March 22, 2024

The nonprofit organization that supports the Firefox web browser said today it is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by KrebsOnSecurity forced Onerep’s CEO to admit that he has founded dozens of people-search networks over the years.

Mozilla Monitor. Image Mozilla Monitor Plus video on Youtube.

Mozilla only began bundling Onerep in Firefox last month, when it announced the reputation service would be offered on a subscription basis as part of Mozilla Monitor Plus. Launched in 2018 under the name Firefox Monitor, Mozilla Monitor also checks data from the website Have I Been Pwned? to let users know when their email addresses or passwords are leaked in data breaches.

On March 14, KrebsOnSecurity published a story showing that Onerep’s Belarusian CEO and founder Dimitri Shelest has launched dozens of people-search services since 2010, including a still-active data broker called Nuwber that sells background reports on people. Onerep and Shelest did not respond to requests for comment on that story.

But on March 21, Shelest released a lengthy statement wherein he admitted to maintaining an ownership stake in Nuwber, a consumer data broker he founded in 2015 — around the same time he launched Onerep.

Shelest maintained that Nuwber has “zero cross-over or information-sharing with Onerep,” and said any other old domains that may be found and associated with his name are no longer being operated by him.

“I get it,” Shelest wrote. “My affiliation with a people search business may look odd from the outside. In truth, if I hadn’t taken that initial path with a deep dive into how people search sites work, Onerep wouldn’t have the best tech and team in the space. Still, I now appreciate that we did not make this more clear in the past and I’m aiming to do better in the future.” The full statement is available here (PDF).

Onerep CEO and founder Dimitri Shelest.

In a statement released today, a spokesperson for Mozilla said it was moving away from Onerep as a service provider in its Monitor Plus product.

“Though customer data was never at risk, the outside financial interests and activities of Onerep’s CEO do not align with our values,” Mozilla wrote. “We’re working now to solidify a transition plan that will provide customers with a seamless experience and will continue to put their interests first.”

KrebsOnSecurity also reported that Shelest’s email address was used circa 2010 by an affiliate of Spamit, a Russian-language organization that paid people to aggressively promote websites hawking male enhancement drugs and generic pharmaceuticals. As noted in the March 14 story, this connection was confirmed by research from multiple graduate students at my alma mater George Mason University.

Shelest denied ever being associated with Spamit. “Between 2010 and 2014, we put up some web pages and optimize them — a widely used SEO practice — and then ran AdSense banners on them,” Shelest said, presumably referring to the dozens of people-search domains KrebsOnSecurity found were connected to his email addresses (dmitrcox@gmail.com and dmitrcox2@gmail.com). “As we progressed and learned more, we saw that a lot of the inquiries coming in were for people.”

Shelest also acknowledged that Onerep pays to run ads “on a handful of data broker sites in very specific circumstances.”

“Our ad is served once someone has manually completed an opt-out form on their own,” Shelest wrote. “The goal is to let them know that if they were exposed on that site, there may be others, and bring awareness to there being a more automated opt-out option, such as Onerep.”

Reached via Twitter/X, HaveIBeenPwned founder Troy Hunt said he knew Mozilla was considering a partnership with Onerep, but that he was previously unaware of the Onerep CEO’s many conflicts of interest.

“I knew Mozilla had this in the works and we’d casually discussed it when talking about Firefox monitor,” Hunt told KrebsOnSecurity. “The point I made to them was the same as I’ve made to various companies wanting to put data broker removal ads on HIBP: removing your data from legally operating services has minimal impact, and you can’t remove it from the outright illegal ones who are doing the genuine damage.”

Playing both sides — creating and spreading the same digital disease that your medicine is designed to treat — may be highly unethical and wrong. But in the United States it’s not against the law. Nor is collecting and selling data on Americans. Privacy experts say the problem is that data brokers, people-search services like Nuwber and Onerep, and online reputation management firms exist because virtually all U.S. states exempt so-called “public” or “government” records from consumer privacy laws.

Those include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, and bankruptcy filings. Data brokers also can enrich consumer records with additional information, by adding social media data and known associates.

The March 14 story on Onerep was the second in a series of three investigative reports published here this month that examined the data broker and people-search industries, and highlighted the need for more congressional oversight — if not regulation — on consumer data protection and privacy.

On March 8, KrebsOnSecurity published A Close Up Look at the Consumer Data Broker Radaris, which showed that the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

On March 20, KrebsOnSecurity published The Not-So-True People-Search Network from China, which revealed an elaborate web of phony people-search companies and executives designed to conceal the location of people-search affiliates in China who are earning money promoting U.S.-based data brokers that sell personal information on Americans.

29 thoughts on “Mozilla Drops Onerep After CEO Admits to Running People-Search Networks”

  1. RipNoLonger

    Good for you, Brian. And thanks.

    I prefer Firefox because of its non-dependence on google’s chromium and its vast ecosystem of helpful add-ons. But when it starts to make these types of very sketchy business associations it tarnishes its reputation highly. Trust is hard to earn back.

    1. Catwhisperer

      Chromium is available as an open source project. Which is to be differentiated from Google Chrome which is Google’s proprietary browser based on Chromium.

      1. G.Scott H.

        Chromium is still very Googley, which explains why there are ungoogled versions of chromium. Mozilla has received significant funding from Google. Talk about sketchy business associations.

        I think very few knew how bad Onerep was. Brian Krebs is doing the world a great service in these types of investigative reports. Bravo to Mozilla for heeding the writing on the wall provided by Mr. Krebs rather than the more typical sticking to the guns no matter how wrong something may be.

      2. Mwah

        Oh you poor thing, you haven’t learned about blobs yet.

        Chromium particularly was caught installing Google blobs after the user installation, and then turning on people’s microphones. Google said this was a mistake and an accident, and people just accept that. As if programming and hiding a secret proprietary blob into an open source project, installing without user consent, and then spying on people is just a “whoopsie”.

        Alas, people move on and act like Google is their friend. Chromium is not your friend until it can be compiled with 0 Google “blobs”.

        1. Mahhn

          New movie (remake); Attack of the Blob. Just when humans thought they had beaten it, they realized it was goog inside all along, and the world was already being devoured.

      1. Catwhisperer

        When I installed Vivaldi a few months back to try it out, within the hour I was seeing traffic to .ru domains. I could only tell because I run Etherape continuously. What is up with .ru domains in the background? No thanks. Neither Chromium nor Firefox do that kind of background connectivity to .ru domains. Nor to .cn domains for that matter, unless actually browsing there.

        1. Tibor G Balogh (KG6AFF)

          I found dd-wrt [network devices replacement operating system linux] very helpful for refusing connections to anywhere I don’t want and shaping connections to rules I create…
          like
          address=/.ru/127.0.0.0
          and
          iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
          and
          much much more to list here…
          -tibor

          1. Fr00tL00ps

            Exactly this. If you are anxious enough to closely monitor all your own personal network traffic, you’d be remiss not to implement a separate device/container and actively refuse or shape suspicious connections. pfSense, OPNsense and NethServer are also good open source options.

    1. Anon

      Opera, the one that has been owned by a Chinese company for a while now? That Opera?

    2. mealy

      This has really nothing to do with the browser offered by the same company.
      People making loose associations tend to be scat artists.

    1. mealy

      This isn’t a browser security issue or story. It’s important to realize that up front here.

  2. Marcus Aurelius Tarkus

    Brave? Seriously, is there any even marginally-safe browser left?

    1. RobFree

      Brave is great but doesn’t work with every site. They are too secure in my opinion. But if you’re okay with site breakage, definitely worthy of the pains to follow. Tried it. Don’t like it.

  3. John

    Another stain on Mozilla. But then again they benefit mostly from their deal with Google on search. Can’t get much worse than that. Just shows that money drives all decisions.

    1. mealy

      * You can easily change the default search engine to DDG or whatever you like.
      I’m not sure if goog (#1 rated search, like them or don’t) as a default is “evil”?

      It’s unfortunate but not a result of systemic corporate moral failing per se.
      They removed any association with this service (unrelated to either browser)
      upon being notified, and granted there is room to criticize the diligence overall here,
      but falling for 3rd party vendors’ deceptions isn’t exactly a unique problem.
      How many 3rd parties related to alphabet could be exposed as scams?
      n > 1

      1. RobFree

        DDG is known to also track and sell Data. They are no better. Using a good DNS query is where you can start. AdGuard helps as well. So no matter what browser, you have to do a little extra work. Quad9 is making waves. Look it up.

        1. mealy

          I’d take some issue with saying DDG’s data collection and alphabet’s are 1:1 similar.
          I don’t think that’s possible even as your point is made.

  4. RK

    So, do I get this right? The guy started dozens of people search networks, then started a paid service to remove people’s names from them? Is that his scam, or part of it?

  5. RobFree

    So the text in the photo of “Why We Do What We Do” – “…after hearing some trully scary stories of people being stalked after their private information…”

    I do not know of a word spelled “trully” and right off that typo is legit sketchy. Like if this guy was serious, proofread your campaign material dude. The way that entire message reads, it’s like someone who barely understands the English language. Total scammer/cheater language. Trully.

    IT’S TRULY.

  6. Peter Aretin

    Whipping up paranoia about people’s “privacy” has become a cottage industry in itself, targeting many of the same folk who disseminate endless personal details on social media. I think this privacy obsession preys on people’s deep seated fears that Mom will find out how much porn they’ve been viewing. As long as it doesn’t enable stealing money directly from my bank account, I don’t give a rodent’s arse whether anyone knows what websites “I” have visited. If they think this knowledge is valuable, they’re probably wrong.

    1. mealy

      To 3rd parties who are less interested in prudence as they are your financial details,
      it’s valuable to know which ads to offer to you in selling your “profile” to advertisers.
      If you’re a high worth individual or known to make big purchases, doubly/trebly.
      There are several free ways to avoid giving away (some) such information to *.*
      Either way would you rather more people have 100% access to your doings, or fewer?
      It’s a strange argument that because you have nothing to hide that no one else might.

      1. Fr00tL00ps

        “It’s a strange argument that because you have nothing to hide that no one else might.”

        You know it is concerning when I discuss digital privacy with people who are tech averse/illiterate and they take this exact stance. Problem is, everyone has something to hide, whether they know it or not.

        Here are 2 ‘privacy’ scenarios I share, in hopes it is enough for them to reconsider their position;

        1. You are in a hotel bedroom at night about to have a shower before bed. You glance at the windows, it’s dark out, so you can’t see anything outside. Do you shut the curtains before you undress? … Sure, there will be some who don’t care who sees them naked, but the vast majority of the population do care and WILL shut the curtains. Even IF there is no one looking.

        2. You have finished your shower and there is a knock on the door. It’s late and you’re not expecting guests. You look to see who it is and suddenly someone puts their hand over the peephole. Do you open the door? … Again, some will open the door but most WILL put the chain/double latch on and call reception.

        Notice the behaviour of the second scenario when someone feels threatened by a ‘perceived’ risk. They actively seek to protect themselves, it’s human nature. Unless they have been a victim, they will not change their behaviour. I’ve consulted many cyber victims, both corporate and private over the years, ranging from ransomware, identity theft and a myriad of scams/fraud and the one thing that remains constant, is the behaviour change after the fact. If people don’t want to change their behaviour, you can’t force them; until they become the victim, then it is too little too late. Here’s hoping OP never becomes the victim.

  7. punk rock warlord

    Shocked. I’m shocked to find another industry using the credit reporting agency (CRA) technique of both creating an enormous problem while also developing product to sell to help ‘fix’ the enormous problem.
    I.e. aggregating the mother of all personal info used to defraud retailers et al., then selling fraud detection and management services to retailers et al.
