Ontario man arrested for selling stolen digital information

RCMP have linked an Ontario man to a website that was selling stolen personal identities.

The website, LeakedSource.com had more than 3 billion hacked accounts, many with user names and passwords. The good news, if there is any in all this, is that these weren't new hacks. 

These personal accounts had already been compromised in some widely-publicized breaches.  RCMP allege that 27-year-old Jordan Evan Bloom was selling them through his website and making a pile of cash.

Remember the story back in 2015 when the married dating site Ashley Madison was hacked? 

Fast forward to today with the arrest of Jordan Evan Bloom of Thornhill, Ontario.   RCMP allege Bloom bought stolen identity accounts through breaches like the Ashley Madison one, and LinkedIn from the Dark Web and was selling them through his website LeakedSource.com.

Staff-Sergeant Rosa Maurizio is with the RCMP, “Bloom's website contained more than 3 billion compromised identity accounts; half of these contained user names and passwords.”

• Ontario man ran site that peddled billions of pieces of personal data: RCMP

RCMP say Bloom's website earned him more than a quarter of a million dollars.  It's since been shut down.

Police started investigating Bloom a year and a half ago after being contacted by the Dutch National Police.  

“What I would like to say as a message to Canadians,” Maurizio told a news conference today, “is that security on internet is not a onetime deal.  It is incumbent on every one of us to make sure our information is protected.”

Bloom appeared in court today on 4 charges, including trafficking in identity information.   Trend Micro’s Mark Nunnikhoven, who is an expert in cyber security, says for the victims, getting their identity information back is a challenge.

“We know how easy to copy a file at home,” he says, “It's that easy for your information to propagate through the digital underground.”

The key he says is to protect it from the start using different passwords for different accounts or using a password manager. 

Nunnikhoven says there are legitimate sites to see if you have been hacked.  He recommends one called haveibeenpwned.com. You just put in your email address.  It's free and showed me two breaches I didn't know about including one on Linked In.

“That password is no longer any good for you.  You should be changing your passwords once a year or if there's an indication of a breach,” he says.

After Bloom's site "LeakedSource.com" was shut down another one with the same name popped up.  RCMP believe it is being hosted on servers in Russia.