Citybee data leak summarized

There have been several data leaks in Lithuania, or by Lithuanian companies, in recent history: the 2017 leak at the plastic surgery clinic "Grožio Chirurgija", in which personal data such as names, addresses, and even pictures were held for ransom; the loss of 14 million users' data by Hostinger in 2019; and the years-old Orakulas data leak, which came to light only a couple of days after Citybee's. Even while this article was being finished, another older dataset was posted, this one from an online dating website. So how did Citybee's leak cause such an outrage and such an unfortunate chain of events?

#News, Feb 20th 2021, by Dom

The leak

On February 15th, the database of more than 100k Citybee users was posted on RaidForums, a popular forum for such content, free to download. The set contained customer data such as email addresses, passwords, first names, last names, addresses, phone numbers, and government ID and driver's license numbers. Other, non-user-related data is also being sold; the dataset listing can be seen below:

[Image: listing of the Citybee dump]

The leaked data is from 2018 and is said not to contain any newer entries. The author of the original post stated that no brute-forcing or other attacks were used to acquire the data: a simple DNS lookup led to Citybee's storage server, which was publicly accessible, and most likely had been for the past three years.

Citybee's leak is one of the largest leaks in Lithuanian history; however, there are further reasons why it caused public outrage.

Weak encryption

Although a publicly exposed database copy is unfortunate, it can be viewed as an accident or human error and perhaps be forgiven; the way Citybee protected its users' passwords cannot. Passwords in the database were hashed with SHA-1 and without salt. A hashed password cannot really be reversed, but hash-cracking tools that apply dictionaries, look for patterns or words, and use various other techniques have proven able to recover such passwords quite easily. SHA-1 was superseded by SHA-2 in 2002, and although many have said that this hashing method is no longer sufficient, to this day it is still one of the most popular worldwide.

When around 8 million LinkedIn user password hashes were leaked in 2012, also SHA-1, it was calculated that a regular desktop PC could crack most of them within a week. Even then, SHA-1 was already considered unsafe for storing passwords, with or without salt.
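Why unsalted SHA-1 falls so quickly to a dictionary, and what a per-user salt plus a slow hash changes, as an added example that is not from the article: the user table, wordlist, iteration count and function names are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the leak): a toy user table and a tiny wordlist.
USERS = {"alice": "password", "bob": "qwerty", "carol": "Tr0ub4dor&3", "dave": "password"}
WORDLIST = ["123456", "password", "qwerty", "vilnius", "letmein"]
PBKDF2_ITERATIONS = 1_000  # kept small for the demo; production uses 100k or more

def sha1_unsalted(password: str) -> str:
    """Storage as the article describes it: plain SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def pbkdf2_salted(password: str, salt: bytes) -> bytes:
    """Per-user salt plus a deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def store_unsalted(users: dict) -> dict:
    return {user: sha1_unsalted(pw) for user, pw in users.items()}

def store_salted(users: dict) -> dict:
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)  # fresh random salt per user
        table[user] = (salt, pbkdf2_salted(pw, salt))
    return table

def duplicate_password_groups(leaked_unsalted: dict) -> list:
    """Unsalted hashes leak structure before any cracking: equal hash, equal password."""
    by_hash = {}
    for user, digest in leaked_unsalted.items():
        by_hash.setdefault(digest, []).append(user)
    return [group for group in by_hash.values() if len(group) > 1]

def recover_unsalted(leaked: dict, wordlist: list) -> tuple:
    """One table of len(wordlist) hashes is checked against every user at once."""
    lookup = {sha1_unsalted(word): word for word in wordlist}
    found = {user: lookup[digest] for user, digest in leaked.items() if digest in lookup}
    return found, len(wordlist)  # hash computations needed, independent of user count

def recover_salted(leaked: dict, wordlist: list) -> tuple:
    """Nothing can be precomputed: every guess is re-derived per user, per salt."""
    found, derivations = {}, 0
    for user, (salt, digest) in leaked.items():
        for word in wordlist:
            derivations += 1
            if hmac.compare_digest(pbkdf2_salted(word, salt), digest):
                found[user] = word
                break
    return found, derivations * PBKDF2_ITERATIONS  # underlying hash invocations
```

Salting does not rescue a weak password, but it removes the shared lookup table and the "same hash, same password" grouping, and the slow hash multiplies the per-guess cost for every user separately.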

Communication & actions taken

Citybee

Citybee struck another blow to itself after news of the leak appeared: it officially stated that only names, surnames, and government ID numbers had been leaked, emphasizing that passwords were stored securely and were out of reach, which was of course proven false fairly quickly. Citybee was caught red-handed a couple more times, which only increased the public's distrust of an organization that once seemed like a role model for other Lithuanian companies.

Citybee's leak started an unfortunate chain of events: more Lithuanian leaks from the past are showing up daily and gaining attention, one of which had an even larger dataset, of 400k users, in which passwords were stored in plain text.

Takeaways

Data leaks are common in this age of technology and users should take them into account, especially after a couple more Lithuanian leaks have resurfaced. Although the leak of Citybee client data is unfortunate, the only real threat is the takeover and abuse of any other accounts registered under the same email and password combination; the rest of the leaked data is, on its own, of no real use to anyone and could be gathered or generated in various other ways.

This is not to say that companies should not be held accountable for such mistakes and held to higher standards when handling user data in Lithuania, the Baltics, and around the globe. However, most of the time this topic is beyond the reach of us as users, and of laws and regulations. Thus, at the end of the day, it is important for us at Baltic Makers and for you to be proactive on this topic and avoid any collateral damage by:

  • Using strong passwords which contain special characters, numbers, and upper/lowercase letters
  • Using 2FA or other additional authentication methods when possible
  • Not using the same password for multiple sites; use a password manager if needed
  • If your data has been breached, changing your password and being more cautious when performing any tasks online
