Mozilla Ends Partnership with Onerep Over Data Broker Connections
Mozilla has announced the termination of its partnership with Onerep, a service recently bundled with Firefox that offers to remove users’ personal data from various websites. The decision comes after revelations that Onerep’s founder, Dmitry Shelest, has ties to numerous networks specializing in the search and sale of personal data, as well as to the data broker Nuwber.
Background and Investigation
Mozilla’s decision is based on an investigation by renowned cybersecurity journalist Brian Krebs. Earlier this month, Krebs published a detailed analysis on his blog, KrebsOnSecurity, revealing that since 2010, Shelest has created and launched dozens of services focused on searching for and selling user data, including the still-operating data broker Nuwber, which sells reports containing biographical information about individuals.
Mozilla began integrating Onerep into Firefox last month, announcing that the reputation service would be offered as part of the Mozilla Monitor Plus subscription. Originally launched in 2018 as Firefox Monitor (now Monitor Plus), the service was designed to protect users from data breaches and was developed in collaboration with the breach aggregator Have I Been Pwned (HIBP), created by cybersecurity expert Troy Hunt. Initially, Firefox Monitor allowed users to check if their email addresses and associated accounts had been compromised.
Onerep Integration and Controversy
After Onerep was integrated, users were also given the ability to find out on which data broker sites their personal information (including name, current and previous home addresses, and phone numbers) was present. The service also offered to search for more detailed leaks, such as family member names, criminal records, hobbies, and more. If data was found, users could send an automated removal request.
Now, Mozilla representatives have stated that the organization is discontinuing its relationship with Onerep as a service provider for Monitor Plus. “While customer data was never at risk, the external financial interests and activities of Onerep’s CEO do not align with our values,” Mozilla said in a statement. “We are currently working on a transition plan to ensure uninterrupted product use for our customers and to continue prioritizing their interests.”
Founder’s Response and Further Details
Following Krebs’ investigation, Onerep’s founder published a statement admitting that he does indeed own a stake in Nuwber, a data broker he founded in 2015 (around the same time Onerep was launched). Shelest wrote, “I understand. My connection to the people search [and data collection] business may look strange. In reality, if I hadn’t gone down this path and deeply studied how people search sites work, Onerep wouldn’t have the best technology and team in this field. Still, I now realize we haven’t always made this clear in the past, and I intend to correct that going forward.”
Krebs’ investigation also claimed that around 2010, Shelest’s email address was used by a partner of Spamit, a Russian-speaking group that paid people to aggressively promote websites advertising unlicensed pharmaceuticals. This connection was reportedly confirmed by research from several graduate students at George Mason University. Shelest denies any connection to Spamit.
“From 2010 to 2014, we created and optimized several web pages (a common SEO practice) and then placed AdSense banners on them,” Shelest explained, apparently referring to dozens of people search domains linked to his email addresses. “As we grew and learned more, we saw that many of the requests we received were related to people.”
Shelest also admitted that Onerep pays for advertising on “a few data broker sites in very specific cases.” He claims the ads are only shown if a person “manually fills out an opt-out form,” and the goal is to inform people that “there is a more automated opt-out option, such as Onerep.”
Industry Reactions and Ethical Concerns
Troy Hunt, the founder of Have I Been Pwned, told Krebs that he was aware of discussions between Mozilla and Onerep but was not aware of the many conflicts of interest that have now come to light. “I knew Mozilla was considering the idea, and we briefly discussed it when talking about Firefox Monitor. At the time, I explained the same thing I tell many companies wanting to advertise data removal services on HIBP: removing your data from legally operating services will have minimal effect. And you can’t remove it from outright illegal sites, which cause real harm,” Hunt explained.
Krebs concluded that while such “playing both sides” may be unethical or wrong, it is entirely legal. Data brokers, people search and collection services, and “reputation management” services like Nuwber and Onerep exist largely because in most U.S. states, so-called “public” and “government” records are simply excluded from consumer data protection laws.