMP) charged Jordan Evan Bloom of Thornhill, Ontario for trafficking in identity information, unauthorized use of a computer, mischief to data, and possession of property obtained by crime. Bloom is expected to make his first court appearance today.

According to a statement from the RCMP, “Project Adoration” began in 2016 when the RCMP learned that LeakedSource.com was being hosted by servers located in Quebec.

“This investigation is related to claims about a website operator alleged to have made hundreds of thousands of dollars selling personal information,” said Rafael Alvarado, the officer in charge of the RCMP Cybercrime Investigative Team. “The RCMP will continue to work diligently with our domestic and international law enforcement partners to prosecute online criminality.”

In January 2017, multiple news outlets reported that unspecified law enforcement officials had seized the servers for Leakedsource.com, perhaps the largest online collection of usernames and passwords leaked or stolen in some of the worst data breaches — including three billion credentials for accounts at top sites like LinkedIn and Myspace.

Jordan Evan Bloom. Photo: RCMP.

LeakedSource in October 2015 began selling access to passwords stolen in high-profile breaches. Enter any email address on the site’s search page and it would tell you if it had a password corresponding to that address. However, users had to select a payment plan before viewing any passwords.

The RCMP alleges that Jordan Evan Bloom was responsible for administering the LeakedSource.com website, and earned approximately $247,000 from trafficking identity information.

A February 2017 story here at KrebsOnSecurity examined clues that LeakedSource was administered by an individual in the United States.  Multiple sources suggested that one of the administrators of LeakedSource also was the admin of abusewith[dot]us, a site unabashedly dedicated to helping people hack email and online gaming accounts.

That story traced those clues back to a Michigan man who ultimately admitted to running Abusewith[dot]us, but who denied being the owner of LeakedSource.

The RCMP said it had help in the investigation from The Dutch National Police and the FBI. The FBI could not be immediately reached for comment.

LeakedSource was a curiosity to many, and for some journalists a potential source of news about new breaches. But unlike services such as BreachAlarm and HaveIBeenPwned.com, LeakedSource did nothing to validate users.

This fact, critics charged, showed that the proprietors of LeakedSource were purely interested in making money and helping others pillage accounts.

Since the demise of LeakedSource.com, multiple, competing new services have moved in to fill the void. These services — which are primarily useful because they expose when people re-use passwords across multiple accounts — are popular among those involved in a variety of cybercriminal activities, particularly account takeovers and email hacking.

31 thoughts on “Canadian Police Charge Operator of Hacked Password Service Leakedsource.com

  1. Todd

    Is it yet known, or speculated, if he was the original source of the hacks or merely a middle-man “reselling” the credentials?

    1. Anon

      A reseller, in no uncertain terms – especially within the context of the more severe breaches like LinkedIn, MySpace.

  2. IRS iTunes Card

    Where is the excuse of Jordan Evan Bloom having autism ?

    1. Anonymous

      The username was probably intended to discriminate against those with autism spectrum disorder.

  3. Somedude

    “…made hundreds of thousands of dollars selling personal information”
    Kind of like how the credit reporting companies sell my info to marketers without my permission, who then send me snail mail YOU ARE PRE APPROVED credit card offers pretty much every day, but they get away with it. Still, hope this guy gets an appropriate sentence instead of a slap on the wrist. Hope even more that the credit agencies are brought to task for them doing basically the same thing.

    1. hal

      check out OptOutPresScreen.com

      You can opt out of receiving credit card solicitations for a period of 5-years (or permanently).

      This at least keeps the big 3 from sending your info to credit lending agencies. That said, you may still receive solicitations if your info was acquired by other means.. but it should greatly reduce the number. I did it, and I have received less of them.

  4. loop

    people want to earn decent money,and want to live decent life.
    but we should ask if its right to do with other people suffering?
    but are they really suffer if they dont take hit,but the credit card company himself.

    1. Joaquin Tall

      “…but are they really suffer if they dont take hit,but the credit card company himself.”

      In the final analysis, it is the consumer at large that always pays for cyber crime with higher fees/prices from the affected banks, credit card companies, retail outlets, etc.

      1. maggotification

        Besides the fact that it’s the consumers who end up paying for it, there’s also the fact that the credit card company is owned by people.

        It’s owned by people, it’s run by people, it pays peoples wages. You cannot steal from a company, you’re stealing from the people who should rightfully own that money.

        1. Quinn

          “Corporations are people too, my friends!” – Mitt Romney LOL please give me a break. I’ll start defending credit card companies when they start taking online security as seriously as they should be in this day and age.

    1. Don Clifton

      lol I always picture that scene from the Untouchables when they come down the hill charging across the bridge.

    2. ferrari

      i was in prison in canada,
      for fraud reason.
      i did emt transfers i got logs from my connection.
      i m not sure if money transfers people do work in canada.
      i think over usa more jobs,me personally never worked with usa,things.
      i was carder

  5. ferrari

    i think old guys who use to do carding business are not so active anymore,and they dont do fraud jobs much anymore…i mean related with transfers. money transfers.
    i think people dont work with this anymore !!
    im kinda lost many good guys contacts too.
    but i think they dont work with transfers,anymore.
    too much security i think people move in to other fields of business and money making area:I

  6. Craig

    Correct me if I am wrong, but weren’t all those accounts and passwords dumped onto the “public domain” internet? Couldn’t I hitup usenet and download most of them right now? So all this guy did was to organize already public information and then charge people to access that organization? Creepy maybe, but considering we let companies like Equifax and Insurance companies get away with it all the time, illegal? At least this guy was secure with the unauthorized information he was peddling.

      1. Bob

        Possession of stolen data or formerly confidential information has been dealt with by the Supreme Court of Canada and is not illegal to have therefore not illegal to sell.

        …”the property must be capable of being taken or converted in a manner that results in the deprivation of the victim. Confidential information does not fall within that definition. ”

        Making or having a copy of such data doesn’t deprive the original owner.

        1. I

          The case you’re quoting (R. v. Stewart) is 30 years old, predates the Internet, and deals with an entirely different section of the Criminal Code.

          Let’s all leave the lawyering to the lawyers.

      1. Joe

        I am in awe once again of Canadians. Your apology shows your true loyalty and patriotism. Unlike what we have here south of the border.

        Thank YOU!

  7. James Brian

    “Since the demise of LeakedSource.com, multiple, competing new services have moved in to fill the void.”

    Some names?

  8. KrebsBrian

    I helped develop one of the services you hinted to at the end of the article (snusb***), and as far as we’ve been able to discover with the help of a legal council, there’s nothing illegal about database lookups themselves. As long as the site has zero involvement with the criminals that got access to the database in the first place its well protected under the first amendment, as re-affirmed by a number of supreme court cases relating to the broadcasting of illegally obtained recordings, etc.

    I’m not familiar with Canadian law, but did your sources mention anything about the law he was charged under, or if it was related to their exclusive access to the ESEA dump?

    1. Brian Fiori (AKA The Dean)

      Keep in mind, the lawyers don’t serve the time with you, if they are wrong in their assessment.

      I might also suggest you remember if “Well, it isn’t illegal” is your best answer to why you engaged in clearly questionable behavior, what you are doing is probably unethical.

    2. your next

      Sounds like your up next my friend . Do you have a nice car you can pose with ?

  9. Tilesbay

    I love it when Canadian police on horseback catch cybercriminals!!

  10. Gigi

    Sorry, KrebsBrian, here’s how you find out that what you did is/was illegal. Case law is made daily and is very fluid, and highly dependent on local jurisdictional interpretation and implementation. Your situation will become the basis for case law if the powers that be so decide. So:
    1) You seek legal counsel for said planned/current activity: you are told “yes”, you have engaged in a potential criminal activity or have incurred potential liability. You need to hire a lawyer now to mitigate your problem; or
    2) You seek legal counsel for said planned/current activity: you are told “probably not, but we can’t be certain – you are at risk”. You need to hire a lawyer now to mitigate a potential problem. (Lawyers don’t get paid for telling you “No, you don’t have a problem” – at least not for very long); or
    3) You end up the subject of an inquiry, investigation, lawsuit, charge/indictment, arrest and need to hire a lawyer at exorbitance hourly rates to save your ***; or
    4) Years and thousands of $$’s later a judge/jury or a prosecutor deal resolves the first round of the “problem” at the lowest jurisdictional level. Your case may or may not have established new case law and be guilty or not guilty (at least temporarily) depending on;
    5) How many rounds of political and jurisdictional levels (new agencies, new lawsuits, new victims, appeals, probationary terms, and so on) your case (or other simultaneous cases like it) occur and;
    6) At some point, you run out of money, time, or energy or the powers that be nail you.

  11. Kyle Warner

    I am giving an email that is not current, because I wish to comment on here. My email was hacked several years ago. I was locked out. Since then, every time I have tried to open an email in various locations, I am locked out, before I can use it. Could this being locked out have anything to do with this kind of criminal activity? Could there be a crime BY law enforcement, designed to OBSTRUCT JUSTICE and rob me of my civil rights? Are there any safeguard against such a thing. Please comment, if you can.

Comments are closed.