Ever wonder what happens to your information once it is exposed in a data breach? In most cases, the data is put up for sale to cybercriminals operating in the dark web — the black market of the internet where individuals can act privately and anonymously, and which requires specific “dark web browsers” to access. But one website was designed to house stolen data on the surface, bringing it out of the dark web and putting it at the fingertips of anyone who performed a simple search — starting as low as $2!
On January 16, 2020, the U.S. Department of Justice (DOJ) announced the FBI had seized weleakinfo.com, a website that allegedly gave low-skilled hackers with a standard internet browser access to a search engine containing 12 billion records collected from 10,000 data breaches. The Personally Identifiable Information (PII) within the database included names, email addresses, usernames, phone numbers, and passwords for millions of online accounts belonging to data breach victims.
Recommended For You Webcast, March 5th: How AI Can Find Opportunities and Shorten Your Sales Cycles
How WeLeakInfo.com Worked
Modeled as a subscription service starting at $2 per day, interested parties around the world could perform unlimited searches for stolen and exposed user data within the WeLeakInfo.com database. The subscription periods ranged between one day and three months — all for a low price — making it highly accessible to hackers of any skill set looking to make a quick purchase without going through the layers of the dark web.
The Dangers of Sites Like WeLeakInfo.com
With access to individuals’ personal information, hackers will deploy malware through phishing scams, targeting those with exposed emails. Since many people tend to use the same passwords for multiple accounts, scammers will use credential stuffing attacks to access other accounts belonging to the same individuals. In November of 2019, Disney+ exposed passwords were used to log into the newly launched site, causing users to be locked out of their accounts.
Law enforcement in the U.S., UK, the Netherlands, Germany, and Northern Ireland have been working together, confirming individuals involved in running the illegal website have been arrested outside of the U.S. Shutting down this type of criminal activity is a major step in reducing cybercrime, but it is uncertain how many other sites like WeLeakInfo.com exist. It’s also unnerving to know that stolen data can be so easily obtained through such “surface web” platforms by even the least tech-savvy hackers.
Tips to Protect Your Personal Information
- Audit Your Login Credentials. Be sure you aren’t using the same password for multiple accounts and change your passwords for all accounts regularly — even monthly. Consider using a password manager tool to keep your login credentials in one secure location.
- Enable Two-Factor Authentication. Two-Factor Authentication (2FA) helps protect your online accounts from unauthorized access. With 2FA, you use something you know (your username and password) and something you have (a one-time code sent to your phone) to verify your identity and log in to your account.
- Never provide login, personal or financial information on unsecured sites. Look for “https://” at the beginning of the web address and the lock icon next to it to ensure you’re visiting a secured site.
- Monitor Social Media Accounts. Imposter accounts and account takeovers through social media can lead to fraudsters scraping personal information, targeting you and your connections through social engineering, then buying and selling your personal information on the Dark Web.