For a few months now, my toy leakedin.com is back online. When I brought the website up again, a question immediately popped up in my mind: “How to protect myself against angry users or organizations not happy to see potentially sensitive data disclosed?“. The website compiles interesting data like credit card numbers, configurations, login/password lists, etc. After all, the data grabbed from pastie websites are already publicly available, I’m just compiling my findings in a central place. Just to prove my good faith,Â I decided to add an abuse page where people could find some help to ask for a removal of their data. Was this helpful? I think it’s time for a small review of the abuse reports received!
The blog was announced and started to collect data on March 16th 2012. The first request came into the abuse mailbox on March 23rd! Up to now, 14 requests have been received. For which type of data?
- Leaked emails / SMTP headers (1 time)
- Social Security Numbers (1 time)
- Defamation via a website (1 time)
- Personal information (1 time)
- Configuration files (2 times)
- Credit Card Information (3 times)
- Email / Password dump (4 times)
- Database dump (1 time)
What about people vs organizations?
- Individuals (11 times)
- Organizations (3 times)
Amongst the three organizations, one of them was a big European bank which detected several references to its brand or to customers. Good catch! Of course, all the requests to delete the offensive content was processed as soon as possible.
What can we conclude? leakedin.com is heavily indexed by most search engines. The Google crawler visits the pages at regular intervals. Even if the website is not well-known (approximately 500 visits per day), it’s easy to find references to my site via Google. Based on the very-low amount of abuse requests I received, I can conclude that organizations don’t take care much of their brand or information published about them. Note that the same applies to individuals. Who’s monitoring his domain names, logins, IP addresses? I do!