More than 23,000 hacked databases covering billions of credentials have been leaked from a now-defunct breach index site and are being offered for download on hacking forums and Telegram.

The data came from Cit0Day, a website that was offering the databases for sale to hackers for a monthly fee. Cit0Day ceased operations in September. An archived snapshot of its website showed a notice that it had been seized by the U.S. Federal Bureau of Investigation pursuant to a warrant issued in California.

The hacked database may have been leaked by one of the operators of the site following its closure. The data from Cit0Day is said to total 50 gigabytes and 13 billion records from 23,618 databases. The majority of the databases are from companies known to have had credentials stolen previously, but cumulatively the data is arguably the biggest leak of its kind to date.

According to TechNadu, spammers and credential-stuffing hackers have already started using the databases and the email addresses in cybercrime campaigns and it’s likely that a more sophisticated and specific-targeting cybercrime wave using the data will rise in the future.

“The archive’s most dangerous parts are those concerning smaller sites that never bothered to disclose any security incidents or never realized them,” TechNadu noted. “These sites aren’t using strong hashing algorithms and salting for the user passwords, so the credentials are in plain-text form.”

Although only recently coming to the attention of the media, the data trove appears to have been available on various forums since Cit0day closed down in September. The existence of the leaked data was first mentioned on Raid Forums Sept. 14.

Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb, told SiliconANGLE that the major incident that will serve as rocket fuel to password reuse attacks and disastrous data breaches.

“Most organizations cannot centralize their identity management and authentication efforts given that a considerable amount of their data is processed or stored by third parties, let alone legacy or shadow systems,” he explained. “Cybercriminals are well aware of this and, prior to launching a lengthy and expensive frontal attack, will silently try to reuse previously stolen credentials of employees, suppliers and trusted third parties.”

Kolochenko said the leak will inevitably have a major impact on nearly all large organizations around the globe since it likely contains valid credentials from some of their production systems. “Security leaders should urgently ensure they have holistic visibility over their data storage and processing, a properly implemented third-party risk management program and a continuous enforcement of security controls by all third parties with privileged access to their systems or data,” he said.

Image: Cit0day/Wayback Machine