Indexeus temporarily tilted the odds in its favor – the search engine targeted hackers by listing their passwords and other information in its search results. The service wanted a dollar “donation” from each hacker listed to get their information removed from its search results.
The situation is the reverse of the typical hacker-search engine report. For the hackers, targeting a search engine is typically the more common situation than being the target of one. The reason why Indexeus decided to go forward with this campaign is in order to draw attention to the new search engine. The European Union-based search engine now allows free removal requests in compliance with the recent “right to be forgotten” ruling. Its campaign was meant to draw attention to the new search engine.
Like many hackers, the information Indexeus was threatening to reveal was illegally obtained. The site collects data from forums and repositories of information gathered by hackers. It has information from more than 100 data breaches. Indexeus’ function is to gather it in an attempt to get it removed.
Indexeus founder Jason Relinquo told Krebs on Security that he wants the search engine to be a tool to do good by providing information.
“I want this to grow and be a reference, and at some point by a tool useful enough to be used by law enforcement,” said Relinquo in his interview with the security blog. He continued that minors’ personal information could always be removed for free.
The whole purpose of Indexeus is to make people more aware of their online security, which they sometimes undermine. On Indexeus’ FAQ page, this purpose is described in greater detail:
“This is a service, which provides easy access to hundreds of databases, which is very useful if you don’t want to bring your databases around or if you just don’t have any. The goal is to make people realize that using the same information all over is stupid and will lead to you getting your information stolen, but also showing you how badly administrators keep your private data stored.”
The whole online stunt was successful in that it drew attention to the hazards of putting personal information online. It only takes one successful cyberattack for users’ information to wind up on a hacker’s computer. The stacks of information on Indexeus’ database came from data breaches. In using it in an attempt to get hackers to pay to get their information removed, the website drew further attention by creating a scenario that more commonly happens in reverse.
The availability of private information online in a place where Indexeus’ Relinquo was able to find it to build the search engine shows that online privacy and security threats are real, since hackers may already have a user’s information without their knowledge. After all, assuming the $1 per record had actually happened, it would have made Indexeus $10 million.