Over 23,000 hacked databases were released for download on several hacking forums and Telegram channels. The leak originated from Cit0day.in, a defunct data breach index site that had previously been advertised on hacking forums and other underground sites.
A fake FBI takedown notice later appeared on the site suggesting that the culprits were detained by authorities. It remains unclear if the site owners released the data or whether a rival gang was responsible. Threat analysts are calling the breach the biggest of its kind.
Origin and use of the hacked databases
Cit0Day was responsible for collecting hacked databases and publishing them on their illegal site.
The site owners allowed other cybercriminals to access the data through daily or monthly subscriptions. The cybercriminals would then use this information to compromise users’ accounts on various online platforms.
Data breach indexing is hardly a new concept; several similar sites existed before Cit0Day. Examples include LeakedSource and WeLeakInfo, which were seized by law enforcement in 2018 and 2020, respectively.
Cit0Day launched immediately after the authorities seized LeakedSource. The indexing site was then aggressively marketed on both public and underground hacking forums, such as BitcoinTalk.
Hackers falsified the takedown notice
On September 14, an FBI and DOJ seizure notice appeared on Cit0Day’s main domain. Rumors circulated that authorities had detained the site owner, identified by the pseudonym Xrenovi4. However, KELA Product Manager Raveed Laeb told ZDNet that the notice had been copied from the Deer.io takedown.
Additionally, the FBI did not issue any arrest warrants against the cybercriminals, as they always do when shutting down illegal sites.
Hacked databases released on both public and underground channels
The attackers published a total of 23,618 hacked databases for download on the MEGA file-hosting website.
The hacked databases contained about 13 billion user records occupying around 50GB of disk space. The MEGA download link was reported for abuse and removed within a few hours. However, many people had successfully downloaded the data and began sharing it within a short time.
The leaked databases then started circulating on Telegram and Discord channels owned by prominent data brokers. A third of the hacked databases later surfaced on a popular hacker forum.
Nature of data exposed by the Cit0Day breach
Some of the released data originated from sites hacked many years ago. A large portion of the data came from small, little-known sites with user bases ranging from a few thousand to tens of thousands. The hacked databases also contained records leaked from major sites.
The data included both hashed and clear-text passwords, with the latter listed as “dehashed.” Many small sites do not use strong password hashing algorithms, which leaves such hashes easy to crack. Other records lacked passwords and were categorized as “nohash.”
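As an added illustration (not from the article, and not code from any site in the dump), the following contrasts the kind of storage that makes a table trivially “dehashed” (unsalted, fast MD5) with salted scrypt from the Python standard library. All usernames, passwords and the wordlist are constructed; the audit function shows what a defender should assume is already recoverable from an unsalted table.

```python
import hashlib
import hmac
import os
from typing import Optional

def weak_hash(password: str) -> str:
    """Unsalted, fast MD5: the same password always yields the same digest,
    on every site that stores it this way."""
    return hashlib.md5(password.encode()).hexdigest()

def strong_hash(password: str, salt: Optional[bytes] = None) -> tuple:
    """scrypt with a random 16-byte per-user salt and a real work factor
    (stdlib hashlib.scrypt, OpenSSL-backed). Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def verify_strong(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(strong_hash(password, salt)[1], expected)

def find_trivially_recoverable(stored: dict, wordlist: list) -> dict:
    """Audit an unsalted table: one digest per wordlist entry covers EVERY user
    at once, so any match is effectively a clear-text ("dehashed") password.
    Returns {user: plaintext} for the accounts that need a forced reset."""
    lookup = {weak_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}

def salted_digests_are_unlinkable(password: str) -> bool:
    """Same password for two users: salted digests differ, so a leak of one
    table cannot be matched against another table or a precomputed list."""
    s1, d1 = strong_hash(password)
    s2, d2 = strong_hash(password)
    return s1 != s2 and d1 != d2

# Constructed table of a small site that stored unsalted MD5 (hypothetical data).
SMALL_SITE_TABLE = {
    "alice": weak_hash("Summer2019!"),
    "bob": weak_hash("letmein"),
    "carol": weak_hash("correct horse battery staple"),  # not in the wordlist
}
COMMON_WORDS = ["123456", "password", "letmein", "Summer2019!", "qwerty"]

if __name__ == "__main__":
    print(find_trivially_recoverable(SMALL_SITE_TABLE, COMMON_WORDS))  # alice, bob
    salt, digest = strong_hash("Summer2019!")
    print(verify_strong("Summer2019!", salt, digest), salted_digests_are_unlinkable("x"))
```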
Risk posed by Cit0Day data breach
Although the old data may not be useful in compromising users’ accounts, cybercriminals could use it to execute phishing campaigns, credential stuffing, and password spraying attacks against the affected users.
For users who recycle passwords across online sites, breaching a small website could compromise their accounts on other high-profile sites. Additionally, smaller websites do not disclose such breaches, thus extending the shelf life of the stolen credentials.
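As an added example (not from the article), a sliding-window check a defender could run over authentication logs to spot the shape of the credential-stuffing and password-spraying attacks described above: one source trying many distinct accounts with only one or two attempts each. The log format and the RFC 5737 test addresses are constructed; a single user failing repeatedly (typos or brute force) is deliberately not flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (made-up format): timestamp, source, user, result.
SAMPLE_LOG = """\
2020-11-05T10:00:01Z src=198.51.100.7 user=alice result=FAIL
2020-11-05T10:00:02Z src=198.51.100.7 user=bob result=FAIL
2020-11-05T10:00:02Z src=198.51.100.7 user=carol result=FAIL
2020-11-05T10:00:03Z src=198.51.100.7 user=dave result=OK
2020-11-05T10:00:03Z src=198.51.100.7 user=erin result=FAIL
2020-11-05T10:00:04Z src=198.51.100.7 user=frank result=FAIL
2020-11-05T10:01:10Z src=203.0.113.5 user=grace result=FAIL
2020-11-05T10:01:30Z src=203.0.113.5 user=grace result=FAIL
2020-11-05T10:01:45Z src=203.0.113.5 user=grace result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse_log(text: str) -> list:
    """Return (timestamp, src, user, success) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, max_tries_per_user=2) -> dict:
    """Per source, keep a sliding time window and flag it when it covers many
    DISTINCT usernames with few attempts each. Successful logins inside a
    flagged window are the reused credentials that need an immediate reset."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        win = deque()
        for ev in evs:
            win.append(ev)
            while ev[0] - win[0][0] > window:   # drop events older than the window
                win.popleft()
            users = {e[2] for e in win}
            if len(users) >= min_users and len(win) / len(users) <= max_tries_per_user:
                alerts[src] = {"distinct_users": len(users), "attempts": len(win),
                               "successes": sorted(e[2] for e in win if e[3])}
    return alerts

if __name__ == "__main__":
    print(detect_credential_stuffing(parse_log(SAMPLE_LOG)))  # only 198.51.100.7
```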
Mitigating the threat of online data breaches
Users should practice proper password hygiene to avoid becoming easy targets for cybercriminals many years after their data was leaked. They should also adopt additional security measures, such as multi-factor authentication and password managers, to protect their online accounts.
Boris Cipot, a Senior Security Engineer at Synopsys Software Integrity Group, says that the release of stolen data triggers a race to exploit the affected users. He encourages the victims to change their passwords and track services on which they reused the leaked password.
“In many cases, they will also need to call their banks and cancel their credit cards or similar services if such relevant data may have also been breached. In short, it is a complete nightmare.”
He advises users to use two-factor authentication (2FA) and use a trusted password management service. They should also avoid clicking suspicious links or downloading strange email attachments.
“Attackers will no doubt use the exposed data as part of phishing campaigns. Finally, stay vigilant of any suspicious activity on your credit cards as well as of any other attempts at identity theft,” Cipot added. “There is no saying who has access to your data, nor how they plan to use it; the best thing to do is take all the necessary precautions and stay vigilant.”
Ilia Kolochenko, the Founder & CEO of ImmuniWeb, describes the breach as a major incident that would lead to more “disastrous data breaches.”
“This leak will inevitably have a major and negative effect on all large organizations around the globe, as it likely contains some valid credentials from some of their production systems.”
He advises security leaders to have a “holistic visibility over their data storage and processing.” They should also have a “properly implemented third party risk management program and a continuous enforcement of security controls by all third parties with privileged access to their systems or data.”