The leak could put 110,000+ Lithuanian CityBee users at risk of identity theft and credential stuffing attacks.
A database that belongs to CityBee, a car sharing service that operates in the Baltic states and Poland, has appeared on a popular hacker forum.
The first part of the database was posted on February 15 and includes 110,000 CityBee user IDs, usernames, hashed passwords, full names, as well as personal codes (national identification numbers) that belong to mostly Lithuanian CityBee users.
The second part, posted on February 16 by the same author, appears to contain more detailed personal information, potentially including driver license numbers and CityBee credit limits, as well as a folder named “CreditCards.”
While the owner of the post initially claimed that the data had been stolen from CityBee sometime in 2020, it was later confirmed that the database was exfiltrated from an unsecured Microsoft Azure blob managed by CityBee since at least February 2018.
It appears that the threat actor found the unsecured CityBee blob by searching reverse DNS lookup data with a Rapid7 Open Data Forward DNS tool. A directory brute-force attack was then used to enumerate directories in the blob, after which the threat actor downloaded the files.
We informed CityBee about the leak on February 15 and asked if they could confirm that the leak was genuine. CityBee CEO Kristijonas Kaikaris confirmed the authenticity of the leak and informed affected customers on the same day.
According to Kaikaris and our own tests, the unsecured Azure blob has been closed, the passwords of the affected users have been reset, and CityBee is cooperating with the police and local cybersecurity experts in investigating the crime. The Lithuanian State Data Protection Inspectorate will also investigate whether CityBee secured the data properly.
How to find out if you’ve been affected
To see if your data was exposed in this or other security breaches, use our personal data leak checker. Our leak checker tool is the largest on the market, with a library of 15+ billion breached accounts, including those exposed in the CityBee leak.
What was leaked?
Based on the samples we saw from the first part of the database, it contains:
- User IDs
- Full names
- Email addresses
- Passwords hashed using the weak SHA1 algorithm
- Personal codes
The second part of the CityBee database appears to contain a wide variety of personal and app-related data, including:
- Driver’s license numbers
- Phone numbers
- Street addresses
- Credit card information (unclear if it’s full credit card data)
- Car rental history
- In-app credit limits
The threat actor posted a screenshot of the second database's directory on the forum as an example.
Who is the company behind the leak?
Founded in 2013, CityBee is a car-sharing company that operates in Lithuania, Latvia, Estonia, and Poland and owns a fleet of over 2,000 vehicles.
The company has a customer base of more than 750,000 drivers, 110,000+ of whom had their information leaked on the hacker forum.
Who had access to the data?
The initial part of the database is available for anyone to access for about $2.50 in virtual currency.
The second part is available for forum users to download for $1,000 worth of Bitcoin. It appears that the second part of the database has now been sold to multiple buyers.
For this reason, we assume that anyone with enough Bitcoin to spare can access the second CityBee database.
What’s the impact of the leak?
The data found in the hacked CityBee database can be used in a variety of ways against the drivers whose data was exposed, including the following:
- Spamming the victims’ emails.
- Using the information from the database to mount targeted phishing attacks.
- Combining stolen data with other data breaches to commit identity theft.
- Cracking weakly hashed passwords and carrying out credential stuffing attacks against the drivers’ other online accounts. For example, users got Spotify password reset requests due to suspicious activity shortly after the leak was published on the forum.
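Why a fast hash such as SHA1 is a poor fit for password storage, and how a service can move stored records to a salted, slow key-derivation function at the next login. This is an added example, not CityBee's code: the unsalted single-pass SHA1 record format, the PBKDF2 replacement, the iteration count and every name below are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example

def legacy_sha1(password: str) -> str:
    """Assumed legacy format: one fast, unsalted SHA-1 pass, hex-encoded."""
    return hashlib.sha1(password.encode()).hexdigest()

def slow_hash(password: str, salt: bytes = b"") -> str:
    """Hardened format: per-user random salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Constant-time check against either record format."""
    if stored.startswith("pbkdf2$"):
        salt = bytes.fromhex(stored.split("$")[1])
        return hmac.compare_digest(slow_hash(password, salt), stored)
    return hmac.compare_digest(legacy_sha1(password), stored)

def login(db: dict, user: str, password: str) -> bool:
    """Verify, then upgrade a legacy SHA-1 record while the plaintext is at hand."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        db[user] = slow_hash(password)
    return True

def demo():
    # Constructed sample records: two users who picked the same password.
    db = {"alice": legacy_sha1("Vilnius-2021"), "bob": legacy_sha1("Vilnius-2021")}
    identical_before = db["alice"] == db["bob"]  # unsalted: one recovered password exposes both
    logged_in = login(db, "alice", "Vilnius-2021") and login(db, "bob", "Vilnius-2021")
    identical_after = db["alice"] == db["bob"]   # salted: the two records now differ
    return identical_before, logged_in, identical_after, db

if __name__ == "__main__":
    print(demo()[:3])
```

Records that are never upgraded because the user does not log in again still hold the weak hash, which is why a forced password reset remains necessary after a leak.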
Fortunately, neither of the stolen CityBee databases contains the users’ passport or ID card document numbers, which, in addition to personal codes found in the first part of the database, would be required in order to commit identity theft against Lithuanian citizens.
However, particularly determined attackers could combine the information found in the databases with older breaches to build complete profiles of the victims for identity theft attacks.
What to do if you’ve been affected
If you have a CityBee account, immediately change your password if you have not done so already, and consider using a quality password manager to create strong, complex passwords. If you’ve been using your CityBee password for any other online services, make sure to change it there as well.
Using a unique password for each online service will prevent threat actors from reusing it for credential stuffing attacks.
Additionally, make sure to add multi-factor authentication on your more sensitive accounts. That way, even if an attacker has your username and password, they won’t be able to get into your accounts.