Ironically, the database for the defunct hacker forum and data breach marketplace called WeLeakData.com is being sold on the dark web and exposes the private conversations of hackers who used the site. WeLeakData.com was a hacker forum and marketplace that primarily focused on discussing, trading, and selling databases stolen during data breaches and combolists that are used in credential stuffing attacks.
The biting irony of the situation aside, the serious takeaway is that no data is safe, not even the data generated, collected, and stored by people engaged in intrusion and data theft, who know intimately how defence tactics can be overcome for their own purposes (and potential gain). The presumption that your security measures are enough and foolproof leads to complacency and potentially damaging exposure. It’s a cautionary tale for any organisation engaged in legal corporate activities: rethink everything about how you’re protecting sensitive, mission-critical data. If exposure of leaked data can happen to knowledgeable threat actors, then it can certainly happen to you.
Always assuming that your defences can be breached and that sensitive data can be accessed and exposed (or leaked) is the starting point of a strong data-centric security posture. By employing data-centric security measures such as tokenization, which renders sensitive data meaningless (preferably at first touch within your corporate workflows), you can be better assured that data leaving your protected perimeter, whether intentionally or unintentionally, won’t compromise your organisation. In this way, you safeguard not only your own best interests but also those of your customers, partners, and anyone else with whom you do business.