Citybee hacked, database leaked.


Since I’m personally affected by the Citybee “hack” (it’s actually not even a hack, read on to find out why), I decided to put some info together in this post to make sense of it. I will try to update it as soon as I get more info myself. The information is not authoritative, but I will do my best to at least add arguments and sources of information.

Situation

On the evening of 2021.02.15, Facebook groups started raising alerts about the leaked Citybee database (a database dump was publicly available). The dump exposed user information such as name, surname, email addresses, passwords and government ID number. Potentially credit / debit card information was also reportedly exposed. The following is the screenshot of database tables that were obtained by the hackers:

[Screenshot: database tables in the leaked dump]

On the evening of 2021.02.15, the guy behind this incident – the hacker – posted that there was no need for any hacks, as the data was not password-protected or otherwise protected. It was a database backup stored in the Azure cloud.

Links:

Are you affected

People that have used the mobile car sharing app before 2018.02.27 are probably affected. You can test whether you are affected yourself:

Dangers

The main danger points are:

  • The leaked Citybee password might be used on other websites or to access the email inbox itself.
  • Leaked identity information can be used for impersonation / fraud in your name (this requires expansion).
  • Leaked credit / debit card info might be used, depending on what data is exposed; however, the extent of the data saved is unclear.

Immediate actions

  • If you use the Citybee web application (www.citybee.lt), you need to change your password.
  • You should change your password on www.citybee.lt AND on all the websites where you have used the same password.
  • Join this group for a discussion on further actions: https://www.facebook.com/groups/helpcitybee
  • Change the status of credit availability in Creditinfo Lietuva or Bank of Lithuania

About Citybee

Regarding credit card and driver license data

I have contacted the person behind this exposure (hard to call it a hack if he is to be believed) and this is the CC and Driver information that was exposed (note that there is an assumption that we can trust this person, obviously the best way would be for someone to actually buy the data and analyze it):

 

So CC data is not of any concern. The driver's licenses are more of a concern. If the license you used is still valid, it might be good to change it (you can do this at Regitra).

Questions answered

  • Is Citybee LV / EE affected – they are not.
  • Was SHA1 really used w/o salt – yes, it was. This makes it simpler for malevolent actors to obtain the real password via a rainbow table attack or a brute-force attack.
  • Credit / Debit card information was not leaked to the best of my knowledge.
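
Why the unsalted SHA1 answer above matters, as an added example (not code from Citybee or from this post): without a salt, equal passwords produce equal digests, so one precomputed table serves every account, while a per-user salt with a memory-hard function removes that shortcut. The sample accounts, function names and scrypt parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not taken from the leak).
USERS = [
    ("alice@example.com", "Vilnius2017"),
    ("bob@example.com", "Vilnius2017"),
    ("carol@example.com", "k9#Tq!vL2m"),
]

def sha1_unsalted(password):
    """Scheme the post describes: SHA-1 of the password with no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def scrypt_record(password, salt=None):
    """Hardened alternative: random per-user salt plus memory-hard scrypt."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + key.hex()

def scrypt_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = record.split("$")
    candidate = scrypt_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)

def shared_digests(stored):
    """Group accounts by stored value; a group of 2+ means equal passwords."""
    groups = defaultdict(list)
    for email, value in stored.items():
        groups[value].append(email)
    return [sorted(emails) for emails in groups.values() if len(emails) > 1]

def demo():
    """Store the same users both ways and report which accounts collide."""
    weak = {email: sha1_unsalted(pw) for email, pw in USERS}
    strong = {email: scrypt_record(pw) for email, pw in USERS}
    return shared_digests(weak), shared_digests(strong)

if __name__ == "__main__":
    weak_groups, strong_groups = demo()
    print("unsalted SHA-1, accounts sharing a digest:", weak_groups)
    print("salted scrypt, accounts sharing a record:", strong_groups)
```

Under the unsalted scheme the two accounts with the same password are visibly linked in the dump itself, which is one more reason to change a reused password everywhere it was used.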

Open questions

  • Unclear who created the backend that uses unsalted passwords and potentially stores Credit / Debit card information, but it seems like SQUALIO Lithuania was behind the migration to Azure. That is not proof that they left the backup there – https://customers.microsoft.com/en-IN/story/726394-citybee-logistics-azure-en
