Leak Box – Anonymous Vulnerability & Data Leaks Reporting
We've developed the Leak Box to help cybersecurity analysts continue making the internet safer, without risking their own safety.
Cybersecurity analysis is potentially dangerous work. Many companies are hostile to the people trying to help them ensure they’re not endangering their customers or leaking sensitive data out into the open.
With the Leak Box, analysts can anonymously report any data leaks they find through legal methods, and we’ll take care of the rest. We work with companies, cybersecurity specialists, legal experts, and data regulatory bodies to safely verify and close any leaks submitted.
Analysts then have more time to focus on fighting against criminal hacking and online fraud, without worrying about facing any recriminations for doing so.
To view the Leak Box on the dark web, copy and paste this URL into the Tor browser:
Who We Are
vpnMentor is a leading authority on cybersecurity and data privacy.
Our Research Lab is a pro bono service that strives to help the online community defend itself against cyber threats, while educating organizations on protecting their users’ data.
Our cybersecurity analysis research team, led by renowned analysts Noam Rotem and Ran Locar, has discovered and disclosed some of the most impactful data leaks in recent years.
Since the Research Lab was founded in early 2019, we’ve published over 50 reports on data leaks affecting individuals and companies all over the world. We estimate 100,000,000s of people have had their data leaked in the breaches we’ve published in the last year alone.
We use expert techniques and state-of-the-art tools, many of which we developed internally, to investigate every leak thoroughly, and work with all parties to ensure it’s closed ASAP.
Cybersecurity analysts risk their livelihoods every time they find a leak.
If they report it, companies often fight back, take legal action, and discredit someone’s good name and reputation.
When this happens, fewer leaks are reported and internet users are unknowingly exposed.
We have the experience to safely report data leaks and work directly with companies, hosting providers, and CERTs to ensure any vulnerabilities are dealt with and no retaliation takes place.
Experience – Our team is led by renowned researchers with many years of experience, who continue to find new data leaks on a daily basis.
Legal expertise – We ensure that everything we do is legal and we’re never at risk of breaking any laws. In any case of doubt, we work with our legal team to ensure every step we take is legal and safe.
Resources – We work with 2 of the leading figures in cybersecurity analysis, Noam & Ran, who have built a customized detection system for finding data leaks anywhere on the global internet.
Make the internet safer – Every leak that gets reported and closed protects innocent people, and companies, from hacking, fraud, and attack by criminal hackers.
Protect cybersecurity analysts – So they can keep providing an invaluable service to the world, while remaining anonymous and safe.
How Does The Leak Box Work?
The Leak Box is hosted on the Dark Web, guaranteeing complete privacy to all users.
Anyone who wants to safely report a data leak or vulnerability via the Leak Box can follow three simple steps:
Step 1: Connect to a VPN
Step 2: Open the Tor Browser and visit this URL:
Step 3: Follow the instructions on the screen to safely and anonymously report any leak.
Once we receive the files, we follow a strict process to confirm the details of any leak or vulnerability.
If we’re unable to verify the details of a submission from the information provided, or find the report lacking in any way, we may ask for additional information, or decide not to proceed with an investigation.
Even if we’re investigated or pressured into providing details of the people submitting leaks, we’ll be unable to do so. Because the Leak Box is hosted on the dark web, it’s impossible for us to trace any entry back to the person who submitted it.
Is your process secure?
Yes, we built the Leak Box on the Dark Web to function perfectly without requiring any personal information from the cybersecurity analysts submitting reports.
The process relies on the fact that we cannot disclose what we don’t know, even if forced to do so by legal means.
The entire system operates on the dark web using a special “onion” domain, which means that we have no technical way of knowing who is using our platform unless they choose to disclose that information. We don’t ask for an email address or any other identifying information; we only care about the data.
The concept is based on the famous “secure-drop” system developed by the late Aaron Swartz, but less complicated to use and to operate, due to the nature of the operation.
NOTE: If you are looking to leak top-secret government documents that may put your life at risk, we urge you to use one of the “secure-drop” systems on the dark web.
What about privacy?
We will never ask someone to provide any personal information or details that could be used to identify them.
The Leak Box is hosted on the dark web, so we’ll never be able to trace anyone’s identity from their uploads.
However, people need to take measures to ensure the data they upload does not contain metadata that could compromise them (like EXIF data on images, author properties on Word documents, etc.).
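A pre-upload check for the metadata mentioned above, as an added example that is not vpnMentor's code: it looks for an EXIF block in a JPEG and for author fields in an Office document's core properties. The function names and both sample files are constructed for illustration.

```python
import io
import struct
import zipfile
import xml.etree.ElementTree as ET

NS = {"dc": "http://purl.org/dc/elements/1.1/",
      "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"}

def jpeg_findings(data):
    """Walk JPEG marker segments and report an EXIF (APP1) block if present."""
    found, pos = [], 2                       # skip the SOI marker (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:                   # start of scan: pixel data follows
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        body = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            found.append(f"EXIF block ({len(body)} bytes)")
        pos += 2 + length                    # length field counts itself
    return found

def ooxml_findings(data):
    """Report non-empty author fields in docProps/core.xml of a .docx/.xlsx/.pptx."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" not in z.namelist():
            return []
        root = ET.fromstring(z.read("docProps/core.xml"))
    hits = ((f, root.findtext(f, "", NS)) for f in ("dc:creator", "cp:lastModifiedBy"))
    return [f"{f} = {v.strip()}" for f, v in hits if v.strip()]

def metadata_findings(data):
    if data[:2] == b"\xff\xd8":              # JPEG magic bytes
        return jpeg_findings(data)
    if data[:4] == b"PK\x03\x04":            # zip container (Office Open XML)
        return ooxml_findings(data)
    return []                                # format not covered by this check

# Constructed sample inputs (not real files), built in memory.
def sample_jpeg():
    exif = b"Exif\x00\x00II*\x00\x08\x00\x00\x00\x00\x00"   # header + empty IFD
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif + b"\xff\xda\x00\x02\xff\xd9"

def sample_docx():
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            "<dc:creator>Jane Example</dc:creator><cp:lastModifiedBy/></cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()
```

An empty result only means these two checks found nothing; other file formats, and other metadata inside these formats, are not inspected.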
Are you going to reach out to the companies disclosed in every submission?
We always disclose the leaks we investigate to any parties involved, to ensure that any vulnerability is closed and people’s data is protected from leaking to malicious or criminal hackers.
However, we can’t guarantee every leak and vulnerability will be safely secured. Based on our experience, companies can be slow to act on data leaks, and even hostile to people reporting them.
It often takes a lot of work, reaching out to hosting providers and the relevant CERTs and government data privacy agencies, before we see results.
This process can take a long time and, occasionally, the issue is never fixed. But we will always do our best to see that any leak or vulnerability is closed.
Do you publish reports about every leak?
From time to time, we might publish a report on the leaks uploaded to the tool.
We can’t promise a timeline, as the Lab is pro bono and we have our own “web mapping”, but we do our best to address Leak Box submissions as quickly as possible.
No details of the security researcher who provides the leak will be reported. They will remain anonymous and untraceable.
What kind of information can somebody report using your anonymous platform?
Any data leak, breach, or vulnerability that was discovered through legal methods, for the purpose of improving the security of the web, rather than for criminal activity or personal gain.
We DO NOT handle any of the following:
- Information obtained using unethical methods like unauthorized phishing, unauthorized physical access, and other aggressive methods
- Systems that have been exploited for the purpose of harming the users or the company that manages them
- Any leaks in which the researcher has already contacted the affected parties before reaching out to us
Why should ethical hackers trust you?
Since early 2019, through our Research Lab, we’ve worked with countless journalists, CERTs, and companies to secure over 50 databases and similar systems.
As a result, the private data of 100s of millions of people has been saved from leaking to malicious hackers and cybercriminals.
Every day, we discover more data leaks, many of which are reported in the biggest news and tech websites across the globe.
While the Leak Box has been designed to guarantee the utmost privacy, we are not legally liable for any outcomes, and cannot be held responsible for anyone’s safety.
We treat the information submitted discreetly and carefully, and if we feel we cannot guarantee someone’s privacy, they’ll be informed and given a choice on how to proceed.
We also ask people submitting to the Leak Box not to tell us who they are, nor provide any details that may lead to their exposure. It is also in our favor that we cannot be coerced to reveal what we don’t know.
However, we will try to verify any information submitted and its origin.