The databases are said to come from Cit0day.in, a private service advertised on hacking forums.
The idea behind the site is not new. Cit0day resembled older services such as LeakedSource and WeLeakInfo, which were shut down in 2018 and 2020, respectively.
Cit0day started operating in January 2018, when LeakedSource closed, and was heavily advertised on hacking forums.
However, the Cit0day site went offline a while ago, reportedly because the FBI and the DOJ had seized its main domain.
Rumours began to circulate immediately. Some claimed that the site's creator, a person known as Xrenovi4, might have been arrested. But all indications are that the FBI seizure notice was fake.
KELA executive Raveed Laeb told ZDNet that the seizure banner was identical to the one used on Deer.io, a Shopify-style platform for hackers; it had essentially been copied and edited to fit the Cit0day site.
The FBI declined to comment.
In addition, no Cit0day-related arrest has ever been announced, which is inconsistent with how the FBI and the DOJ operate: both agencies typically take criminal sites down only once they can charge and arrest their operators.
Breached databases are available for download online
It is not clear whether Xrenovi4 leaked the databases himself or whether a rival gang stole them. In any case, Cit0day's entire collection of compromised databases turned up on a well-known Russian-language hacking forum, where any criminal could download it for free.
In total, 23,618 compromised databases were made available for download through the file-hosting portal MEGA. The link was live for only a few hours.
The databases (about 50 GB in size) are estimated to contain at least 13 billion user records. This has been confirmed both by forum users and by the Italian security company D3Lab.
Even though the data was available for only a few hours, the problem did not end there. Since October, the Cit0day databases have been circulating on Telegram and Discord channels run by well-known underground data brokers.
On Sunday, the data was posted on another, even more popular hacking forum.
The collection includes both new and old compromised databases
Many of them come from small, little-known sites, but data from well-known breaches is included as well. In most cases, the small sites used no security measures at all, not even for the passwords.
This data is now most likely being used by criminal groups for spam, credential stuffing and password spraying attacks against users who reuse the same passwords across sites and platforms. Credential stuffing replays leaked username/password pairs against other services, while password spraying tries a few common passwords against many accounts.
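The two attack patterns named above leave different fingerprints in a site's login logs, and the obvious defence on the site side is to refuse passwords that appear in a leaked corpus. The following is an added example, not code from the article or from any of the services it describes: a small Python triage of constructed authentication log lines (format, IP addresses, usernames and thresholds are all assumptions) plus a leaked-password check against a constructed stand-in for a breach corpus.

```python
"""Heuristic triage of login events for credential stuffing vs password spraying.

Added example, not from the original article. The log format, the thresholds
and every sample line below are constructed for illustration only.
"""
import hashlib
import re
from collections import defaultdict

# Constructed auth log, one event per line: "<timestamp> <source_ip> <username> <OK|FAIL>".
# 203.0.113.7 replays leaked username/password pairs (some still work).
# 198.51.100.9 tries one password against every account (nothing works).
# 192.0.2.44 hammers a single account. 192.0.2.10 is a normal user who mistyped once.
SAMPLE_LOG = """\
2020-11-10T09:00:01Z 203.0.113.7 alice FAIL
2020-11-10T09:00:02Z 203.0.113.7 bob OK
2020-11-10T09:00:02Z 203.0.113.7 carol FAIL
2020-11-10T09:00:03Z 203.0.113.7 dave OK
2020-11-10T09:00:03Z 203.0.113.7 erin FAIL
2020-11-10T09:00:04Z 203.0.113.7 frank FAIL
2020-11-10T09:01:00Z 198.51.100.9 alice FAIL
2020-11-10T09:01:01Z 198.51.100.9 bob FAIL
2020-11-10T09:01:01Z 198.51.100.9 carol FAIL
2020-11-10T09:01:02Z 198.51.100.9 dave FAIL
2020-11-10T09:01:02Z 198.51.100.9 erin FAIL
2020-11-10T09:01:03Z 198.51.100.9 frank FAIL
2020-11-10T09:02:00Z 192.0.2.44 alice FAIL
2020-11-10T09:02:01Z 192.0.2.44 alice FAIL
2020-11-10T09:02:02Z 192.0.2.44 alice FAIL
2020-11-10T09:02:03Z 192.0.2.44 alice FAIL
2020-11-10T09:02:04Z 192.0.2.44 alice FAIL
2020-11-10T09:03:00Z 192.0.2.10 grace FAIL
2020-11-10T09:03:05Z 192.0.2.10 grace OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Yield (source_ip, username, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, ip, user, result = m.groups()
            yield ip, user, result == "OK"


def classify_sources(events, min_users=5, min_attempts=5):
    """Label each source IP by the shape of its login attempts.

    credential_stuffing: many distinct accounts, about one attempt each, and
        at least one success (leaked pairs that are still valid elsewhere).
    password_spraying: many distinct accounts, about one attempt each, and no
        successes (one or two common passwords tried against every account).
    brute_force: a single account, many failed attempts.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for ip, user, ok in events:
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["ok"] += int(ok)
    labels = {}
    for ip, s in stats.items():
        n_users, attempts, ok = len(s["users"]), s["attempts"], s["ok"]
        per_user = attempts / n_users
        if n_users >= min_users and per_user <= 2:
            labels[ip] = "credential_stuffing" if ok else "password_spraying"
        elif n_users == 1 and attempts >= min_attempts and ok == 0:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "normal"
    return labels


# Constructed stand-in for a leaked-password corpus: SHA-1 digests of a few
# passwords. A real deployment would hold a large corpus or use a k-anonymity
# range lookup instead of an in-memory set; the hashing is the same idea.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password1", "qwerty", "letmein")
}


def password_is_leaked(password, corpus=LEAKED_SHA1):
    """True if the candidate password appears in the (constructed) leaked corpus."""
    return hashlib.sha1(password.encode()).hexdigest() in corpus


if __name__ == "__main__":
    for ip, label in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:15} {label}")
    print("qwerty leaked:", password_is_leaked("qwerty"))
```

The distinction between the two labels rests on the success rate: a stuffing run uses real leaked pairs and therefore produces some logins among many distinct usernames, whereas a spray produces a wall of single failures across accounts. Thresholds of this kind need tuning per site, and on a real deployment the source key would usually be a subnet or ASN rather than a single IP, since both attacks are normally routed through proxy pools.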
Although much of the data comes from old breaches, it is a large leak that certainly affects many users.
Services like Cit0day bring old breaches back to the surface.