An actor claimed to have registered one of the domains of WeLeakInfo, accessed details of 10000+ WeLeakInfo’ s customers, and leaked it.
WeLeakInfo.com was a data breach notification service that was allowing its customers to verify if their credentials been compromised in data breaches. The service was claiming a database of over 12 billion records from over 10,000 data breaches. In early 2020, a joint operation conducted by the FBI in coordination with the UK NCA, the Netherlands National Police Corps, the German Bundeskriminalamt, and the Police Service of Northern Ireland resulted in the seizure of the WeLeakInfo.com domain.
After the seizure of the service in January, two men, one in the Netherlands and another in Northern Ireland, were arrested.
On January 2021, NCA arrested 21 people in the UK as part of an operation targeting customers of WeLeakInfo service that advertised stolen personal credentials.
Data breach notification services is a profitable business, visitors pay a fee to access data exposed in past data breaches. A subscription fee ranges from a $2 trial to a $70 three-month unlimited access account and allows users to search for any data in the archive managed by the companies.
This is quite different from services that only alert individuals when their data are exposed in a data breach and that for this reason are considered legal.
Data breach notification services like WeLeakInfo are a mine for threat actors that could gather information on their targets before launching a cyber attack.
Security experts from Cyble noticed that an member of a hacking forum claimed to have registered one of the domains of WeLeakInfo, wli.design, which was registered again on March 11 2021.
Then the actor created an email address for the domain and used it to access the account of the cybercrime group registered on the payment service Stripe. The access to the Stripe account allowed the actor to access customers’ details, including email, address, partial card details, and purchase history.
“The WeLeakInfo operators allegedly used the domain’s email address for payments via Stripe, the actor claimed. The actor claimed to have registered the domain and then created an email address on the registered domain used in their Stripe account gaining access to WeLeakInfo customers’ details.” reads the post published by Cyble.
“Upon access to WeLeakInfo’s Stripe account, the actor allegedly gained access to their customers’ details (including email, address, partial card details, purchase history and others).”
One of the files leaked by the actor, named “top_customers.csv,” includes a total of 100 personal and “maybe professional” email addresses, while another file includes buyers’ addresses and partial details of their credit cards.
(SecurityAffairs – hacking, weleakinfo)