WeLeakInfo.com, A Domain That Sold Access to Private Data, Has Been Seized by the FBI
We all know that cybercriminals buy and sell stolen personal data every day, and we try to convince ourselves that we've done enough to ensure that our own information doesn't end up in the wrong hands. Although many of us don't know the actual cost, we tend to wrongly assume that crooks pay significant amounts of money for our personal information, but an online service by the name of WeLeakInfo.com revealed that this is not really the case.
Thankfully, enterprising wannabe cybercriminals on a budget will be disappointed to find out that WeLeakInfo is no more. Yesterday, the Federal Bureau of Investigation seized the domain after an international investigation revealed that the website was involved in illegal activities. The operation involved the cybercrime units of law enforcement agencies in the US, the UK, the Netherlands, and Germany, and in addition to taking the website down, it also resulted in the arrests of a couple of 22-year-olds in Northern Ireland and the Netherlands. Let's see how they ended up in this mess.
What did WeLeakInfo do?
WeLeakInfo used to advertise itself as a data breach alert service. Its homepage was dominated by a rather big search field in which you would enter your username, email address, password, or other personal details. The information you entered would then be checked against a huge collection of databases stolen and leaked during data breaches at various organizations, and if there was a match, the service would let you know. According to WeLeakInfo's Twitter profile (which is still live at the time of writing), the website's operators managed to collect a whopping 12 billion records leaked during no fewer than 10 thousand data breaches. Is there anything morally or legally wrong about the whole operation?
If it's done properly, this sort of service can help people improve their online security. In fact, Troy Hunt, one of the most influential names in the cybersecurity industry, owes a not-insignificant part of his fame to a similar platform called HaveIBeenPwned, which he launched in 2013. Like WeLeakInfo, HaveIBeenPwned lets users check whether their personal details (email address and password in the case of Hunt's service) have been exposed during a data breach. On the face of it, the two services are pretty much identical.
Why, then, did one of them bring its owner a celebrity-like status, while the other put its alleged operators in handcuffs?
Why was WeLeakInfo shut down?
One of the reasons HaveIBeenPwned is so successful is that it has numerous mechanisms designed to keep data breach victims' privacy as safe as possible. WeLeakInfo, on the other hand, was making money out of the victims' data.
The seized website offered three paid subscription plans, which gave customers an all-access pass to the enormous data corpus on which the service was based. In other words, anyone with a few spare dollars in their pocket could go to WeLeakInfo, pay for a plan, and search through and download as many of the 12 billion stolen records as they wanted. The only limiting factor was time, and it depended on the plan the customer picked. The cheapest subscription gave WeLeakInfo customers access to the data for just one day, but there were also plans for a week, a month, and three months.
There are still some unknowns. It's not clear, for example, whether all 12 billion records contained passwords. We also have no idea what portion of the passwords were stored in plaintext. Citing the ongoing investigation as a reason, the law enforcement agencies declined to provide any details on WeLeakInfo's popularity, which means that it's difficult to estimate how big the potential damage is. The police raid can be a pretty good indicator, however, that the danger was very real.
By busting the WeLeakInfo operation, the cybercrime-fighting agencies also gave us a good idea of how much the stolen data of unsuspecting internet users actually costs. WeLeakInfo's most expensive plan gave subscribers access to 12 billion stolen records for a total of three months, and it cost $70. This, in case you haven't calculated it yet, amounts to less than $0.80 per day.