FBI Just Seized the Marketplace Where Your Business Passwords Were Being Sold — Here's What to Do Right Now
This week, the FBI and Europol took down LeakBase — one of the largest online marketplaces for stolen business credentials in the world. 142,000 criminal members. Hundreds of millions of account credentials. Businesses, banks, and individuals across 14 countries affected [1][2].
If your business has ever had an employee use a password that got stolen — even years ago — there's a meaningful chance it passed through LeakBase. Here's what actually happened, what it means for your business, and the three things worth doing today.
TL;DR
Get Our Weekly Cybersecurity Digest
Every Thursday: the threats that matter, what they mean for your business, and exactly what to do. Trusted by SMB owners across Australia.
No spam. No tracking. Unsubscribe anytime. Privacy
- The FBI, Europol, and 14 partner countries dismantled LeakBase on March 3–4, 2026 in "Operation Leak" [1]
- LeakBase had 142,000 criminal members trading hundreds of millions of stolen credentials, credit card numbers, and banking details [2]
- Your business is statistically likely to have had credentials circulate through forums like this — most SMBs don't know until there's a breach
- This is the moment to run a credential audit and tighten your identity security — not because disaster is imminent, but because the cost of doing it now is far lower than the cost of a breach later
What Was LeakBase, and Why Does It Matter to Your Business?
LeakBase was not a dark-web curiosity. It was a clearnet forum — accessible in plain English, no special tools required — where cybercriminals bought and sold data stolen from real businesses and real people [1][2].
According to the U.S. Department of Justice (DoJ), the forum had been active since June
Free Resource
Get the Free Cybersecurity Checklist
A practical, no-jargon security checklist for Australian businesses. Download free — no spam, unsubscribe anytime.
Send Me the Checklist →For context: the average small business has employees with accounts at dozens of third-party services — accounting platforms, HR tools, cloud storage, email marketing software. If any of those services suffered a breach in the past five years, those credentials likely ended up somewhere like LeakBase [3].
Law enforcement seized everything: user accounts, posts, credit details, private messages, and IP logs. The criminal network is disrupted — but the credentials that were traded are still out in the world [2].
How Stolen Credentials Actually Reach Your Business
The threat chain is simpler than most people realise. A third-party service your employee uses gets breached. Their login details (often an email and a reused password) get packaged into a "stealer log" — a structured archive of stolen credentials — and sold on forums like LeakBase [4].
Attackers then run these credentials against your business tools using a technique called credential stuffing: automated software tries thousands of stolen username/password combinations until one works [5]. According to Verizon's 2025 Data Breach Investigations Report, stolen or compromised credentials were involved in over 44% of breaches globally [6].
The average time between a credential being stolen and it being used in an attack? According to SpyCloud's 2026 research, attackers begin exploiting fresh stealer logs within 14 days of acquisition [4].
This is not a theoretical risk. It's a consistent, well-documented attack pattern that targets businesses of every size — and SMBs are disproportionately exposed because they're less likely to have continuous credential monitoring in place [3][6].
What Does a Credential Compromise Actually Cost?
According to IBM's 2025 Cost of a Data Breach Report, the global average cost of a data breach is $4.88 million USD [7]. For small and medium businesses, the proportional impact is significantly higher — a breach that costs a large enterprise 0.1% of revenue can cost an SMB 20% or more.
Account takeover (ATO) — the direct consequence of stolen credentials — is not just about lost data. It means attackers gain legitimate access to your systems, can read emails, access customer records, initiate financial transfers, and impersonate your business to your customers and suppliers [5].
The Mimecast 2026 State of Human Risk Report, released this week, found that organisations experience an average of six insider-driven or credential-related incidents per month at an estimated cost of $13.1 million per incident [8]. The scale varies, but the pattern is consistent: credential exposure is expensive.
ISO 27001 SMB Starter Pack — $97
Everything you need to start your ISO 27001 journey: gap assessment templates, policy frameworks, and implementation roadmap built for Australian SMBs.
Get the Starter Pack →What Your Business Should Do Now
The takedown of LeakBase doesn't mean the threat is gone — it means one marketplace is disrupted. The credentials that were traded there are still circulating. This is a practical moment to do some housekeeping.
1. Run a credential exposure check. Services like Have I Been Pwned (haveibeenpwned.com) allow you to check whether email addresses associated with your business have appeared in known data breaches [9]. It's free, takes minutes, and gives you a clear picture of your exposure. For deeper coverage, enterprise tools like SpyCloud or Enzoic offer continuous monitoring.
2. Enforce unique passwords + a password manager. If a compromised password is unique to the service it was stolen from, credential stuffing fails immediately. A business-grade password manager (1Password, Bitwarden, or similar) makes this practical — employees don't need to remember unique passwords, just one strong master password [10].
3. Enable phishing-resistant MFA on everything that matters. Email, cloud storage, accounting tools, banking. Passkeys and hardware security keys (like YubiKey) provide the strongest protection — they're bound to the specific website, so phishing can't intercept them [5]. If passkeys aren't available, authenticator apps (Google Authenticator, Authy) are a solid second choice.
These three steps won't cost you significant time or money, and they directly address the credential stuffing attack chain that forums like LeakBase enabled [1][3].
The Bigger Picture: Why Law Enforcement Wins Like This Matter
The dismantlement of LeakBase is part of a broader law enforcement pattern: coordinated international operations targeting cybercrime infrastructure [1][2]. Previous operations have taken down Genesis Market, BreachForums, and RaidForums. Each time, criminal networks adapt and rebuild — but these operations also produce intelligence that law enforcement uses in subsequent investigations.
The seizure of LeakBase's complete dataset — all accounts, messages, and IP logs — means investigators now have a detailed picture of who was buying and selling what credentials [2]. That's useful for ongoing prosecutions and for identifying businesses and individuals whose data was traded.
According to CISA's 2025 guidance on credential threats, businesses that implement proactive credential monitoring and phishing-resistant MFA reduce their account-takeover risk by up to 99% [5]. The tools exist. The question is whether they're in place before they're needed.
FAQ
There's no public way to know with certainty, but you can check using Have I Been Pwned (haveibeenpwned.com), which indexes credentials from thousands of known breaches [9]. If any of your business email addresses appear, change those passwords immediately and enable MFA on every account that uses that email address.
The infrastructure and data have been seized by law enforcement, and multiple arrests have been made across 14 countries [2]. However, cybercriminal communities typically adapt after takedowns, and similar forums exist. The right response is to treat your credential security as an ongoing practice, not a one-time fix.
A stealer log is a structured archive of credentials harvested by infostealer malware — software that silently captures saved passwords, browser sessions, and login details from infected devices [4]. These logs are packaged and sold on forums like LeakBase. Your employees don't need to visit suspicious websites — infostealers are often delivered via phishing emails or malicious software downloads.
Yes, effectively. If an attacker obtains a username and password but can't pass the MFA challenge, they can't access the account. Phishing-resistant MFA (passkeys, hardware keys) is the strongest form because it can't be intercepted by fake websites [5]. Even basic authenticator-app MFA stops the vast majority of automated credential-stuffing attacks.
A credential exposure check takes under 30 minutes. Rolling out a password manager across a team typically takes a few hours. Enabling MFA on critical tools can be done systematically over a week. If you want help building a structured implementation plan, lilMONSTER works directly with SMBs on exactly this. Start here.
References
[1] The Hacker News, "FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials," The Hacker News, March 5, 2026. [Online]. Available: https://thehackernews.com/2026/03/fbi-and-europol-seize-leakbase-forum.html
[2] U.S. Department of Justice, "United States Leads Dismantlement of One of the World's Largest Hacker Forums," DOJ Office of Public Affairs, March 4, 2026. [Online]. Available: https://www.justice.gov/opa/pr/united-states-leads-dismantlement-one-worlds-largest-hacker-forums
[3] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
[4] SpyCloud, "January 2026 Cybercrime Update," SpyCloud Blog, January 2026. [Online]. Available: https://spycloud.com/blog/january-2026-cybercrime-update/
[5] CISA, "Phishing-Resistant MFA Fact Sheet," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/sites/default/files/2023-01/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
[6] Verizon, "2025 Data Breach Investigations Report — Credential Theft Statistics," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
[7] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/[data-breach](https://lil.business/blog/trizetto-vendor-breach-dwell-time-smb-security-checklist-2026/)
[8] Mimecast, "State of Human Risk Report 2026," Mimecast, March 4, 2026. [Online]. Available: https://www.globenewswire.com/news-release/2026/03/04/3249036/0/en/Mimecast-Study-42-of-Organizations-Report-Rise-in-Malicious-Insider-Threats-Over-Past-Year.html
[9] Troy Hunt, "Have I Been Pwned — About," haveibeenpwned.com, 2025. [Online]. Available: https://haveibeenpwned.com/About
[10] NIST, "Special Publication 800-63B: Digital Identity Guidelines," National Institute of Standards and Technology, 2024. [Online]. Available: https://pages.nist.gov/800-63-3/sp800-63b.html
Your business credentials are worth protecting — not because hackers are lurking around every corner, but because a password manager and MFA take an afternoon to set up and can prevent months of painful recovery. If you want a second pair of expert eyes on your current setup, book a consultation with lilMONSTER — we help SMBs build practical security that actually holds up.
Work With Us
Ready to strengthen your security posture?
lilMONSTER assesses your risks, builds the tools, and stays with you after the engagement ends. No clipboard-and-leave consulting.
Book a Free Consultation →The FBI Just Closed a Giant Swap Meet for Stolen Passwords — And Your Business Passwords Might Have Been There
ELI10 Edition — explained like you're 10, no jargon required.
TL;DR
- The FBI and international partners just shut down a huge online marketplace called LeakBase where criminals bought and sold stolen passwords [1][2]
- 142,000 criminals were members. Hundreds of millions of stolen passwords were traded there [2]
- Your business passwords may have passed through places like this — most business owners never find out until something goes wrong
- Three simple fixes can dramatically reduce your risk: check your exposure, use a password manager, turn on MFA
Imagine a Giant Flea Market for Stolen Keys
Picture a massive flea market. Instead of vintage lamps and old records, everything for sale is stolen house keys. Keys to offices, filing cabinets, safe deposit boxes — thousands of them, sorted neatly by type.
That's basically what LeakBase was. Except instead of physical keys, the criminals sold stolen passwords and login details for businesses, bank accounts, and personal accounts — hundreds of millions of them [1][2].
This week, the FBI teamed up with police forces from 14 countries and shut the whole thing down. They seized everything: the website, the inventory, the records of who bought what, and the chat logs between criminals. The flea market is closed [2].
How Did Those Passwords Get There in the First Place?
Here's the part most people don't expect: your business doesn't have to get hacked directly for your passwords to end up somewhere like LeakBase.
All it takes is for one of the apps or websites your employees use to get hacked. Maybe it's a project management tool. Maybe it's an online accounting service. When that service gets breached, the criminals package up all the stolen usernames and passwords into a tidy bundle — called a "stealer log" — and sell it [3][4].
If an employee used the same password for that service as they do for your business email or your banking portal? Criminals now have the keys to those too.
Think of it like this: if a locksmith who made copies of your keys gets robbed, the thief now has copies of your keys — even though your office was never broken into.
What Does This Mean for Your Business?
The flea market is closed, but the stolen keys are still out there. Law enforcement has the records, which is good for future investigations. But it doesn't mean every stolen password evaporates overnight.
The way criminals use stolen passwords is methodical. They run automated software that tries thousands of stolen username/password combinations across popular business tools — email, cloud storage, accounting software — until something works. Security researchers call this "credential stuffing" [5].
According to Verizon's research, stolen passwords are involved in nearly half of all business data breaches [6]. It's one of the most common ways businesses get compromised, and it's also one of the easiest to prevent.
Three Things You Can Do Today (None of Them Are Complicated)
1. Check if your business email addresses have been in a breach. Go to haveibeenpwned.com — it's free. Type in your email address. It'll tell you if it appeared in any known data breaches. If it did, change that password everywhere it's used and switch on two-factor authentication [7].
2. Get a password manager. A password manager (like 1Password or Bitwarden) creates and remembers long, unique passwords for every account. Your employees only need to remember one strong master password. If a service gets breached, the damage stops there — the stolen password doesn't work anywhere else [8].
3. Turn on two-factor authentication (2FA/MFA) for your important accounts. This adds a second lock to your door. Even if criminals get your password, they still can't get in without your phone or your security key. Start with email, banking, and cloud storage — those are the most valuable targets [5].
These three steps cost almost nothing and take a few hours to set up. They address the exact attack method that LeakBase enabled.
Why This Is Actually Good News
It might feel like bad news — another story about stolen passwords and criminals. But the dismantlement of LeakBase is a genuine win for law enforcement and for businesses.
Operations like this don't just take down one marketplace. They give investigators access to full records of criminal activity — who was buying, who was selling, what was traded [2]. That intelligence feeds future prosecutions and disruptions.
The security community has better tools and monitoring than ever. The steps to protect your business credentials are well-understood, accessible, and cheap. The businesses that get hurt by credential theft are almost always the ones that didn't take the basic precautions.
You're reading this now. That puts you ahead.
Your Action List
- Go to haveibeenpwned.com and check your business email addresses (10 minutes)
- Set up a business password manager — 1Password Teams or Bitwarden Business are both solid options (2–4 hours)
- Enable MFA on email, banking, and cloud storage accounts (1–2 hours)
- Ask your team to do the same for personal accounts they use at work (send them this post)
If you want help building this out properly across your whole team, that's exactly what lilMONSTER does. Book a free consultation here.
FAQ
No. Have I Been Pwned is a simple website — you type in an email, it gives you a result. Password managers are designed for regular people to use. Most MFA setup is a 5-minute process that apps walk you through.
Don't panic. Change the password for that account immediately, enable MFA if you haven't, and check whether you used that same password anywhere else. Change those too.
No — actually the opposite. Large enterprises have dedicated security teams watching for credential exposure. Most small businesses don't, which makes them attractive targets for automated attacks [6].
It generates and stores a unique, random password for every website and app. If one service gets breached, the stolen password is useless everywhere else because you never reused it. It also flags if a site you use has been breached [8].
The infrastructure is seized and the data is in law enforcement hands. But similar forums exist, and new ones emerge over time. That's why credential hygiene is an ongoing habit, not a one-time fix [2].
References
[1] The Hacker News, "FBI and Europol Seize LeakBase Forum Used to Trade Stolen Credentials," The Hacker News, March 5, 2026. [Online]. Available: https://thehackernews.com/2026/03/fbi-and-europol-seize-leakbase-forum.html
[2] U.S. Department of Justice, "United States Leads Dismantlement of One of the World's Largest Hacker Forums," DOJ Office of Public Affairs, March 4, 2026. [Online]. Available: https://www.justice.gov/opa/pr/united-states-leads-dismantlement-one-worlds-largest-hacker-forums
[3] SpyCloud, "January 2026 Cybercrime Update," SpyCloud Blog, January 2026. [Online]. Available: https://spycloud.com/blog/january-2026-cybercrime-update/
[4] Flare.io, "Dark Web Forums Report," Flare Security, 2023. [Online]. Available: https://flare.io/learn/resources/blog/dark-web-forums
[5] CISA, "Phishing-Resistant MFA Fact Sheet," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/sites/default/files/2023-01/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
[6] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
[7] Troy Hunt, "Have I Been Pwned — About," haveibeenpwned.com, 2025. [Online]. Available: https://haveibeenpwned.com/About
[8] NIST, "Special Publication 800-63B: Digital Identity Guidelines," National Institute of Standards and Technology, 2024. [Online]. Available: https://pages.nist.gov/800-63-3/sp800-63b.html
Security doesn't have to be complicated or scary. It just has to be done. If you're not sure where to start or you'd like an expert to look at your current setup, lilMONSTER offers practical, no-jargon cybersecurity consultations for small businesses.
