The FBI has seized the domain of WeLeakInfo.com, a website that claimed to have more than 12 billion user records on sale that had been exposed in data breaches.
For as little as $2 per day, hackers could search the name, email or username of a person and be presented with any data that had been leaked about them.
In some cases, this included cleartext passwords, which cybercriminals could use in the hope that their target had reused the same password across multiple accounts, known as credential stuffing.
While the site purported to be a genuine tool for security researchers, law enforcement deemed it illegitimate.
A multinational effort saw WeLeakInfo taken down by the FBI, NCA, Politie, Department of Justice, Police Service of Northern Ireland and Bundeskriminalamt.
WeLeakInfo one of many sites selling passwords
The domain was seized by the authorities on 15 January, with visitors to the site now met with a notice stating:
How well do you really know your competitors?
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
“The domain for WeLeakInfo has been seized by the Federal Bureau of Investigation pursuant to a seizure warrant issued by the United States District Court for the District of Colombia.”
On Wednesday police in the Netherlands and Northern Island arrested two 22-year-old men believed to be connected to WeLeakInfo.
The site, which aggregated data from more than 10,000 breaches, is not the only one to offer such a service.
“This site is one of many offering a similar service on the dark web so even with this site out of action, this is by no means the last of it,” said Jake Moore, cybersecurity specialist at ESET.
Robert Ramsden-Board, VP EMEA at Securonix, said:
“The internet is far-reaching; therefore, cybercrime and its impact on businesses and individuals is rarely contained within one nation. So, collaboration between the US, UK and other nations’ law enforcement organisations is a critical step towards effectively tackling cybercrime.”
Moore recommended that users do not use predictable or simple passwords across multiple accounts:
“My advice is to use a password manager to store your uniquely different passwords robustly online so you don’t have to remember them all. Implementing 2FA will also help reduce this risk even if your password is compromised.”