The Royal Canadian Mounted Police has announced it has cuffed and charged a man for selling stolen identities and passwords at LeakedSource.com.
The site listed more than three billion records – some including passwords – that had been stolen in various data breaches and let users buy that data. It also offered advice on new data breaches. Controversially, the site sold the data without first attempting to verify whether purchasers had a right to the records, all while masking the identity of its operators.
That practice earned the site rolling battles with the law, which the Mounties (RCMP) revealed culminated in the December 22, 2017, arrest of a chap named Jordan Evan Bloom of Thornhill, Ontario.
Bloom appeared before Canadian courts on Monday, January 15, charged with crimes including “Mischief to Data” for “selling stolen personal identities online through the website Leakedsource.com”. Bloom’s alleged efforts are claimed to have earned C$247,000 (US$198,500, £144,000).
The Dutch national police and the United States Federal Bureau of Investigation helped the Mounties (RCMP) to make the bust, with the Canadians saying the case could not have been cracked without international collaboration.
LeakedSource.com is now offline. Similar sites like breachalarm.com and haveibeenpwned.com do not charge for access to data. The first-mentioned site does offer a paid alert service that informs customers when their email addresses appear in troves of stolen data.
Haveibeenpwned's Troy Hunt commented: "I’m really glad to see this, we need precedents in this industry of prosecutions due to malicious use of breached data. LeakedSource provided financial incentives for hackers to obtain data, removed cryptographic protections on the data (cracked passwords) and sold huge troves of extensive personal information, including my own."