A Hacker’s Exclusive Interview-you may find your password
[Editors’ note: After some initial back-and-forth to verify Peace is the same person WIRED contacted on the RealDeal black market…]
WIRED: My first question, how have you got your hands on all these collections of breached user credentials?
Peace: Well, all these have been hacked through [a] team, if you want to call it that, of Russians. Some have been my work, others by another person.
Are you Russian, yourself?
Can you tell me where you’re based?
At this moment, due to multiple investigations, I would not care to say.
Is there a name for your team?
At this time I can not give out details like that, sorry.
It seems like much of the data you’re selling is old (even if still useful for hackers). The LinkedIn data is from 2012, for instance, and the MySpace data also seems to be from 2013. How did it happen that you came to possess this old data and are only selling it now?
Well, these breaches were shared among the team and used for our own purposes. During this time, some of the members started selling to other people. The people who we sold to [were] selective, not random or in public forums and such, but people who would use [the data] for their own purposes and not resell or trade. Although [after] long enough, certain individuals obtained the data and started to sell [it] in bulk ($100/100k accounts, etc.) in the public. After noticing this, I decided for myself to begin making a little extra cash to start selling publicly, as well.
So you’re doing this separately from the rest of your crew? Are they OK with you selling this data on your own?
Well, this crew is no longer together. The leader retired, if you want to call it that, a long time ago; however, a certain someone (Tessa) started selling without permission. Most of the members went on to do other things and a lot aren’t in contact; for that reason there wasn’t any consequence for his actions. For me personally, adding in the fact that it was long ago, I thought I’d join in and begin selling, too. [Editors’ note: Someone using the handle Tessa has really provided 32 million Twitter users’ data to the breach tracking website LeakedSource.com.]
Why didn’t the crew want to sell the whole stock earlier?
It is not of value if data is made public. We had our own use for it and other buyers did as well. In addition, buyers expect this type of data to remain private for as long as possible. There are many [databases] not made public for that reason and [in] use for many years to come.
What was your own use for it? How were you able to make more by selling the data privately?
Well, [the] main use is for spamming. There is a lot of money to be made there, as [well as] in selling to private buyers looking for specific targets. As well, password reuse, as seen in recent headlines of account takeovers of high-profile people. Many simply don’t care to use different passwords, which allows you to compile lists of Netflix, Paypal, Amazon, etc. to sell in bulk (50K/100K/etc.).
How much would you say the crew made selling parts of the LinkedIn database privately, for instance, before you started selling the combined collection?
I don’t think it would be in my best interest to give out that information. However, I can say for me personally, selling publicly, [I’ve made] $15K for LinkedIn.
How much for the MySpace and Tumblr data?
For both, about $20K.
Like, $10,000 each?
More for Myspace. For Tumblr a couple Gs in total, but mostly Myspace due to the fact that Tumblr had salt for the hashes.
The Myspace data was then hashed, wasn’t it? But not salted?
Yes, it was hashed, however no salt. [Editors’ note: For more information on hashing and salting, read this explainer.]
How much for the Fling data?
That was about $1,200 or not far off from that, can’t recall exact amount.
Do you have more collections that you haven’t put up for sale yet?
Yes, about another 1B users or so, once again in the same timeframe: 2012-2013.
From which services?
Social media and email services, mainly.
Which sites, I mean? Can you be specific?
Well, I can’t reveal for now. I don’t want those companies getting a head start sending out password resets.
When do you plan to begin selling the rest?
Sometime this week for my next [one.] I will probably do one every week. [Editors’ note: Peace put up the Twitter data for sale on Thursday, three days after this conversation.]
How many sites/services are there in total?
Hmm, about seven which are over the 100M user mark. If I add in smaller ones (20M, 60M, etc.), another five.
How were you or your crew able to compromise all these sites?
Well, that’s up to the companies and law enforcement to find out.
I hope this doesn’t sound rude, but why did you agree to talk to me?
No, well, it’s fun fucking around with these people (MySpace, Tumblr, LinkedIn) as they threaten to investigate and cooperate with law enforcement. I’d rather give them a bone to chew on, so to speak, make them feel like they can catch me or others.
And you’re sure you can evade law enforcement?
Haha, yes, where I am at.
It seems like a lot of risk for the $25K or so you say you’ve made thus far.
Well, that is publicly. And in less than a month. It is no risk for me, as they can’t do anything. Like I said, quick easy cash in about a month. [I] should have enough to go get a nice car.
Are you confident you won’t be caught because you’re in Russia? Don’t the Russian police occasionally extradite hackers? A billion-plus passwords might be enough to get some attention.
Well, it is a little more complicated than that, but I have plans in case something happens.
Where does your name peace_of_mind come from?
Well, it was just supposed to be peace, however [that] was taken on [the RealDeal dark web] market. [It] just came to mind, in point of fact, nothing special.
Why peace, then?
Can you prove that you in reality have a billion more passwords from 12 sites ready to sell? Readers will be skeptical.
Tell them to check their inbox for a password reset in the next week or so.
[Editor’s note: WIRED requested evidence of that still-to-come breached data. Peace initially offered to send some sort of sample of the data and we agreed to check back in the next day or two. But after two days Peace still hadn’t provided anything.]