by varenc 2296 days ago
> knowingly purchasing another party’s stolen data without that party’s authorization can pose some legal risk. It is much more likely to raise questions about the purchaser’s motives and result in scrutiny from law enforcement and the legitimate data owner, particularly if a trade secret is involved.

So if you're buying password dumps only to protect your own users from account takeover then you're unlikely to face legal consequences? However, that's not ironclad and not explicitly protected by the law. No promises.

I know some large sites will use illicit password dumps to revoke re-used passwords for their own users. Though they'll be very obtuse and just tell users something like "your password has expired". Given the fuzzy legality of this practice, I can understand why.

2 comments
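The practice described in the post above, matching a leaked credential dump against a site's own users and forcing a reset on any account whose password is confirmed reused, can be done without ever storing leaked plaintext next to the account. The following is an added example written for this page; it is not code from the commenter or from any site mentioned. It assumes the site already stores passwords as salted PBKDF2-HMAC-SHA256 hashes, and the user list and the "dump" are small constructed samples embedded inline. Only emails present in both the dump and the user store are checked, so one PBKDF2 evaluation per overlapping email is the whole cost, and the only thing retained afterwards is a per-account "expired" flag.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor for the site's stored hashes (assumed, not from the page).
ITERATIONS = 100_000

# Constructed sample data: the site's users and a leaked (email, password) dump.
SAMPLE_USERS = [
    ("alice@example.com", "correct horse"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "s3cret"),
]
SAMPLE_DUMP = [
    ("Alice@Example.com", "correct horse"),   # same password reused here -> hit
    ("bob@example.com", "different-pass"),     # same email, different password
    ("dave@example.com", "hunter2"),           # not a user of this site
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the form the site stores (assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_store(users):
    """Build the credential store: email -> {salt, hash, expired}."""
    store = {}
    for email, plaintext in users:
        salt = os.urandom(16)
        store[email.lower()] = {
            "salt": salt,
            "hash": hash_password(plaintext, salt),
            "expired": False,
        }
    return store


def find_reused_credentials(store, dump):
    """Return the set of accounts whose stored hash matches a leaked pair.

    Emails absent from the store are skipped, so nothing from the dump is
    hashed unless it names one of our own users, and the leaked plaintext is
    never written anywhere.
    """
    hits = set()
    for email, leaked_password in dump:
        entry = store.get(email.lower())
        if entry is None:
            continue
        candidate = hash_password(leaked_password, entry["salt"])
        if hmac.compare_digest(candidate, entry["hash"]):
            hits.add(email.lower())
    return hits


def force_reset(store, emails):
    """Flag the given accounts so their next login demands a new password."""
    count = 0
    for email in emails:
        if email in store and not store[email]["expired"]:
            store[email]["expired"] = True
            count += 1
    return count


def verify_login(store, email, password):
    """Login outcome: 'denied', 'expired' (the vague message users see), or 'ok'."""
    entry = store.get(email.lower())
    if entry is None:
        return "denied"
    if not hmac.compare_digest(hash_password(password, entry["salt"]), entry["hash"]):
        return "denied"
    # Correct password, but it was seen in a dump: require a reset rather than
    # explaining why, matching the "your password has expired" behaviour.
    if entry["expired"]:
        return "expired"
    return "ok"


if __name__ == "__main__":
    store = make_user_store(SAMPLE_USERS)
    reused = find_reused_credentials(store, SAMPLE_DUMP)
    print("accounts with a confirmed reused password:", sorted(reused))
    print("expired:", force_reset(store, reused))
    print("alice login:", verify_login(store, "alice@example.com", "correct horse"))
    print("bob login:", verify_login(store, "bob@example.com", "hunter2"))
```

Bob is not flagged even though his email appears in the dump, because the leaked password does not verify against his stored hash; only a confirmed match triggers the reset. The same check can be run per login against a newly submitted password to cover the long tail without storing the dump at all.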

Also, there's a potential gap between "protecting your users" and "selling protection for users to other companies" that you'd really like to see clarified, if you're a vendor who buys password dumps to provide a commercial ATO service.
Most lawyers would still say not to do this to a small client with limited resources to defend themselves. A more well funded client would be walked through a process that combines obfuscation with plausible deniability. Being scrutinized is just as bad as being put on trial when the alternative is a zero risk position. So when you collect the data you need a strategy that minimizes being noticed (or being noticed by a party that is allowed to act), executes in a way that produces minimal evidence (or the kinds of evidence a lawyer can't have dismissed), and which might violate the spirit of the law but not its letter (unless you're European because they find writing real laws cumbersome).