Indexeus.net looks like it could have been a Y Combinator project. With a slick design, snappy copy, and a bitcoin-based payment system, it looks unusually legit. But what the site is hiding is the produce of hundreds of hacking efforts from around the web.
I’ve left out the link because it’s unclear if the site may deliver malware now or in the future. You can type it in if you’re curious.
While the tagline “Account recovery & Consultancy made easy!” sounds innocuous, Indexeus is a database of stolen names and passwords. According to Brian Krebs, the database includes stolen passwords from the recent Adobe and Yahoo hacks. But, according to the site’s crawling file, available here, the site also indexes all of the major hacks performed against hacker forums themselves. This means that the personal data of various bands of script kiddies are also indexed here.
I tested the site today with my own name as well as President Obama’s. I found one record that matched me – it cost 50 cents in BTC to view – and 11 records for the President. The data it found on me was useless.
Because all of these hacked accounts are now indexed using the site, hackers themselves are getting nervous. Writes Krebs:
You can also pay to blacklist content that you don’t want to appear on the site, which is quite a feature. Given that the hackers have been hoisted on their own petard, it’s a delightful bit of Schadenfreude.
Krebs tracked down the creator of the index, Jason Relinquo from Lisbon, Portugal, and even asked the young man a few questions about his service. While it’s unclear how accurate this data is right now, it’s clear that a solid programmer with a little chutzpah could recreate this ad infinitum, creating multiple databases of hacked data that would pop up like hydra heads. Interestingly, Relinquo is not fixing the site to be compliant with Europe’s Right to be Forgotten laws, which, I suspect is exactly what some of the hackers he’s cataloged would appreciate.