May 25, 2015 · 2 minutes

How's this for karma: A researcher claims to have identified email addresses, phone numbers, and Facebook accounts belonging to users of the Hacker's List marketplace. In other words, the people looking to hire hackers have themselves been "hacked."

Hacker's List is meant to "connect people who need professional hackers to professional hackers for hire around the world" through what it calls a "safe, fast, and secure" website. Some #brand experts might call it "Uber for hackers."

Jonathan Mayer, the researcher who studied the website, used a simple Web crawler and took advantage of a public API to learn about the people visiting the website. Here's how he summarizes many of the marketplace's listings:

The requests on Hacker’s List are overwhelmingly cheap and unsophisticated. The median project is priced from $200 to $300, and many descriptions reflect technical misunderstanding. Hacker’s List certainly isn’t representative of the market for high-end, bespoke attacks. But the site does seem a fair cross-section of the hacks that ordinary Internet users might seek out.
Many requests had something to do with Facebook or Google, and were motivated by "a business dispute," "jilted romance," or a desire to bury information in what Mayer describes as "an ersatz Right to be Forgotten."

Fusion reached out to people implicated in Mayer's research to see how they felt about the cosmic justice of having their personal information revealed because they posted on the all-too-appropriately-named Hacker's List. One response:

One user, who signed up as 'NeedHelp' but was exposed as Steven in an email, wanted a hacker to 'guarantee he’d be accepted to the university' of his choice. He said he received responses but 'nothing serious.' When I asked if he was surprised at being outed for using the site, he said, 'I feel as exposed to doing this as you would to changing your clothes in a public dressing room… you know the risks.'
This isn't the first time something like this has happened, and it won't be the last. Earlier this year, a list of people who paid the Lizard Squad hacking group to perform distributed-denial of service attacks was made available when the group's website was hacked. As I wrote when that incident was made public:
Details about the people who used Lizard Squad’s tool to attack various websites were said to have been held in a plain-text database — an odd choice, considering the ease with which anyone could view information about the tool’s usage. I’d think a hacking group offering an illegal tool that can only be paid for with Bitcoin would’ve been more careful.
The same could be said of Hacker's List. I mean, it has "hacker" right in the name, and it didn't stop to think that perhaps it would be best if customer information wasn't available to anyone who can use a simple Web crawler?

[illustration by Brad Jonas]