Data hoarding site represents the dark side of data breach monitoring

LeakedSource, a giant repository online that stores stolen databases, can potentially make hacking easier

A site that's been warning the public about data breaches might actually be doing more harm than good.

Enter LeakedSource, a giant repository online that can potentially make hacking easier. Your email address and the associated Internet accounts -- including the passwords -- are probably in it.

In fact, the giant repository is made up of stolen databases taken from LinkedIn, Myspace, Dropbox, and thousands of other sites. It bills itself as a data breach monitoring site and for months now, it's been collecting details on hacks, both old and new, and alerting the media about them.

But the repository also features something that might be illegal: a search function that can look up all the stolen information. It’s also why LeakedSource is probably becoming a tool for novice hackers.

A hacking resource

For US$2 a day, a subscriber at LeakedSource can enter an email address or username and find details on which internet accounts it was used to register with. Not only that, LeakedSource will crack the associated passwords when it can.

The search function has made it popular on, what one Reddit user described as a breeding ground for script kiddies. A number of threads at the forum mention how LeakedSource can be used for hacking.

One user, for instance, is offering an ebook for $8 on that very topic. Others are offering advice on how to use LeakedSource as a way to hack a social media account or to dox someone and dump the person’s files online.

“Ever wanted to be an elite hacker and show off?” wrote one user. “Here’s a small tutorial on how to break into a Youtuber’s account using a database looking up tool called: LeakedSource.”

On Monday, LeakedSource declined to answer questions about the legality of the site. The operators behind the service remain anonymous, but they say they don't condone any hacking.

However, as far back as October 2015, LeakedSource appears to have begun promoting itself on When asked about this over email, LeakedSource didn't directly respond.

Instead, the site's operators claim that all the information they store and index is already available on the internet.

"Before people start pointing fingers at us, anyone is free to download well over a billion records from the clear web," LeakedSource said in an email that included links to stolen databases taken from Myspace and LinkedIn.

Legal concerns

The site has also said it's not responsible for any data breaches. It merely collects the stolen databases, often by searching through the Dark Web, or by receiving them from anonymous hackers, LeakedSource has said.

"Many of (the hackers) like what we do, some want to draw publicity to themselves and others don't want their 'enemies' to be able to profit off selling data," it said in an earlier email. 

But even as it may not have been involved in any hacking, legal experts say the site's activities can still be seen as a crime.

Posting stolen passwords on the site can be considered a form of wiretapping, said Susan Freiwald, a law professor at the University of San Francisco. The Electronic Communications Privacy Act prohibits the dissemination of any device that can be used for "surreptitious interception."

She questioned why a site -- that claims to protect users' data -- offers a search function that can crack stolen passwords or look up someone else's information.

"If the whole goal of the site is to warn me, it should never give out my password," she said. "I think this is very suspicious. It doesn't make sense."

The site is essentially making money off of people's stolen data -- and potentially giving hackers a useful way to target victims with what services and user screen names they use, added Christopher Dore, a lawyer with the Edelson law firm.

"They are taking this too far, and monetizing this in a way that's dangerous for consumers," he said. Government regulators, including the Federal Trade Commission, might take notice and want to intervene, he added.

Ongoing risks

Internet users don't necessarily need to panic. Many of the databases stored on LeakedSource are years old and might pertain to internet accounts that are no longer in use.

For example, the LinkedIn database on file comes from 2012, and the company has already reset the stolen passwords affected. In other cases, the databases on file only contain hashed passwords that are almost impossible to crack. 

But even so, that doesn't mean the stolen data is useless. The biggest danger is that less tech-savvy users are re-using the same passwords across multiple internet accounts and forgetting to change them. 

Internet users concerned with their privacy appear to be alarmed. After LeakedSource became widely publicized in the media, it was overwhelmed with requests from users wanting their information to be taken down from the site.

"Our Contact form volume has increased by a multiple of 100 from removal requests and we are unable to read other potentially important messages," LeakedSource said at the time. 

Users can still remove themselves from the LeakedSource site by visiting the site's removal page.

When warning the public about data breaches, there's a danger of posting too much information, said Troy Hunt, an Australian software architect who runs a breach monitoring service called His site routinely collects new databases as well.

Unlike LeakedSource, however, his site doesn't offer any paid search to look up passwords, and for good reason. "As much as there’s potential to improve the state of online security, there’s also the risk of making it worse," he said in an email.

His own site continues to evolve, to prevent Haveibeenpwned from revealing sensitive details on users. 
