57% of Cit0Day leaked credentials linked to popular free email service providers


First reported in November 2020, the Cit0Day data breach allegedly originated from a credential selling website that offered access to usernames and passwords for thousands of websites and online services. Cit0Day’s backend database was leaked online and circulated among private channels for a number of weeks, before being shared on a more mainstream forum on the internet and the darknet. 

Get the Full Intelligence Report

cit0day logo

It is currently difficult to analyze the full impact of this data breach, given its size (24GB) and number of files involved (36,000). This type of analysis requires powerful computers and sophisticated scripts to identify and make sense of the data. The information was leaked with little to no information about its structure, and an inconsistent file naming and format. As multiple files refer to a single website, a significant amount of data may be duplicated. The screenshot below shows the same email addresses, with both encrypted and unencrypted passwords.

Industry research lends credibility to Cit0Day data breach

Researcher Troy Hunt claims that up to 226 million usernames and passwords were leaked in the Cit0Day data breach. Anecdotal evidence suggests that the data breach contains many valid usernames, and possibly passwords. About a third of all email addresses were not known publicly from previous data leaks. It additionally suggests that many of the 23,000 websites whose credentials leaked in Cit0Day have yet to publicly disclose that they were involved in the data breach. A list of all the targeted websites can be found on GitHub here and here

The Cit0Day data breach is a significant security event for Canadian companies, given the size of the data breach and the lack of transparency from impacted parties.

Free email providers still most commonly leaked email addresses

The most common domain names in the leaked email addresses were well-known free email service providers, as shown below. Taken together, they represent over half (57%) of all leaked credentials, including regional service providers from Russia (mail.ru, yandex.ru), South Korea (naver.com, hanmail.net), France (hotmail.fr) and China (163.com). 

Free email providers still most commonly leaked email addresses

Most common sources of leaks for Canadian businesses

Top sources of leaks that affected Canadian businesses include or are related to:

  • Business directories which contain information about Canadian businesses and categorize them based on location, field, size and activity;
  • Hobbies and leisure: Horse breeding, adoption and horse racing companies, boating accessories and marinas, golf clubs and tournaments, hockey leagues and championships, curling and soccer clubs, music stores, art galleries and exchange, travel websites, food delivery, and museums; 
  • Children: free games and e-learning platforms, soccer and hockey leagues from across Canada;
  • Real estate: regional offices of a major real estate company;
  • Employment websites, including for nursing in Ontario and jobs in Silicon Valley; 
  • Public institutions from Ontario and Quebec.

No website concentrates a large portion of the registered accounts.

Cit0Day has been little discussed on the criminal underground

A search in our Firework digital risk protection solution database found a limited number of interesting posts on the Cit0Day service. Our team collected an advertisement by the administrator of Cit0Day when it was published.

We also found a number of advertisements from malicious actors sharing a link for the Cit0Day data leak. One message was of particular interest, as the malicious actor could not find a single buyer for the data leak and decided to give it for free. The post was published about a month ago, quite some time after the leak had been made available on private networks. 

Finally, we found evidence that malicious actors themselves were confused regarding the best use of such a big data breach, after experiencing multiple issues when extracting intelligence. 


Over the past five years, data breaches have significantly increased in size, culminating in hundreds of millions of email addresses and a mix of encrypted and encrypted passwords. The silver lining is that individuals may get lost in the vastness of accounts that leak.
Malicious actors will never have the time to abuse all 226 million email addresses that have leaked in the Cit0Day breach. Many companies will suffer as a result of this breach, but the victims are likely to represent a small fraction of all impacted companies. This is even more likely since many passwords were never cracked by the Cit0Day.in team, making it harder to abuse the credentials.
To protect your company against the Cit0Day data breach, you should enable two-factor authentication whenever possible. An essential part of proper security hygiene, two-factor authentication makes it much harder to take over accounts. Additionally, you should also verify if the login credential was included in the Cit0Day data breach. This can be done in real-time, when a user logs in, or periodically, in both cases using our APIs.

Luana Pascu contributed to this article.

Get the Full Intelligence Report