A collection of more than 23,000 hacked databases has temporarily appeared on a forum. The collection came from the hacker website Cit0day, which recently went offline.

Cit0day was a website where cybercriminals could buy access to the hacked databases and then abuse the stolen personal data. This data consisted of e-mail addresses, usernames, residential addresses and passwords. A substantial part of those passwords was not hashed.

Seizure

The website was founded in January 2018 and was strongly advertised on hacking forums. However, on September 14 of this year, the website started displaying a report that the website had been seized by the FBI and the U.S. Department of Justice.

This led to rumours that the founder of the website, who uses the pseudonym Xrenovi4, had been arrested. The same had happened to the founders of LeakedSource and WeLeakInfo, two similar websites.

However, other rumours indicate that the website did not fall into the hands of the American authorities, but was taken over by other hackers. According to KELA product manager and security expert Raveed Laeb, the FBI notification on Cit0day was copied from another seized website.

Also, the FBI and DoJ did not report an arrest, whereas they normally only take down a website when they can sue its creators. When ZDNet asked the FBI for comment, the authority refused to share information about investigations, because of internal policies.

Databases on a forum

A few weeks later a message appeared on a Russian hacker forum, linking to a file that had been uploaded to MEGA. The file contained all 23,618 hacked databases for free.

According to forum users, the file was about 50GB in size and contained about 13 billion user records. The Italian security company D3Lab also confirmed the legitimacy of the leak to ZDNet.

A few hours later, the message had been deleted, but not before several users downloaded it and went on to distribute it via Telegram and Discord channels operated by data brokers. Also, 8949 of the leaked databases were recently shared again on another hacker forum.

Leaked data

Most of the leaked data originate from small, unknown websites that were hacked many years ago. In most cases, the passwords were hashed, but about a third of those were cracked. There was also a large number of databases whose passwords were not encrypted at all.

The people who buy the stolen data use them mainly for setting up spam campaigns. They also try out the leaked passwords on other websites, hoping that users have used the same password on multiple websites.