Cit0day, a private platform that aggregates leaked databases and sells access to them to cybercriminals, had its own data leaked last month. It has been described as the biggest leak of its kind, with over 23,618 databases from both small and big portals containing over 13 billion user records. It includes both old and new databases, some of which Cit0day sells with plaintext passwords.
23,600 Databases Containing 13 Billion User Records
Cit0day, a database indexing site like WeLeakInfo and LeakedSource, has been making the rounds on several hacker forums since last month. It collects hacked databases from various breaches and hosts them, offering access to cybercriminals on a subscription basis. The databases on offer contain usernames, email addresses, and even plaintext passwords.
As reported by ZDNet, the Cit0day databases were somehow leaked on a Russian hacker forum last month. The forum reportedly hosted a link to over 23,618 databases containing 13 billion user records on a MEGA portal. The link was live for only a few hours before it was taken down, but that gave users enough time to download the data and share it later.
The data dump was reported to be 50GB and was later shared several times on other hacker forums. It has also made its way to the surface internet, with data brokers sharing it in Telegram and Discord channels. Things got interesting when users started seeing a seizure notice from the FBI and CISA, suggesting that the site's operator, Xrenovi4, could have been caught.
But this was unlikely, since an FBI spokesperson declined to comment. There are no official reports of an arrest in connection with the site, which eventually shut down. Yet the leaked database was not being shared online explicitly. Forum members even verified the data's authenticity, which made it more popular.
While some of the databases relate to big portals, most are from small ones. Yet they are still relatively important, as they are free to use.
Cit0day has marked some of them as dehashed, meaning the passwords have been cracked and are provided in plain text, which makes them easier for hackers to exploit. Many of those who obtained the dataset are reportedly now planning credential stuffing, spam campaigns, and similar attacks.