After the CEO admitted to operating the doxing network, Mozilla deprecated Onerep

author:cnBeta

Mozilla, the nonprofit that develops the Firefox browser, said today that it will end its new partnership with Onerep. Onerep is an identity protection service that was recently bundled with the Firefox browser to remove users from hundreds of doxing sites. The move comes days after a report by KrebsOnSecurity forced Onerep's CEO to admit that he had created dozens of doxing networks over the years.

Mozilla Monitor

Mozilla only started bundling Onerep in the Firefox browser last month, when it announced that it would offer a reputation service on a subscription basis as part of Mozilla Monitor Plus. Mozilla Monitor, launched in 2018 under the name Firefox Monitor, also checks data from the website Have I Been Pwned? to notify users if their email address or password is compromised in a data breach.

On March 14, KrebsOnSecurity published a report revealing that Dimitri Shelest, the Belarusian CEO and founder of Onerep, has launched dozens of people search services since 2010, including a still-operating data brokerage called Nuwber, which sells people background reports. Onerep and Shelest did not respond to requests for comment on the story.

But on March 21, Mr. Shelest issued a lengthy statement acknowledging that he still held a stake in Nuwber, a consumer data brokerage he founded in 2015, about the same time he started Onerep.

Mr. Shelest insisted that Nuwber had "no crossover or information sharing with Onerep" and said that any other old domains that could have been discovered and associated with his name were no longer operated by him.

"I see," Shelest wrote. "From the looks of it, my relationship with doxing companies may be odd. In fact, if I hadn't researched how the search site works, Onerep wouldn't have the best technology and team in the field. Still, I'm grateful that we haven't made this clearer in the past, and my goal is to do better in the future." The full text of the statement is available as a PDF.

Dimitri Shelest, CEO & Founder, Onerep

In a statement released today, a Mozilla spokesperson said that Mozilla will no longer use Onerep as a service provider for its Monitor Plus product.

"While customer data has never been at risk, the outside financial interests and activities of the Onerep CEO are not aligned with our values," Mozilla wrote. "We are now working to solidify the transition plan, provide a seamless experience for our customers, and continue to put the interests of our customers first."

KrebsOnSecurity also reported that Shelest's email address had been used around 2010 by an affiliate of Spamit, a Russian-language organization that paid people to promote websites that peddled male enhancement drugs and generic drugs.

Shelest has denied any association with Spamit. "Between 2010 and 2014, we published a few web pages and optimized them — a widely used SEO practice — and then ran AdSense banners on them," Shelest said, referring presumably to the dozens of people search domains KrebsOnSecurity found connected to his email addresses ([email protected] and [email protected]). "As we progressed and learned, we found that a lot of the counseling was specific to the individual."

Shelest also admitted that Onerep paid to advertise on "a small number of data intermediary websites" "in very exceptional circumstances."

Shelest wrote, "Once someone manually fills out the opt-out form themselves, our ad is delivered. Our goal is to let them know that if they get exposed on that site, there may be other sites, and to make them aware that there is a more automated opt-out option, such as Onerep."

Troy Hunt, founder of HaveIBeenPwned, said he knew Mozilla was considering partnering with Onerep, but he wasn't previously aware that the Onerep CEO had many conflicts of interest.

Hunt told KrebsOnSecurity: "I know Mozilla is doing this, and we've talked about it when we're talking about Firefox Monitor. The point I made to them is the same as I make to companies that want to run data broker removal ads on HIBP: the impact of removing your data from a legally operated service is minimal, and you can't remove data from an outright illegal service that is causing real damage."

In the United States, this is not illegal. Collecting and selling Americans' data is also not illegal. The problem, privacy experts say, is that data brokers, people search services like Nuwber and Onerep, and online reputation management companies exist because almost all states in the U.S. exclude so-called "public" or "government" records from consumer privacy laws. These records include voting registrations, property declarations, marriage licenses, motor vehicle records, criminal records, court documents, death records, occupational licenses, and bankruptcy filings. Data brokers can also enrich consumer records with more information by adding social media data and known associates.

The March 14 story on Onerep is the second in a series of three investigative reports published here this month that investigated the data brokering and people search industries and highlighted the need for more congressional oversight, if not regulation, of consumer data protection and privacy.

On March 8, KrebsOnSecurity published an article titled "A Closer Look at Consumer Data Broker Radaris," which revealed that the co-founders of Radaris run several Russian-language dating services and affiliate programs. Many of their businesses also appear to have ties to a marketing firm in California that has a partnership with Russia's state-run media conglomerate, which is currently under U.S. government sanctions.

On March 20, KrebsOnSecurity published an article titled "Non-Real Doxing Networks from China," exposing an elaborate network of fake doxing companies and executives whose purpose was to obscure the location of doxing's branches in China, which were making money for U.S.-based data brokerages that sold Americans' personal information.
