A self-styled “leaking and cracking forum” where users advertise and share breached databases, stolen credentials, and pirated software was leaking the IP addresses of its logged-in users to the open web, security researchers have found.
Leak Zone left an Elasticsearch database exposed to the internet without a password, according to researchers at UpGuard. In a blog post shared with TechCrunch ahead of its publication, the researchers said they discovered the database on July 18 and found its data was accessible to anyone with a web browser.
The exposed database contained more than 22 million records, each storing the IP address and precise timestamp of a Leak Zone user login. The records were dated as recently as June 25, and the database was still being updated in real time.
While the records were not linked to individual user accounts, an IP address paired with a login timestamp is enough to identify users who logged into Leak Zone without any anonymization tools. Some of the records, seen by TechCrunch, also carry a flag indicating whether the user is believed to have connected through a proxy or VPN, which can conceal a user’s real-world location.
Leak Zone, which gained popularity in 2020, advertises access to a “vast collection of leaks ranging from breached databases to cracked accounts,” referring to stolen credentials used for logging into a person’s online accounts. The forum also offers a marketplace that explicitly promotes “illegal services,” the site’s guide reads. A page on Leak Zone’s website claims the forum has more than 109,000 users.
According to UpGuard, 95% of the records in the exposed database relate to Leak Zone user logins. The remaining records reference accounts associated with AccountBot, another site that sells access to compromised streaming-service accounts.
TechCrunch verified that the exposed database was recording users logging into Leak Zone by creating a new account and logging in to the site. A corresponding record immediately appeared in the exposed database containing our IP address and the timestamp of the exact moment we logged in.
It’s not known why the database was publicly exposed. Exposures of this kind are usually the result of human error or misconfiguration, such as a database bound to a public interface with authentication disabled, rather than a deliberate act.
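The exposure described above is the classic unauthenticated Elasticsearch pattern: the cluster’s HTTP port answers a plain GET with its banner, and its indices can then be listed and read by anyone. The following is an added example, not code from UpGuard, TechCrunch or the forum, of the check an operator can run against a cluster they own to confirm it is not in the same state. It assumes a base URL you supply (the `base_url` parameter is hypothetical) and uses only the Python standard library; the sample responses are constructed so the classifier can be exercised offline.

```python
"""Probe an Elasticsearch endpoint for unauthenticated access.

Added example (not UpGuard's, TechCrunch's or Leak Zone's code). It assumes
you supply a base URL for a cluster you are authorised to test, e.g.
http://10.0.0.5:9200 (hypothetical address).
"""
import json
import urllib.error
import urllib.request

# Constructed sample of what an open cluster returns on GET / (fields are the
# ones Elasticsearch actually emits in its root banner; values are made up).
SAMPLE_OPEN_BANNER = json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "7.17.0"},
    "tagline": "You Know, for Search",
})

# Constructed sample of the 401 body a cluster with security enabled returns.
SAMPLE_AUTH_ERROR = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request"},
    "status": 401,
})


def classify(status, body):
    """Interpret one unauthenticated GET against the cluster root.

    Returns "exposed" when the cluster answered 200 with its banner
    (cluster_name / version present), "auth-required" on 401 or 403,
    and "unknown" for anything else (proxy page, non-JSON, other service).
    """
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(data, dict) and ("cluster_name" in data or "version" in data):
            return "exposed"
    return "unknown"


def probe(base_url, timeout=5):
    """GET / without credentials; if the cluster is open, list its indices.

    Returns (verdict, indices) where indices is a list of (name, docs.count)
    tuples drawn from /_cat/indices?format=json, empty unless exposed.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")

    verdict = classify(status, body)
    indices = []
    if verdict == "exposed":
        # Anyone who can reach this URL can also read the documents behind it.
        cat = urllib.request.Request(base_url.rstrip("/") + "/_cat/indices?format=json")
        with urllib.request.urlopen(cat, timeout=timeout) as resp:
            for entry in json.loads(resp.read().decode("utf-8", "replace")):
                indices.append((entry["index"], entry.get("docs.count")))
    return verdict, indices


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"
    verdict, indices = probe(target)
    print(verdict)
    for name, count in indices:
        print(f"  {name}: {count} docs readable without credentials")
```

A verdict of "exposed" from a public address is the condition UpGuard found here. Elasticsearch 8 enables authentication by default; on older versions the fix is to set `xpack.security.enabled: true` in `elasticsearch.yml`, bind `network.host` to a private interface, and put a firewall rule in front of port 9200 so the cluster is never reachable from the open internet in the first place.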
TechCrunch was unable to contact the Leak Zone administrators for comment as the forum software denied our ability to send them messages. It’s not clear if the Leak Zone administrators are aware of the exposure or if they plan to notify their users about the security lapse.
The database is no longer online, UpGuard told TechCrunch.
In recent years, U.S. and international authorities have increasingly targeted cybercrime forums and websites for their roles in facilitating hacking, identity theft, and other criminal activity. This week, Europol announced it had arrested the alleged administrator behind XSS.is, a long-running Russian-language cybercrime forum, which the authorities also seized as part of a takedown operation.