LeakedSource’s Demise: Lessons Learned (InfoRiskToday)

Paid breach notification site LeakedSource, which gained notoriety for selling access to stolen credentials, has disappeared.

“I don’t think it’s a surprise twist, I think it’s the inevitable conclusion that we knew was going to come – it was just a question of when it would come,” says Australian developer Troy Hunt, who runs the free Have I Been Pwned? breach notification service. “We’re not sure yet whether law enforcement took them down, or someone else hacked them, or whether they went to ground for other reasons. What we do know is that it definitely disappeared. They’re off the face of the earth.”

The takedown makes for an interesting comparison between LeakedSource and Hunt’s service. Notably, his free service only lists email addresses contained in public data dumps. Hunt says he’s been careful to avoid ever distributing passwords, as well as to handle information from sensitive data breaches with extreme discretion – now only emailing affected users directly and not publishing that information.

In an audio interview at the RSA Conference 2017 in San Francisco, Hunt also discusses:

  • The apparent demise of LeakedSource and a report into a potential administrator’s identity;
  • Why Hunt destroyed data a hacker had obtained from toymaker VTech;
  • Questions of jurisdiction when it comes to notifying breach victims;
  • Balancing data breach notifications with corporate accountability.

Hunt is an author for tech learning site Pluralsight and a Microsoft regional director and “most valued professional” specializing in online security and cloud development. A frequent speaker at conferences around the world, he also runs workshops focusing on how to build more secure software within organizations. He previously served in a variety of technology architecture roles at Pfizer and was a technical leader for ICE Interactive and a senior developer at Proxicom.

Source: SANS ISC SecNewsFeed @ February 24, 2017 at 01:48PM