What happened in the Cit0day Breach?
DataBreach.com Team · November 30th 2024, 7:00 pm EST
In November 2020, a 120 GB archive nicknamed Cit0day—containing credential dumps from more than 23,000 hacked websites—was posted on several Russian-language hacking forums and mirrored on RaidForums within hours. The cache, split into 23,618 compressed files, was described as a full backup of Cit0day.in, a now-defunct credential-selling portal that had reportedly been seized by U.S. law enforcement two months earlier. Researchers who grabbed the torrent discovered roughly 195 million unique email-and-password pairs amassed over a decade.
Security analysts noted the trove blended well-known breaches with hundreds of previously unreported compromises; in many cases the files still held clear-text passwords or unsalted MD5 and SHA-1 hashes. Preliminary reviews by Authlogics and Have I Been Pwned confirmed a high hit rate when testing random samples, indicating the data was largely authentic even though each individual breach remains formally “unverified.”
Cit0day’s operators had run a subscription model—customers paid about US $1.50 per day for on-demand credential lookups—so the public leak effectively made a commercial underground service free, dramatically lowering the barrier for credential-stuffing and account-takeover attacks. Threat-intel firm Flare reported that 57 percent of the leaked logins used popular free-mail domains such as Gmail, Hotmail and Yahoo, making them attractive targets for phishing and business-email compromise.
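As an added defender-side example (not code from the DataBreach.com post or from any named researcher), the script below shows how a site operator could triage a dump like this one: it parses constructed `email:secret` lines, tells clear-text passwords apart from unsalted MD5 and SHA-1 digests, and cross-references them against a hypothetical local account table that still stores unsalted MD5. The `email:secret` layout, the sample lines and the local table are all assumptions made for the example.

```python
import hashlib

# Constructed leak lines in an assumed "email:secret" layout (every value is invented).
LEAK_LINES = [
    "alice@example.com:hunter2",                                   # clear-text password
    "bob@example.com:" + hashlib.md5(b"password").hexdigest(),     # unsalted MD5
    "carol@example.com:" + hashlib.sha1(b"letmein").hexdigest(),   # unsalted SHA-1
    "dave@example.com:qwerty",                                     # not one of our users
    "garbage line with no separator",
]

# Hypothetical local account table: email -> unsalted MD5 (a legacy scheme, like many leaked sites).
LOCAL_USERS = {
    "alice@example.com": hashlib.md5(b"hunter2").hexdigest(),
    "bob@example.com": hashlib.md5(b"password").hexdigest(),
    "carol@example.com": hashlib.md5(b"unrelated").hexdigest(),
}

def classify_secret(secret: str) -> str:
    """Guess whether a leaked secret is clear-text or an unsalted MD5 / SHA-1 digest."""
    s = secret.strip().lower()
    is_hex = all(c in "0123456789abcdef" for c in s)
    return {32: "md5", 40: "sha1"}.get(len(s), "plaintext") if is_hex else "plaintext"

def parse_leak(lines):
    """Yield (email, secret, kind); skip lines that do not follow email:secret."""
    for line in lines:
        if ":" not in line:
            continue
        email, secret = line.split(":", 1)
        yield email.strip().lower(), secret.strip(), classify_secret(secret)

def exposed_accounts(leak_lines, local_users) -> dict:
    """Map each local account seen in the leak to the reason it needs a forced reset."""
    hits = {}
    for email, secret, kind in parse_leak(leak_lines):
        stored = local_users.get(email)
        if stored is None:
            continue  # account not on our site
        if kind == "plaintext" and hashlib.md5(secret.encode()).hexdigest() == stored:
            hits[email] = "clear-text password leaked and matches our stored hash"
        elif kind == "plaintext":
            hits[email] = "clear-text password leaked elsewhere"
        elif kind == "md5" and secret.lower() == stored:
            # Unsalted digests are identical across sites for the same password, so reuse is visible.
            hits[email] = "leaked unsalted MD5 equals our stored hash (password reuse)"
        else:
            hits[email] = f"account appears in leak with {kind} hash"
    return hits
```

Every account returned should get a forced reset; the MD5 match for bob shows why unsalted storage lets a dump like this be cross-referenced directly, whereas a per-user salt (or bcrypt/argon2) would break that comparison.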