Weleakinfo.com Domain Name Seized: Site Had Sold Access to Hacked PII and Logins
justice.gov
At what point do security dumps become 'public' and legal to disseminate?
Is there a framework for determining what is legal to provide to Brian Krebs or Haveibeenpwned.com?
Would it have been illegal of Brian Krebs to pay money to weleakinfo.com for a database that also existed elsewhere?
Basically is it illegal to buy, sell, give away for free to masses, give away for free to vetted individuals/researchers, or illegal to hold privately once you received it?
Would love if anyone could point me towards the path of enlightenment here. US/EU, and other laws all seem relevant.
I asked a lawyer friend this question once before starting on a personal project. The answer I got in return took about 30 minutes and was filled with a lot of "ifs" and "buts" and references to at-that-time undecided cases.
That lawyer must be a very good friend indeed. It sounds like a lot of research to yield that kind of answer.
>US/EU, and other laws all seem relevant.
What does this mean? In the US there is no law for this.
In the EU we have the GDPR which says you never get to own or control someone else's personal information without their permission.
Just because the info is leaked, that doesn't make it public domain. The data still belongs to the user, and the people that hold it should only ever be doing so with permission.
>>US/EU, and other laws all seem relevant.
>What does this mean?
For context, the US has arrested people who have never set foot in the US and held no assets in the US ... for breaking US law. So when it comes to "the internet" nowadays I assume I have to comply with all major countries' law, not just my own (USA). Or at least it could be helpful to know other countries laws (EU) as they compare to my own (USA).
> In the US there is no law for this.
If the FBI seized the website, I would be led to assume there's probably at least one law covering it.
> The data still belongs to the user
If I'm one of the affected users, can I see what of my data was leaked? Wouldn't I have to download the leaked data to do that? Would that be legal to download? Would it be legal for someone else to provide my own leaked data to me?
> the people that hold it should only ever be doing so with permission.
This would make http://haveibeenpwned.com/ and Google Chrome's password checker illegal -- and probably 90% of security researchers would be outlaws. That seems like an untenable policy position.
>For context, the US has arrested people who have never set foot in the US and held no assets in the US ... for breaking US law.
What are you talking about?
I wonder if this is ever a positive thing. Like if a company sold 0.01% of the leaked credentials to prove the hack was real/scare the general public. And then shredded the other 99.99% of credentials.
I feel like the nuance would almost always be lost though
Considering the Equifax breach, which consisted of leaking all the information on everyone, and didn't seem to faze the public hardly at all, I don't think that would be an effective tactic.
Recent and related: https://news.ycombinator.com/item?id=22065780
I love the cool images they seem to always put together when they do this.
You mean this? https://www.justice.gov/sites/default/files/styles/width_12/...
Yeah, that's pretty Matrix-like.
Yeah, whoever does those still has hacker aesthetics from the '90s.