Dark Web Site Cit0day Leaks More than 23,000 Hacked Databases After Feds Shut it Down

ZDNet reported yesterday that 23,000+ hacked databases were leaked on several dark web forums and Telegram channels. Threat assessors are shocked at the magnitude of this exposure, especially since Cit0Day was shut down recently. 

Cit0Day

Cit0Day.in was a dark web service that offered breached database credentials (name, email, usernames, addresses, and cleartext passwords) to hackers and cybercriminals through ads posted on dark web forums. The site was first launched in January 2018 and quickly became a major go-to source for leaked data. 

It’s not clear whether or not the owner of Cit0Day (rumored to be someone known as Xrenovi4) actually stole the data or simply compiled it from data breaches and other hackers’ spoils. Regardless, the collection is accredited to Cit0Day, and that was where it was first identified. The site was used by various hacker groups for credential stuffing to compare known username/password combinations with other websites since many people reuse their usernames and passwords on multiple websites (a big cybersecurity no-no).

Cit0Day is similar to other services such as WeLeakInfo and LeakedSource, both of which were shut down by the FBI in 2020 and 2018, respectively. 

On September 14, it appeared that the FBI and DOJ seized the website, took it down, and posted a seizure notice in its place. Rumors flew that the owner had been arrested and was in custody. However, new information suggests that the notice was faked, and the entire thing was a hoax. The FBI has failed to confirm either way.

The Exposure

Without knowing if the owner actually was arrested or law enforcement had any hand in the site being defaced, it is unclear who leaked the data. It could have been Xrenovi4 or some other gang who hacked his or her website and stole the databases. Either way, the entire contents were available as a free download on a Russian hacker forum using the MEGA file-hosting portal. It was only available for a short time before the service took it down following a complaint.

ZDNet estimates that the file would be around 50GB and should include about 13 billion user credentials. Some users did contact the online publication with confirmation about the contents, and the Italian security firm D3Lab also confirmed the records.

The data was available online for hours, giving cybercriminals plenty of time to access, copy, and use the information. Those people contained in the data are ripe for identity theft, fraud, and other data breaches.

Alarmingly, a portion of the Cit0Day database returned on Sunday on another hacker forum. This time experts got a good look at the contents and confirmed that much of the data was old and came from data breaches that took place years ago. However, some of the data is new from the fresh hacks of some smaller websites with poor security. 

What Users Can do to Stay Safe

Security experts warn users exposed in this data leak that they are now at extreme risk of phishing attempts and credential stuffing as new hackers are busy putting the data to good use. They suggest the following tips to ensure your online safety.

• Review all your online accounts and change passwords immediately.
• Never reuse passwords on multiple websites.
• Be on the lookout for suspicious emails, especially phishing emails.
• Never click links inside an email.
• Keep all your devices updated with the latest security patches.
• Install good antivirus-anti-malware software and run deep scans often on all your devices.
• Never share your logins with anyone, even friends and family.
• Review all your financial accounts and credit reports frequently, checking for unauthorized activity.
• Always use good, strong, complex passwords.
• Sign up for two-factor authentication.
• Turn on multi-factor authentication (TouchID and FaceID) and encryption on your mobile devices.

As always, use common sense and do everything you can to protect your identity and all your online accounts.