23,600 hacked databases have leaked from a defunct 'data breach index' site

Site archive of Cit0day.in has now leaked on two hacking forums after the service shut down in September.
Written by Catalin Cimpanu, Contributor
Image: Setyaki Irham, ZDNet

More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels in what threat intel analysts are calling the biggest leak of its kind.

The database collection is said to have originated from Cit0Day.in, a private service advertised on hacking forums to other cybercriminals.

Cit0day operated by collecting hacked databases and then providing access to usernames, emails, addresses, and even cleartext passwords to other hackers for a daily or monthly fee.

Cybercriminals would then use the site to identify possible passwords for targeted users and then attempt to breach their accounts at other, more high-profile sites.

The idea behind the site isn't unique, and Cit0Day could be considered a reincarnation of similar "data breach index" services such as LeakedSource and WeLeakInfo, both taken down by authorities in 2018 and 2020, respectively.

In fact, Cit0Day launched in January 2018, as LeakedSource was taken down, and was heavily advertised on both underground hacking forums but also on major forums on the public internet, like BitcoinTalk, according to data provided by threat intelligence service KELA, which first alerted ZDNet about the site earlier this year.

However, the Cit0day website went down on September 14, when the site's main domain sported an FBI and DOJ seizure notice.

Image: ZDNet

Rumors started circulating on hacking forums that the site's creator, an individual known as Xrenovi4, might have been arrested, similar to what happened to the authors of LeakedSource and WeLeakInfo.

But all signs pointed to the fact that the FBI takedown notice was fake.

KELA Product Manager Raveed Laeb told ZDNet that the seizure banner was actually copied from the Deer.io takedown, a Shopify like platform for hackers, and then edited to fit the Cit0day portal.

An FBI spokesperson for the FBI declined to comment and refused to confirm any investigation, citing internal policies present in all law enforcement agencies.

In addition, no arrest was ever announced in connection to Cit0day, which is contrary to how the FBI and DOJ operate — with both agencies usually taking down criminal sites only when they can also charge their creators.

Cit0day hacked database now shared online

But if users hoped that Cit0day and Xrenovi4 would shut down and then walk into the sunset, this is not what happened.

While it's unclear if Xrenovi4 leaked the data themselves or if the data was hacked by a rival gang, Cit0day's entire collection of hacked databases was provided as a free download on a well-known forum for Russian-speaking hackers last month.

Image: ZDNet

In total, 23,618 hacked databases were provided for download via the MEGA file-hosting portal. The link was live only for a few hours before being taken down following an abuse report.

ZDNet was not able to download the entire dataset, estimated at around 50GB and 13 billion user records, but forum users who did confirmed the data's authenticity. Additional confirmation was provided to ZDNet earlier today by Italian security firm D3Lab.

But even if the data was available for a few hours, this short time window allowed the data to enter the public domain.

Since October, the Cit0day data has now been shared in private and via Telegram and Discord channels operated by known underground data brokers.

In addition, a third of the Cit0day database also made a comeback on Sunday when it was shared online again, this time on an even more popular hacker forum.

Image: ZDNet

Cit0day data included both old and new data dumps

Most of the hacked databases included in the Cit0day dump are old and come from sites that have been hacked years ago.

Furthermore, many of the hacked databases are from small, no-name sites with small userbases in the range of thousands or tens of thousands of users.

Not all the 23,000 leaked databases belong to big internet portals, but famous hacked databases from big name sites are also included, having been collected together with the small ones.

Many of these small sites also didn't use top-notch security measures, and around a third of the leaked Cit0day databases were listed as "dehashed" — a term used to describe hacked databases where Cit0day provided passwords in cleartext.

However, many databases didn't even contain a password, having a designation of "nohash."

Image: ZDNet

Currently, this data is now being used by other cybercrime gangs to orchestrate spam campaigns and credential stuffing and password spraying attacks against users who might have reused passwords across online accounts.

Even if some of these databases are from old hacks, mega leaks like these are incredibly damaging to the security posture of most internet users.

In effect, this mega leak is a collective memory of thousands of past hacks, one that many users may want forgotten and not collected like baseball cards inside services like WeLeakInfo, LeakedSource, or Cit0day.

Services like Cit0day prolong the shelf life of past mistakes in selecting passwords for online accounts.

Users should use the example of mega leaks like the Cit0day dump to review the passwords they use for their online accounts, change old ones, and start using unique passwords for each account. Using password managers to help you with the passwords for all your online accounts is also highly recommended.

Editorial standards