[BreachExchange] 23,600 hacked databases have leaked from a defunct 'data breach index' site

Destry Winant destry at riskbasedsecurity.com
Thu Nov 5 10:45:43 EST 2020


https://www.zdnet.com/article/23600-hacked-databases-have-leaked-from-a-defunct-data-breach-index-site/

More than 23,000 hacked databases have been made available for
download on several hacking forums and Telegram channels in what
threat intel analysts are calling the biggest leak of its kind.

The database collection is said to have originated from Cit0Day.in, a
private service advertised on hacking forums to other cybercriminals.

Cit0day operated by collecting hacked databases and then providing
access to usernames, emails, addresses, and even cleartext passwords
to other hackers for a daily or monthly fee.

Cybercriminals would then use the site to identify possible passwords
for targeted users and then attempt to breach their accounts at other,
more high-profile sites.

The idea behind the site isn't unique, and Cit0Day could be considered
a reincarnation of similar "data breach index" services such as
LeakedSource and WeLeakInfo, both taken down by authorities in 2018
and 2020, respectively.

In fact, Cit0Day launched in January 2018, as LeakedSource was taken
down, and was heavily advertised on both underground hacking forums
but also on major forums on the public internet, like BitcoinTalk,
according to data provided by threat intelligence service KELA, which
first alerted ZDNet about the site earlier this year.

However, the Cit0day website went down on September 14, when the
site's main domain sported an FBI and DOJ seizure notice.

Image: ZDNet

Rumors started circulating on hacking forums that the site's creator,
an individual known as Xrenovi4, might have been arrested, similar to
what happened to the authors of LeakedSource and WeLeakInfo.

But all signs pointed to the fact that the FBI takedown notice was fake.

KELA Product Manager Raveed Laeb told ZDNet that the seizure banner
was actually copied from the Deer.io takedown, a Shopify-like platform
for hackers, and then edited to fit the Cit0day portal.

An FBI spokesperson declined to comment and refused to confirm any
investigation, citing the internal policies common to all law
enforcement agencies.

In addition, no arrest was ever announced in connection to Cit0day,
which is contrary to how the FBI and DOJ operate — with both agencies
usually taking down criminal sites only when they can also charge
their creators.

Cit0day hacked database now shared online

But if users hoped that Cit0day and Xrenovi4 would shut down and then
walk into the sunset, this is not what happened.

While it's unclear if Xrenovi4 leaked the data themselves or if the
data was hacked by a rival gang, Cit0day's entire collection of hacked
databases was provided as a free download on a well-known forum for
Russian-speaking hackers last month.

Image: ZDNet

In total, 23,618 hacked databases were provided for download via the
MEGA file-hosting portal. The link was live only for a few hours
before being taken down following an abuse report.

ZDNet was not able to download the entire dataset, estimated at around
50GB and 13 billion user records, but forum users who did confirmed
the data's authenticity. Additional confirmation was provided to ZDNet
earlier today by Italian security firm D3Lab.

Even though the data was available for only a few hours, that short
window was enough for it to enter the public domain.

Since October, the Cit0day data has been shared privately and via
Telegram and Discord channels operated by known underground data
brokers.

In addition, a third of the Cit0day database also made a comeback on
Sunday when it was shared online again, this time on an even more
popular hacker forum.

Image: ZDNet

CIT0DAY DATA INCLUDED BOTH OLD AND NEW DATA DUMPS

Most of the hacked databases included in the Cit0day dump are old and
come from sites that were hacked years ago.

Furthermore, many of the hacked databases are from small, no-name
sites with small userbases in the range of thousands or tens of
thousands of users.

Not all of the 23,000 leaked databases are from small sites, however:
well-known dumps from big-name portals are also included, having been
collected together with the small ones.

Many of these small sites also didn't use top-notch security measures,
and around a third of the leaked Cit0day databases were listed as
"dehashed" — Cit0day's term for databases where the stored password
hashes had been cracked and the passwords were provided in cleartext.

Many other databases didn't contain a password field at all and
carried the designation "nohash."

Image: ZDNet

This data is now being used by other cybercrime gangs to run spam
campaigns, credential stuffing and password spraying attacks against
users who have reused passwords across online accounts. Credential
stuffing replays leaked username:password pairs against other sites;
password spraying instead tries a few common passwords against many
accounts, staying below lockout thresholds.
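The two attack patterns leave different traces in authentication logs. The detector below is an added illustration for this article, not code from ZDNet, KELA or Cit0day; the log line format, field names, thresholds and every sample event are constructed assumptions. It buckets failed logins per source and time window, and uses the share of "no such user" failures to separate stuffing (usernames imported from some other site's dump, many of which never existed here) from spraying (known-good usernames, one guess each).

```python
"""Flag credential-stuffing and password-spraying sources in auth logs.

Added illustration for this article, not code from ZDNet, KELA or Cit0day.
The log line format, the field names and every sample event below are
constructed; adapt parse_line() to the format your own IdP emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed line format (assumed), e.g.
#   2020-11-05T10:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL reason=bad_password
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL) reason=(?P<reason>\S+)$"
)


def parse_line(line):
    """Return a dict for one auth event, or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return ev


def classify(lines, window=600, min_users=20, min_fail_ratio=0.9):
    """Bucket events per (source IP, fixed time window) and label abusive buckets.

    Heuristics (thresholds are assumptions to tune per environment):
      * many distinct usernames from one source with a high failure ratio
        is the shared signature of stuffing and spraying;
      * a large share of "no_such_user" failures points to credential
        stuffing: the usernames come from another site's leak, so many of
        them never existed here;
      * one or two tries per account against valid usernames points to
        password spraying, which stays under lockout thresholds on purpose.
    """
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        slot = int(ev["ts"].timestamp()) // window * window
        buckets[(ev["src"], slot)].append(ev)

    verdicts = {}
    for key, evs in buckets.items():
        per_user = defaultdict(int)
        fails = unknown = 0
        for ev in evs:
            per_user[ev["user"]] += 1
            if ev["result"] == "FAIL":
                fails += 1
            if ev["reason"] == "no_such_user":
                unknown += 1
        if len(per_user) < min_users or fails / len(evs) < min_fail_ratio:
            continue  # not enough breadth, or too many successes: leave it alone
        if unknown / len(evs) >= 0.3:
            label = "credential_stuffing"
        elif max(per_user.values()) <= 2:
            label = "password_spraying"
        else:
            label = "brute_force"
        verdicts[key] = {"label": label, "attempts": len(evs),
                         "distinct_users": len(per_user), "failures": fails,
                         "unknown_users": unknown}
    return verdicts


def sample_log():
    """Constructed events: one stuffing source, one spraying source, one normal user."""
    lines = []
    # 203.0.113.7 replays 40 leaked email:password pairs from another site's dump:
    # 16 of those emails never had an account here, and 2 pairs work because
    # the victims reused the password.
    for i in range(40):
        if i < 16:
            result, reason = "FAIL", "no_such_user"
        elif i < 38:
            result, reason = "FAIL", "bad_password"
        else:
            result, reason = "OK", "ok"
        lines.append(f"2020-11-05T10:00:{i:02d}Z src=203.0.113.7 "
                     f"user=u{i}@other-site.example result={result} reason={reason}")
    # 198.51.100.9 sprays a single guess against 30 accounts it knows are valid.
    for i in range(30):
        lines.append(f"2020-11-05T10:05:{i:02d}Z src=198.51.100.9 "
                     f"user=staff{i}@example.com result=FAIL reason=bad_password")
    # 192.0.2.5 is a real user who mistypes once, then logs in.
    lines.append("2020-11-05T10:07:00Z src=192.0.2.5 user=alice@example.com result=FAIL reason=bad_password")
    lines.append("2020-11-05T10:07:09Z src=192.0.2.5 user=alice@example.com result=OK reason=ok")
    return lines


if __name__ == "__main__":
    for (src, slot), verdict in sorted(classify(sample_log()).items()):
        print(src, verdict)
```

The "no such user" signal only works if your IdP logs that reason distinctly from a bad password (and does not return it to the client, which would turn it into a username oracle); where it does not, fall back to the per-account attempt count and the breadth of usernames per source.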

Even if some of these databases are from old hacks, mega leaks like
these are incredibly damaging to the security posture of most internet
users.

In effect, this mega leak is a collective memory of thousands of past
hacks, one that many users may want forgotten and not collected like
baseball cards inside services like WeLeakInfo, LeakedSource, or
Cit0day.

Services like Cit0day prolong the shelf life of past mistakes in
selecting passwords for online accounts.

Users should treat mega leaks like the Cit0day dump as a prompt to
review the passwords they use for their online accounts, change old
ones, and start using a unique password for each account. A password
manager that generates and stores the passwords for all your online
accounts is also highly recommended.
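A practical way to do that review, as an added example for this article rather than code from ZDNet or any password manager: take the manager's CSV export, find passwords shared across sites, and check each against a leaked-password corpus without ever sending the password itself. The CSV rows and the "leaked" list below are constructed; the lookup copies the k-anonymity shape used by the Pwned Passwords range API (send only the first five hex characters of the SHA-1, compare the suffix locally) but answers from a local table so the example runs offline.

```python
"""Review a password-manager export for reused and known-leaked passwords.

Added example for this article, not code from ZDNet or any password manager.
The CSV rows and the "leaked" corpus are constructed. The lookup mirrors the
k-anonymity shape of the Pwned Passwords range API (send the first 5 hex
chars of the SHA-1, compare the suffix locally) but is answered from a local
table here so the example runs offline.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed export in the common url,username,password layout.
EXPORT_CSV = """url,username,password
https://forum.example.net,alice,Summer2019!
https://shop.example.com,alice@example.com,Summer2019!
https://bank.example.org,alice,Tr0ub4dor&3
https://mail.example.com,alice@example.com,correct horse battery staple
"""

# Constructed stand-in for a breach corpus. A real range service stores only
# SHA-1 suffixes per prefix; plaintext appears here only to build the table.
LEAKED_PLAINTEXT = ["Summer2019!", "password", "123456", "Tr0ub4dor&3"]


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(leaked):
    """Map 5-char SHA-1 prefix -> set of 35-char suffixes, as a range API would."""
    table = defaultdict(set)
    for pw in leaked:
        h = sha1_hex(pw)
        table[h[:5]].add(h[5:])
    return table


def is_leaked(password, table):
    """Only the prefix would leave the client; the suffix match happens locally."""
    h = sha1_hex(password)
    return h[5:] in table.get(h[:5], set())


def review(export_csv, table):
    """Return findings per password: which sites share it and whether it leaked.

    Passwords themselves are never included in the output, only the sites,
    so the report can be shared without re-leaking anything.
    """
    by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        by_password[row["password"]].append(row["url"])
    findings = []
    for pw, urls in by_password.items():
        reused, leaked = len(urls) > 1, is_leaked(pw, table)
        if reused or leaked:
            findings.append({"sites": sorted(urls), "reused": reused, "leaked": leaked})
    return sorted(findings, key=lambda f: f["sites"])


if __name__ == "__main__":
    for finding in review(EXPORT_CSV, build_range_table(LEAKED_PLAINTEXT)):
        print(finding)
```

Against a real range service, replace build_range_table with an HTTPS fetch of the prefix's suffix list; the comparison stays local, so the service never learns which password was checked.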


More information about the BreachExchange mailing list