Cyber Incident Victim: WeLeakData
Date: Jan 2020
Location: United States of America
Summary
WeLeakData.com, a hacker forum and marketplace for trading breached databases and credential-stuffing tools, abruptly shut down amid rumors of operator arrests and database theft. Its stolen vBulletin forum database, later confirmed authentic by researchers, exposed hackers' private messages, login credentials, hashed passwords, email addresses, and IP addresses. The compromised data was sold on dark web marketplaces and replicated on a new site called Leaksmarket.com, while also being integrated into a breach notification service for victim verification. The leaked communications posed risks to the involved threat actors by potentially aiding law enforcement investigations and threat intelligence efforts.
Description
WeLeakData.com operated as a hacker forum and marketplace focused on trading databases stolen in data breaches and combolists used for credential stuffing attacks. The site mysteriously shut down in late April 2020, with rumors suggesting its operator had been arrested and the forum database stolen or sold. On May 11, 2020, cybersecurity firm Cyble reported that a dump of WeLeakData.com's vBulletin forum database from January 9, 2020, was being sold on dark web marketplaces. The stolen database contained login credentials, email addresses, hashed passwords, IP addresses, and private messages exchanged between forum users. Cyble confirmed the authenticity of the leaked data through analysis, noting it exposed detailed communications among threat actors who had used the platform for illicit activities.

The exposure of private messages posed significant risks to the hackers involved, as these logs could assist law enforcement investigations into their activities and inform threat intelligence research. The stolen database was also leveraged to create Leaksmarket.com, a new site hosting identical content to the original WeLeakData forum. Cyble incorporated the leaked data into its AmIBreached.com breach notification service to help users verify if their information was compromised. The incident highlighted operational security failures within criminal communities, as the platform's own infrastructure became a source of intelligence for defenders and authorities. No remediation efforts by WeLeakData.com's operators were documented, as the site remained offline following its abrupt April 2020 disappearance.
