Best place to find DB leaks?

I want to check breaches against users in my system. I’ve scavenged a few torrents here and there but never found any site that would be a reliable source. Also I’m particularly interested in the db8151dd breach now and I haven’t found that one yet so any help with that would be very much appreciated.

6 Likes

If you want to check company accounts, Have I Been Pwned offers a domain-wide search. It also offers password hashes (unattached to accounts) that you can compare with your users’ current NTLM/SHA-1 pw hashes.

There are no “reliable” sites because the sites that offer this are grey markets at best, illegal black markets at worst. They don’t tend to stick around long.

1 Like

If you’re just checking users, and you have permission to do so… just use dehashed.

Use breached.co or search for Arvin on telegram

dehashed.com

If your company has budget for it, your best bet is to subscribe to a commercial threat intelligence service that keeps tabs on that for you.

The domain search helped a lot, thanks!

There are no “reliable” sites because the sites that offer this are grey markets at best, illegal black markets at worst. They don’t tend to stick around long.

I don’t understand… I’ve found several DBs just yesterday (more than 20GB) and I’m not really that skilled in all this stuff. It’s not that difficult, so wouldn’t it be safer to have a reliable source for testing? More people could be aware of these cybersecurity issues etc. instead of just people who dive into it. A determined attacker would find the DB anyway imo

No matter your intentions, it’s a fact that many leaks (including parts of what you just found) are products of crime - this already puts the venture into a legally (and ethically) grey area, one that is too much of a risk for most companies. Depending on jurisdiction, it may be OK to own this data if you’re not using it for illegal purposes, but if you create a site for others to access the data, you’re going to need to pay for hosting, which invites fundraising, which often boils down to “you selling stolen data to others”, which is much more legally risky than just owning the data. And some sites, like the recently raided (no pun intended) Raid Forums went even further to facilitate sales of data directly from hackers, profiting from that as well (very illegal).

Realistically, you don’t need people’s actual username-password pairs to successfully secure your users’ accounts as a defender. You’re better off implementing policies such as

  1. Promoting good password hygiene (password managers) so that your users don’t need to create passwords they must remember
  2. Preventing users from setting passwords that are commonly used by others (e.g. PwnedPasswords from HIBP), regardless of whether your user appeared in a breach or not. You don’t need breach data for this, just derived password hashes to ensure your users are creating unique passwords.

If your coworker leaves their wallet on their desk while they go to the bathroom, you can’t take money out of it just because “a determined attacker would easily be able to take the wallet anyway…”
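An added example, not code from any poster in this thread: the hash-only check described above (rejecting passwords that appear in a Pwned Passwords-style set), written in the range-lookup form where only the first five hex characters of the SHA-1 digest leave your system. `SAMPLE_CORPUS` and `local_fetch_range` are constructed offline stand-ins for the hash set and the lookup call, and the function names are hypothetical.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed sample (password -> times seen); stands in for the real hash set.
SAMPLE_CORPUS = {"password": 1000, "qwerty123": 250, "letmein": 75}

def build_range_index(corpus):
    """Lookup side: group SUFFIX:COUNT lines under each 5-character prefix."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index

_INDEX = build_range_index(SAMPLE_CORPUS)
SENT_PREFIXES = []  # records exactly what would leave the defender's system

def local_fetch_range(prefix: str) -> str:
    """Hypothetical offline stand-in for fetching the range for `prefix`."""
    SENT_PREFIXES.append(prefix)
    lines = list(_INDEX.get(prefix, []))
    lines.append("0" * 35 + ":0")  # padding-style entry; count 0 means "not seen"
    return "\r\n".join(lines)

def pwned_count(password: str, fetch_range=local_fetch_range) -> int:
    """Return how often the password appears in the set, 0 if absent."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # The suffix comparison happens locally; the full hash is never sent.
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0

def password_allowed(password: str, max_seen: int = 0,
                     fetch_range=local_fetch_range) -> bool:
    """Policy hook for signup and password change: reject known passwords."""
    return pwned_count(password, fetch_range) <= max_seen

if __name__ == "__main__":
    for pw in ("password", "x9$Lq-constructed-unique"):
        print(pw, "->", "allowed" if password_allowed(pw) else "rejected")
```

In production, `fetch_range` would be replaced by a call to the hash provider or a lookup in a locally stored copy of the hash set; no account names or breach records are needed at any point.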