Unknown actors have offered more than 23600 hacked databases for download on several underground forums and via Telegram. The databases reportedly came from Cit0Day.in, a service used by cybercriminals that promised access to usernames, email addresses, and even unencrypted passwords for a monthly fee.
Cit0Day started in January 2018, shortly after authorities shut down LeakedSource, which also dealt in stolen access data. Hackers usually use such information for targeted attacks. Cit0Day's business was reportedly shut down by law enforcement officials. As of September 14, a notice on the service's website stated that the domain had been seized by the FBI and the US Department of Justice.
However, threat intelligence provider KELA discovered that this notice was fake and came from Deer.io, an e-commerce platform for hackers. On a Russian-language hacker forum, the company also found 23618 hacked databases, which were available for download through the Mega file hosting provider.
The roughly 50 GB of data, which is said to contain 13 billion sign-in records, was available there for only a few hours. The download was ultimately removed following an abuse complaint. The data was verified by KELA and the Italian security provider D3Lab.
The data is currently being distributed through closed Telegram and Discord channels operated by underground data dealers. About a third of the data has also been offered free of charge since Sunday on another underground forum.
Are the hacked databases a threat to users?
The publication of the compromised databases should not pose a serious security threat to users. Most of them come from websites that were hacked many years ago. Often, the databases contain only a few thousand or ten thousand records and come from small, little-known websites.
Allegedly, about a third of the leaked databases were marked as ‘dehashed’, meaning hackers had been able to recover the plaintext of passwords that were stored only as hash values. However, many databases do not contain passwords.
It can be assumed that the data will be used for spam campaigns again. It can also be used to pass off a fake email as “real”. However, the real danger should arise only for users who are known to reuse passwords across multiple services and have not changed their passwords in years. Users can also use services such as HaveIBeenPwned.com to check whether their login information has been compromised in a hacker attack.