A self-styled “leaks and cracking forum,” where users promote and share compromised databases, stolen credentials, and pirated software, leaked the IP addresses of its logged-in users to the open web.
According to researchers at UpGuard, Leak Zone left an Elasticsearch database exposed to the internet without a password. In a blog post shared with TechCrunch ahead of publication, the researchers said they discovered the database on July 18th and found that its data could be accessed by anyone with a web browser.
The exposed database contained over 22 million records, each storing the IP address and exact timestamp of a Leak Zone user's login. The records were dated June 25th, and the database was being updated in real time.
Although the records are not linked to individual user accounts, the data could be used to identify users who logged in to Leak Zone without using an anonymization tool. Some of the records seen by TechCrunch also indicate whether the user was thought to be logging in via a proxy such as a VPN, which helps to hide the user's real location.
Leak Zone, popular in 2020, promotes access to “a huge collection of leaks ranging from compromised databases to cracked accounts,” a reference to stolen credentials used to log in to individuals' online accounts. The forum also hosts marketplaces that explicitly promote “illegal services,” according to the site's guide. The Leak Zone website claims that the forum has over 109,000 users.
According to UpGuard, 95% of the records in the exposed database relate to Leak Zone user logins. The remaining records reference accounts associated with AccountBot, another site that sells access to compromised streaming-service accounts.
TechCrunch confirmed that the exposed database was recording users' logins to Leak Zone by creating a new account and logging in to the site. I was immediately shown a record in the public database containing my IP address and the timestamp of the exact moment I logged in.
I don't know why the database was exposed. Human error or misconfiguration, rather than malicious action, is often the cause of data exposures of this kind.
TechCrunch could not contact the Leak Zone administrator for comment, as the forum software blocked its ability to send messages. It is not clear whether the Leak Zone administrator is aware of the exposure or will notify users about the security lapse.
The database is no longer online, UpGuard told TechCrunch.
In recent years, US and international authorities have increasingly targeted cybercrime forums and websites for their role in facilitating hacking, identity theft, and other criminal activity. This week, Europol announced it had arrested the suspected administrator behind XSS.IS, a long-running Russian cybercrime forum.