Last week a breach notification site named LeakedSource was allegedly shut down by US law enforcement and much of their equipment confiscated. While the Department of Justice is refusing to comment or confirm, the social media accounts of the operators have been suspended and the site itself is offline. At the current time, the reasons why they may have been targeted by law enforcement are unknown, although it’s possible to hazard some guesses as to why.
LeakedSource frequently had the data from the very latest breaches, despite the fact that many of those breaches were simply not publicly available yet and in some cases had happened mere days prior to them obtaining it. This led to speculation in security circles that LeakedSource was buying data or had an inappropriately close relationship with the perpetrators. To further complicate the issue, LeakedSource seemed like they were a tool more tailored for black hat types than they were for companies and security researchers: anyone willing to pay the subscription fee could view credentials (often including cleartext passwords) for practically any account in their database. Indeed it doesn’t take much searching in hacking forums to find that this was a much loved tool for many in that community. This raised plenty of red flags in the security world. The fact that LeakedSource’s operators, organization, and infrastructure were anonymous and shrouded in mystery didn’t provide much reassurance for companies tempted to use them to help secure their users.
At Enzoic, we take a different approach – one that ensures our service cannot be used for nefarious purposes. First, we don’t return raw passwords or credential data. Period. We never return email addresses. We never return passwords. The only thing our service will tell you is whether a submitted password or set of credentials has been publicly exposed. Additionally, we never buy data. Ethically we believe it would be wrong to subsidize the very problem we are purporting to solve. Thus, all of our data is harvested from the public Internet. Enzoic is purpose built for companies to protect their users and employees from credential exposures – not to aid cyber criminals. We are experienced security industry professionals and stake our reputations on the security and trustworthiness of our business.
To see more about our security policies and processes to protect users, visit the Enzoic FAQ site.