57% of Cit0Day leaked credentials linked to popular free email service providers

First reported in November 2020, the Cit0Day data breach allegedly originated from a credential selling website that offered access to usernames and passwords for thousands of websites and online services. Cit0Day’s backend database was leaked online and circulated among private channels for a number of weeks, before being shared on a more mainstream forum on the internet and the darknet.

It is currently difficult to analyze the full impact of this data breach, given its size (24GB) and the number of files involved (36,000). This type of analysis requires powerful computers and sophisticated scripts to identify and make sense of the data. The information was leaked with little to no documentation of its structure, and with inconsistent file naming and formats. As multiple files refer to a single website, a significant amount of data may be duplicated. The screenshot below shows the same email addresses, with both encrypted and unencrypted passwords.


Industry research lends credibility to Cit0Day data breach
Researcher Troy Hunt claims that up to 226 million usernames and passwords were leaked in the Cit0Day data breach. Anecdotal evidence suggests that the data breach contains many valid usernames, and possibly passwords. About a third of all email addresses were not known publicly from previous data leaks. The evidence also suggests that many of the 23,000 websites whose credentials leaked in Cit0Day have yet to publicly disclose that they were involved in the data breach. A list of all the targeted websites can be found on GitHub here and here.
The Cit0Day data breach is a significant security event for Canadian companies, given the size of the data breach and the lack of transparency from impacted parties.
Free email providers still most commonly leaked email addresses
The most common domain names in the leaked email addresses were well-known free email service providers, as shown below. Taken together, they represent over half (57%) of all leaked credentials, including regional service providers from Russia (mail.ru, yandex.ru), South Korea (naver.com, hanmail.net), France (hotmail.fr) and China (163.com).
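As an added example (not code from the original article), the kind of triage pass the two sections above describe: normalizing inconsistently formatted dump lines, de-duplicating an address that appears once with a plaintext password and once with a hash, and computing the share of free-provider domains. The file names, sample lines and the provider set are constructed assumptions; only the address part of each line is ever read, so no secrets are retained.

```python
import re
from collections import Counter

# Providers the article names, plus gmail/yahoo/hotmail; extend to match another dump.
FREE_PROVIDERS = {
    "gmail.com", "yahoo.com", "hotmail.com", "hotmail.fr",
    "mail.ru", "yandex.ru", "naver.com", "hanmail.net", "163.com",
}

# Match "address<sep>secret" for the separators mixed-format dump files tend to use.
# Only the address is captured; the secret part of the line is never read.
EMAIL_RE = re.compile(
    r"^\s*([A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+))\s*[:;,|\t]"
)

def analyse(files):
    """files: {file name: iterable of raw lines}. Normalise addresses, de-duplicate
    across files and tally domains; returns summary counts only."""
    seen, skipped, duplicates = set(), 0, 0
    for lines in files.values():
        for line in lines:
            m = EMAIL_RE.match(line)
            if not m:
                skipped += 1            # header, junk or an unrecognised layout
                continue
            email = m.group(1).lower()  # the same account may differ only in case
            if email in seen:
                duplicates += 1         # e.g. plaintext copy in one file, hash in another
            else:
                seen.add(email)
    domains = Counter(e.rpartition("@")[2] for e in seen)
    free = sum(n for d, n in domains.items() if d in FREE_PROVIDERS)
    return {
        "unique_emails": len(seen),
        "duplicates": duplicates,
        "skipped": skipped,
        "domain_counts": domains,
        "free_provider_share": free / len(seen) if seen else 0.0,
    }

SAMPLE_FILES = {  # constructed sample in the described mixed formats; fake secrets and hashes
    "example-site_plain.txt": ["alice@gmail.com:placeholder-secret-1",
                               "bob@mail.ru;placeholder-secret-2",
                               "carol@naver.com:placeholder-secret-3   ",
                               "not-an-email-line"],
    "example-site_hashed.txt": ["alice@gmail.com:0123456789abcdef0123456789abcdef",
                                "Bob@mail.ru:fedcba9876543210fedcba9876543210",
                                "dave@corp.example:placeholder-secret-4"],
}
```

Running `analyse(SAMPLE_FILES)` on the constructed sample reports 4 unique addresses, 2 duplicates, 1 skipped line and a free-provider share of 0.75.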

Most common sources of leaks for Canadian businesses
Top sources of leaks that affected Canadian businesses include or are related to:
- Business directories which contain information about Canadian businesses and categorize them based on location, field, size and activity;
- Hobbies and leisure: horse breeding, adoption and horse racing companies, boating accessories and marinas, golf clubs and tournaments, hockey leagues and championships, curling and soccer clubs, music stores, art galleries and exchanges, travel websites, food delivery, and museums;
- Children: free games and e-learning platforms, soccer and hockey leagues from across Canada;
- Real estate: regional offices of a major real estate company;
- Employment websites, including for nursing in Ontario and jobs in Silicon Valley;
- Public institutions from Ontario and Quebec.
No single website accounts for a large share of the leaked accounts.
Cit0Day has been little discussed on the criminal underground
A search of the database of our Firework digital risk protection solution found a limited number of interesting posts about the Cit0Day service. Our team collected an advertisement by the administrator of Cit0Day when it was published.
We also found a number of advertisements from malicious actors sharing a link to the Cit0Day data leak. One message was of particular interest, as the malicious actor could not find a single buyer for the data leak and decided to give it away for free. The post was published about a month ago, quite some time after the leak had been made available on private networks.
Finally, we found evidence that malicious actors themselves were confused about the best use of such a large data breach, after running into multiple issues when trying to extract intelligence from it.
Conclusion
Luana Pascu contributed to this article.