SpyCloud is Selling Hacked Data to Police via Loopholes


Companies such as SpyCloud has been revealed to be selling compromised information to law enforcement by bypassing the legal process, said Vice. Types of data involved include passwords, IP addresses, email addresses, usernames, and phone numbers.

In webinar slides acquired by multiplatform media publication Motherboard from a concerned source, it was found that SpyCloud has been offering hacked data to prospective customers including the police.


According to the webinar, the cybersecurity firm seeks to “empower investigators from law enforcement agencies and enterprises around the world to more quickly and efficiently bring malicious actors to justice.”

SpyCloud is Selling Hacked Data to Police

Motherboard got in touch with SpyCloud co-founder and chief product officer Dave Endler who confirmed the authenticity of the slides. Endler said, “We’re turning the criminals’ data against them, or at least we’re empowering law enforcement to do that.”


When contacted by Business Insider, Endler said that such information has already been made public due to the breach, which means that it is accessible by anyone including those in criminal communities.

Vice noted that this type of offering makes a “somewhat use of breach of data.” It also shows that commercial data that have been stolen by cyber attackers can be “repurposed by law enforcement.”

The caveat

One concern regarding this kind of offering is that law enforcement who buys hacked data would also be able to access the compromised info of individuals who are not suspects or who are not linked to criminal activity.

Another significant issue that arises from SpyCloud’s sales of compromised information is that the police have been going around the legal process of acquiring relevant info related to criminal activity.

In correspondence with Motherboard, Riana Pfefferkorn, Stanford Center for Internet and Society associate director of surveillance and cybersecurity, said that “it’s disturbing that law enforcement can simply buy their way into obtaining vast amounts of account information, even passwords, without having to obtain any legal process.”

The normal process that the police should follow entails that they file a legal request to the service provider. However, offerings by companies like SpyCloud bypass the legal process.

The fact that the police are using taxpayers’ money to “capitalize on breaches,” thus further victimizing those affected by cyberattacks, according to Pfefferkorn. The cybersecurity specialist also noted that such activities are ethically concerning.

Meanwhile, Endler told Business Insider that law enforcement buying such data only serves to shorten the legal process instead of eliminating it.