Cybercrime Forum Leak Exposes User IP Addresses

Security Breach Exposes Leak Zone User IP Addresses
A forum known for the sharing of compromised databases, stolen login credentials, and illicit software was inadvertently revealing the IP addresses of its users to the public internet, as discovered by security researchers.
Leak Zone left an Elasticsearch database accessible online without password protection, according to a report from UpGuard. The researchers detailed their findings in a blog post shared with TechCrunch prior to publication, stating the database was identified on July 18th and its contents were openly available via any standard web browser.
Database Details and Scope
The exposed database contained over 22 million records, each documenting a user’s IP address and the precise time of their login to Leak Zone. Data within the database was current as recently as June 25th, and was being updated continuously.
Although the records did not directly identify individual users by name, the information could be leveraged to pinpoint users who accessed Leak Zone without employing any form of anonymization. Some records, reviewed by TechCrunch, indicated whether a user had potentially logged in through a proxy service, like a VPN, which obscures their actual location.
About Leak Zone
Leak Zone, which rose to prominence in 2020, promotes access to a “vast collection of leaks” encompassing breached databases and compromised accounts. The forum also operates a marketplace that explicitly advertises “illegal services,” as outlined in its user guide.
The forum claims to have a user base exceeding 109,000 individuals, according to a statement on its website.
AccountBot Data Also Exposed
UpGuard’s analysis revealed that 95% of the records within the exposed database were linked to Leak Zone user logins. The remaining data pertained to accounts associated with AccountBot, another platform specializing in the sale of compromised account access for streaming services.
Verification of the Exposure
TechCrunch independently confirmed the database was actively logging user logins by creating a new account and accessing the site. A corresponding record, containing TechCrunch’s IP address and the exact login timestamp, immediately appeared within the exposed database.
Cause of the Exposure
The reason for the database’s public exposure remains unknown. Data exposures are frequently the result of human error or misconfigurations, rather than deliberate malicious intent.
Lack of Response from Leak Zone
Attempts to contact the Leak Zone administrators for comment were unsuccessful, as the forum’s software prevented the sending of messages. It is currently unclear whether the administrators are aware of the exposure or intend to inform their users about the security vulnerability.
UpGuard has informed TechCrunch that the database is no longer accessible online.
Increased Law Enforcement Action
In recent years, both U.S. and international law enforcement agencies have been intensifying their efforts to target cybercrime forums and websites that facilitate hacking, identity theft, and other illegal activities.
This week, Europol announced the arrest of the alleged administrator of XSS.is, a long-standing Russian-language cybercrime forum, and the subsequent seizure of the forum as part of a coordinated takedown operation.