UPDATED 21:49 EDT / NOVEMBER 04 2020

Billions of stolen credentials from defunct breach index site leaked online

More than 23,000 hacked databases covering billions of credentials have been leaked from a now-defunct breach index site and are being offered for download on hacking forums and Telegram.

The data came from Cit0Day, a website that was offering the databases for sale to hackers for a monthly fee. Cit0Day ceased operations in September. An archived snapshot of its website showed a notice that it had been seized by the U.S. Federal Bureau of Investigation pursuant to a warrant issued in California.

The hacked database may have been leaked by one of the operators of the site following its closure. The data from Cit0Day is said to total 50 gigabytes and 13 billion records from 23,618 databases. The majority of the databases are from companies known to have had credentials stolen previously, but cumulatively the data is arguably the biggest leak of its kind to date.

According to TechNadu, spammers and credential-stuffing hackers have already started using the databases and the email addresses in cybercrime campaigns and it’s likely that a more sophisticated and specific-targeting cybercrime wave using the data will rise in the future.

“The archive’s most dangerous parts are those concerning smaller sites that never bothered to disclose any security incidents or never realized them,” TechNadu noted. “These sites aren’t using strong hashing algorithms and salting for the user passwords, so the credentials are in plain-text form.”

Although only recently coming to the attention of the media, the data trove appears to have been available on various forums since Cit0day closed down in September. The existence of the leaked data was first mentioned on Raid Forums Sept. 14.

Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb, told SiliconANGLE that the major incident that will serve as rocket fuel to password reuse attacks and disastrous data breaches.

“Most organizations cannot centralize their identity management and authentication efforts given that a considerable amount of their data is processed or stored by third parties, let alone legacy or shadow systems,” he explained. “Cybercriminals are well aware of this and, prior to launching a lengthy and expensive frontal attack, will silently try to reuse previously stolen credentials of employees, suppliers and trusted third parties.”

Kolochenko said the leak will inevitably have a major impact on nearly all large organizations around the globe since it likely contains valid credentials from some of their production systems. “Security leaders should urgently ensure they have holistic visibility over their data storage and processing, a properly implemented third-party risk management program and a continuous enforcement of security controls by all third parties with privileged access to their systems or data,” he said.

Image: Cit0day/Wayback Machine

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU