Police Are Buying Access to Hacked Website Data

The sale is “an end-run around the usual legal processes.”
July 8, 2020, 1:29pm

Hackers break into websites, steal information, and then publish that data all the time, with other hackers or scammers then using it for their own ends. But breached data now has another customer: law enforcement.

Some companies are selling government agencies access to data stolen from websites in the hope that it can generate investigative leads, with the data including passwords, email addresses, IP addresses, and more.

Motherboard obtained webinar slides that a company called SpyCloud presented to prospective customers. In that webinar, the company claimed to "empower investigators from law enforcement agencies and enterprises around the world to more quickly and efficiently bring malicious actors to justice." The slides were shared by a source who was concerned about law enforcement agencies buying access to hacked data. SpyCloud confirmed to Motherboard that the slides were authentic.

"We're turning the criminals' data against them, or at least we're empowering law enforcement to do that," Dave Endler, co-founder and chief product officer of SpyCloud, told Motherboard in a phone call.

The sale highlights a somewhat novel use of breached data, and signals how data ordinarily associated with the commercial sector can be repurposed by law enforcement too. But it also raises questions about whether law enforcement agencies should be leveraging information originally stolen by hackers. By buying products from SpyCloud, law enforcement would also be obtaining access to hacked data on people who are not associated with any crimes—the vast majority of people affected by data breaches are not criminals—and would not need to follow the usual mechanisms of sending a legal request to a company to obtain user data.

Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, told Motherboard in an email, "it's disturbing that law enforcement can simply buy their way into obtaining vast amounts of account information, even passwords, without having to obtain any legal process."

"Normally, if the police want to find out, say, what IP address is associated with a particular online account, they do have to serve legal process on the service provider. This is an end-run around the usual legal processes. We impose those requirements on law enforcement for good reason," she added.

"While tracking down criminals sounds like a silver lining about data breaches, it's unsettling that law enforcement agencies are paying taxpayer dollars to capitalize on breaches that, after all, already victimized the people whose data is in those datasets," she said.

SpyCloud's main business is providing various tools to individuals or organizations trying to stop account takeovers. On its website, anyone can sign up with their email address, verify they control it, and then see what data breaches their information is included in. In some ways it's a commercial version of security researcher Troy Hunt's own data breach service 'Have I Been Pwned?' SpyCloud differs in that its data can be bundled with investigative software such as Maltego to more easily draw connections between different bits of information.

A SpyCloud description of its product's use cases. Image: SpyCloud

SpyCloud also offers that sort of data access to law enforcement, allowing agencies to look up the exposed information of other people.

In another webinar slide, SpyCloud says the data can be used to "unmask specific criminals and their personas," including "criminal locating."

"The data that we're providing to law enforcement, tends to be data that's already in the hands of criminals, and in our mindset it tends to be already public," Endler said.

That may be the case for some particularly widely traded breaches, but others are not as simple to obtain. Data trading forums often ask users to pay for datasets or to gain access to the forum, or only open the doors for those who other users can vouch for.

With that in mind, Endler said that SpyCloud has a human intelligence team, whose work involves "developing relationships with sock puppets, alternate personas" to obtain data. Endler said SpyCloud also cracks passwords; datasets often only contain a hash, or a cryptographic fingerprint of a user's password. Once cracked, an investigator can see what a user's real password was; perhaps a useful clue in linking together accounts that share a password.

Some of the data available via SpyCloud. Image: SpyCloud

Endler said that the company's law enforcement customers include a handful of federal agencies. In a 2018 press release announcing charges related to DDoS-for-hire websites, the Department of Justice thanked SpyCloud for its assistance. The FBI acknowledged a request for comment but did not provide a response in time for publication.

Kevin Metcalf, a prosecuting attorney and head of the National Child Protection Task Force, a group made up of law enforcement and technology professionals focused on fighting human trafficking, told Motherboard in an email that breach data "is not commonly used or understood and there is not a lot of time spent on it yet."

But he added, "we make use of breach data and anything else that we can use to identify active predators that are trying to hide from law enforcement while they prey on the most vulnerable members of our society."

"Most of the time it provides a lead that connects some data points that we didn't have before. Our online lives leave traces and all we have to do is to find some connection that ties a predatory account to an actual person. For this to be included in legal process, it would need to be part of a larger picture, most of the time it isn't enough by itself," he said, adding that this may include "any and all breach data."

As well as human trafficking, Endler from SpyCloud added that departments focused on financial crime and computer hacking may use the data.

Multiple companies that started selling their data products to the commercial sector have since catered to law enforcement. Federal agencies including Immigration and Customs Enforcement have purchased location data harvested from smartphone apps that is usually collected or bought by ad firms.

Pfefferkorn said, "Using these pools of breached data in this way is ethically dubious but so obviously attractive—for malign purposes as well as good."
