WeLeakInfo Leaked Customer Payment Info (krebsonsecurity.com)
87 points by todsacerdoti on March 15, 2021 | 16 comments


“Long story short: FBI let one of weleakinfo’s domains expire that they used for the emails/payments,” pompompurin wrote. “I registered that domain, & was able to [password] reset the stripe.com account & get all the Data. [It’s] only from people that used stripe.com to checkout. If you used paypal or [bitcoin] ur all good.”

That’s the gist of the whole story.

No credit card numbers were leaked, I wouldn’t count the partial numbers... it’s probably last 4 digits.


Credit card numbers aren’t the exciting part - it’s growing the network information about users of the service. It’s the same reason Facebook et al don’t really care that much about the content of your private messages but rather about the metadata of whom you’re communicating with.


> a copy of the data leaked by pompompurin, and said it includes partial credit card data, email addresses, full names, IP addresses, browser user agent string data, physical addresses, phone numbers, and amount paid

I can certainly appreciate the irony of the FBI negligently enabling a major data leak of data leak buyers.


There's absolutely no evidence to support this guy's claim that the FBI was ever in possession of this domain.


There's a lot more here than the irony of just the headline would suggest - I suspect Krebs assumed context for his readers when writing it.

The real kicker here was that the FBI had seized a website (domain)... then let the domain lapse which let someone else hijack it and get all of the data from a 3rd party (Stripe).


I’m surprised (but kinda not surprised) that seizing a domain setup like this doesn’t involve the FBI shutting down payment processors and collecting the third party data and forcing it to be removed from the service.


I don't believe that this domain was ever seized by the FBI.

It never displayed a seizure page, and the actual weleakinfo domain has the "serverDeleteProhibited" flag set.


Ugh. After they sneezed it I now have no way to check if I was leaked ...


Even if it was a honeypot, could they criminally charge you for buying your own data?


Why did Stripe allow a website selling stolen data to operate for years?

Is their oversight/review that poor?

Were they working with law enforcement all along?

How does this fit with their ongoing efforts to deplatform unacceptable views?


I’m more interested in the fact that Stripe can have a customer entirely seized by the FBI and yet still just keep all the account info there ready to be accessed.


They don't have any requirements on sellers that I was able to find.

I was looking through their docs, to see if I could report some other fraudster to them for some obvious violations, but I think they don't care about payers at all. I couldn't even find an email contact, and I would have to register an account to talk to them, probably. They don't even send an independent payment verification to the payer.

Very shady, compared to other payment processors I used. All of them at least send independent payment verifications with contact info and merchant details, in case something goes wrong.


Huh? They have a whole page dedicated to restricted businesses.

https://stripe.com/restricted-businesses

(This is in addition to the more generic "Don't do illegal things" language in their service agreement)


I mean requirements like "you have to provide receipts / payment confirmation to your customers", etc. Anyway, I found the contact.


It does what it says in the tin. How big of a disclaimer did their users need?


Ironically WeLeakInfo did a good job protecting customer info, it was the FBI whose poor security enabled this leak



