Indexeus, a search engine that uses a database of “over 200 million entries” derived from more than 100 recent data breaches, has the potential to reveal personal details of a number of cybercriminals.
The brainchild of Lisbon native Jason Relinquo (23), many of the breaches it indexes are from hacking forums, exposing details of those responsible for a breach in the process.
The site was created “as a tool to see if your info has been compromised, but also as a way of doxing people easier”. Doxing means to untangle the real life identity of someone with a number of web personas, a practice common in cybercriminal forums.
In a move described by Rik Ferguson, global vice-president of security research at Trend Micro, as "basically monetising stolen property", Mr Relinquo initially used the platform to make a profit, asking for a "donation" of $1 to delete, or "blacklist", a record from the database.
While some malicious web users were paying up to avoid fellow hackers pinpointing them for their breaches, Mr Reinquo has since confirmed that blacklisting of certain records is now free as it falls under the EU’s “right to be forgotten” legislation.
"The thing that surprises me about this is that it hasn't happened sooner," Mr Ferguson told The Irish Times. Much of the information harvested by data breaches is eventually "dumped rather than sold" in secretive online forums, he added.
Mr Relinquo reportedly told security blogger Brian Krebs that he wants Indexeus to "grow and be a reference, and at some point by a tool useful enough to be used by law enforcement".
As for regular web users, Mr Ferguson said that having “lost count of the number of major data breaches” in the past three years, personal data such as dates of birth, email and physical addresses as well as phone numbers are difficult to “claw back” once exposed.
“If data is breached and stolen you must consider it stolen and out there for good,” said Mr Ferguson.” We don’t live in an age where you can meet someone in a car park and pay for some negatives to sweep something up.
“In fact, people may be beginning to care less and less about whether their information is out there if it’s already been stolen three times as part of these breaches,”he said.