Cyber Incident Victim: Cit0Day.in
Date: Sep 2020
Location: United States of America
Summary
A defunct cybercrime service that aggregated hacked databases for paid access by malicious actors experienced a massive leak of its entire collection, comprising 23,618 databases with billions of user records including emails, usernames, addresses, and cleartext passwords. The data, originating from both obscure and prominent past breaches, was disseminated across multiple hacking forums and private channels via file-sharing platforms and messaging apps after the service's shutdown. Despite initial speculation about law enforcement involvement due to a fabricated seizure notice, the leak's distribution enabled widespread exploitation by threat actors for credential stuffing, password spraying, and spam campaigns, amplifying risks from recycled credentials across online accounts.
| Motives | Tactics, Techniques & Procedures | Threat Actor |
|---|---|---|
| 2 motives | 1 technique | 1 actor |
Description
Cit0Day.in, a private service operating since January 2018, functioned as a centralized repository for hacked databases containing usernames, emails, addresses, and cleartext passwords. Advertised on underground hacking forums and public platforms like BitcoinTalk, the service provided cybercriminals with paid access to this data for credential stuffing and account takeover attempts, positioning itself as a successor to earlier breached data marketplaces like LeakedSource and WeLeakInfo. The service abruptly ceased operations on September 14, 2020, when its domain displayed a seizure notice purportedly from the FBI and Department of Justice. Threat intelligence analysts later confirmed this notice was forged, copied from a previous takedown of the Deer.io cybercrime platform and modified for Cit0Day. Despite rumors circulating on hacking forums about the potential arrest of the operator known as "Xrenovi4," no law enforcement agency confirmed involvement or arrests, contradicting standard operational procedures for such takedowns.

Following the site's shutdown, Cit0Day's entire collection of 23,618 hacked databases—estimated at 50GB containing approximately 13 billion user records—was leaked on Russian-language hacking forums in October 2020 via MEGA file-sharing links. Although the initial download link was removed within hours due to abuse reports, the data rapidly proliferated through Telegram channels, Discord servers, and other hacker forums, with a third of the dataset resurfacing on a prominent forum shortly thereafter. Analysis by security firms confirmed the leak's authenticity, revealing that while many databases originated from smaller, historically compromised sites with limited user bases, the collection also included breaches from larger platforms. Approximately one-third of the databases contained cleartext passwords ("dehashed"), while others lacked password data entirely ("nohash"). Cybercriminal groups promptly weaponized the exposed credentials for spam campaigns, credential stuffing, and password spraying attacks, exploiting password reuse across accounts. The incident amplified risks associated with historical breaches by consolidating disparate datasets into a single, widely distributed repository, effectively extending the operational lifespan of compromised credentials despite their age.
