Over the last week, several news agencies and security researchers have commented on the apparent FBI raid of LeakedSource. If you’re not familiar with the situation, this article from CSO covers it well. LeakedSource sold credentials (including passwords) to anyone that wanted to purchase them. This single aspect of their offering is enough to create much legal angst.
Intent and Responsible Behavior. Government officials and legal teams use intent to help determine honorable vs criminal. Usually, the more transparent a company is, the easier it is to determine intent. Apparently, LeakedSource’s intent, other than financial gain, was less than clear, leaving them exposed to legal scrutiny. Irresponsible handling of information (not treating the passwords as sensitive information) left them vulnerable to creative use of their deliverables by nefarious actors. Criminals, pranksters, and jealous lovers could purchase credentials from LeakedSource and use them in malicious ways – a huge business risk. Given these aspects, it’s not a total surprise that the site was supposedly raided.
Responsible Disclosure and Handling
SpyCloud follows a responsible disclosure and handling process. We will share the actual passwords for exposed credentials, but ONLY with the owner of the email, the authorized owners of a company domain, or a legitimate security service provider that will notify their users of exposed credentials.
Check out our FAQ page on the portal for details regarding our handling of sensitive information.