Skip navigation
× You have 2 more free articles available this month. Subscribe today.

Firms Selling Breached and Hacked Data To Law Enforcement

by Anthony W. Accurso

SpyCloud, a company that collects private information on people, mostly info exposed through data breaches, sells access to its databases to anyone willing to pay for it, including law enforcement. While it currently operates in an area of law mostly untouched by precedent, people should be aware of how it may be aiding abuses of the justice system.

Data breaches seem ever more common these days, and it seems like companies of various kinds announce breaches whole vowing to increase security. But what happens to the data that was breached?

To increase their credibility in online communities, hackers post the data for everyone to see. It’s the equivalent of posting a picture of the company’s dirty underwear, except that these data breaches can often be more problematic for the company’s users than for the company itself. For instance, when, a site popular for those seeking discrete, extramarital affairs, was hacked, there were a great many angry spouses who learned their husbands and wives were cheating.

The next evolution of this problem has manifested in the form of SpyCloud, a company that aggregates this data (and more), and sells access to everyone.

But SpyCloud doesn’t just sell data that’s been breached. Often, breached datasets include a username and an encrypted copy of the user’s password. Companies encrypt the passwords specifically in hacked case that info is leaked. SpyCloud takes the time to decrypt the passwords. A “customer” of SpyCloud could pay for access, possibly locate their spouse’s username and password to a random shopping site that was breached, and then use that username and password on other sites, like Facebook.

What is especially worrisome is that SpyCloud advertises to law enforcement. It claims it’s “empowering investigators by giving them data they can use against criminals,” according to

“It’s disturbing that law enforcement can simply buy their way into obtaining vast amounts of account information, even passwords, without having to obtain any legal process,” said Riana Pfefferkorn of the Stanford Center for Internet and Society. “Normally, if the police want to find out, say, what IP address is associated with a particular online account, they do have to serve legal process on the service provider. This is an end-run around the usual legal process.”

It was outrageous when Edward Snowden revealed the NSA was hoovering up our metadata. Now, thanks to SpyCloud, the FBI or ICE may be able to read your Facebook or Instagram messages without your permission. We have a Fourth Amendment, which requires warrants for such activities, for the very purpose of preventing such wide-ranging spying on citizens.

This will likely continue until courts tell the agencies they can’t ... if that ever happens.



As a digital subscriber to Criminal Legal News, you can access full text and downloads for this and other premium content.

Subscribe today

Already a subscriber? Login



Prison Phone Justice Campaign
PLN Subscribe Now Ad 450x450
Federal Prison Handbook - Side