The leak

On February 15th the database of Citybee's 100k+ users' data has been posted on RaidForums, a popular forum for such content, to download for free. The set contained customer data such as Email Addresses, Passwords, First Names, Last Names, Addresses, Phone Numbers, Government ID & Driver's license numbers. Moreover, other non-user related data is also being sold, the dataset can be seen below:

The data leaked is from 2018 and is said to not contain any newer entries. The author of the original post stated that no brute-forcing or other methods were used to acquire the data, simply by using DNS lookup he managed to find their storage server which was publicly accessible, and most likely has been for the past three years.

Citybee's leak is one of the largest scale leaks in Lithuanian history, however, there are more reasons as to why it caused public outrage.

Weak encryption

Although the publicly available database copy is unfortunate and can be viewed as an accident or human error and perhaps be forgiven, the way Citybee encrypted its users' data cannot. Passwords in the database were hashed with SHA-1 and without salt, and although hashed password can't really be reversed, by using hash-cracking tools which apply dictionaries, attempt to look for patterns or words, and utilize various other algorithms, it has been proven to be quite easy. SHA-1 has been replaced by SHA-2 in 2002, and although many have said that this hashing method was no longer sufficient, to this day it is still one of the most popular worldwide.

When around 8 million LinkedIn's user password hashes were leaked in 2012 which also used SHA-1 encryption, it was calculated that it would take a week to crack most of them with a regular desktop PC. Even then it was already considered unsafe to use SHA-1 for storing passwords, with or without salt.

Communication & actions taken

Another blow to Citybee has been struck by themselves after the information of leaked data appeared, Citybee officially stated that only Names, Surnames, and Government ID numbers were leaked, emphasizing that the password are stored securely and were out of reach - which of course has been proven false fairly quickly. Citybee has been caught red-handed a couple more times, which only increased the public's distrust of the organization, which once seemed like a role model for other Lithuanian companies.

Citybee's leak started an unfortunate chain of events, as more Lithuanian leaks from the past are showing up daily and gaining attention, one of which had even a larger, 400k user, dataset and in which passwords were stored in plain-text.

Takeaways

Data leaks are common in this age of technology and should be considered by users, especially after a couple of more Lithuanian leaks have resurfaced. Although the leak of "Citybee" client data is unfortunate, the only real threat is the takeover and abuse of any other user's accounts registered under the same email & password combination, the rest of the leaked data on itself is of no real use to any and could be gathered or generated in various other ways.

Not to say that companies should not be held accountable for such mistakes and higher standards when handling user data in Lithuania, Baltics, and around the globe - however, most of the time this topic is beyond the reach of us, laws & regulations. Thus at the end of the day, it's important for us at Baltic Makers and you to be proactive regarding this topic and avoid any collateral damage by:

• Using strong passwords which contain special characters, numbers, and upper/lowercase letters
• Using 2FA or other additional authentication methods when possible
• Not using the same password for multiple sites. Use a password manager if needed
• If your data has been breached, change your password & be more cautious when performing any tasks online.