Since I’m personally affected by the Citybee “hack” (it’s actually not even a hack, read on to find out why), I decided to put some info together in this post to make sense of it. I will try to update it as soon as I get more info myself. The information is not authoritative, but I will do my best to at least add arguments and sources of information.
On the evening of 2021.02.15, Facebook groups started alerting about the leaked Citybee database (a database dump was publicly available). It exposes user information such as name, surname, email address, password and government ID number. Credit / debit card information was also reportedly exposed, but this is not confirmed (see below). The following screenshot shows the database tables that were obtained by the hackers:
On the evening of 2021.02.15, the person behind this incident (the “hacker”) posted that no hacking was needed, because the data was not protected by a password or by any other means. It was a database backup stored in the Azure cloud.
- Official Citybee statement: https://www.facebook.com/CityBeeCarSharing/posts/3697762337004848
- Official Citybee press conference: https://www.youtube.com/watch?v=93Ib0GXblu0&t=3s
- FB group post: https://www.facebook.com/groups/webas/permalink/10159465888142018/
- FB group post: https://www.facebook.com/groups/webas/permalink/10159464687702018/
- Link to the forum thread with leaked data: https://raidforums.com/Thread-CityBee-LT-Database-Leaked-Download
Are you affected?
People who have used the mobile car sharing app before 2018.02.27 are probably affected. You can test whether you are affected yourself:
The main danger points are:
- The leaked Citybee password might be used on other websites, or to access the email inbox itself.
- Leaked identity information can be used for impersonation / fraud in your name (this requires expansion).
- Leaked credit / debit card info might be used depending on what data is exposed; however, the extent of the data saved is unclear.
- If you use the web application of Citybee (www.citybee.lt), you need to change your password.
- You should change your password on www.citybee.lt AND on all the websites where you have used the same password.
- Join this group for a discussion on further actions: https://www.facebook.com/groups/helpcitybee
- Change the status of credit availability in Creditinfo Lietuva or Bank of Lithuania
- Citybee is a car borrowing / sharing service.
- Its primary point of interaction with its customers is a mobile app.
- The first versions of the system were created by NFQ, see: https://www.nfq.lt/our-work-industry-experience/citybee
- Official statement by NFQ: https://www.linkedin.com/feed/update/urn:li:activity:6767396779899002880/
- Seems like the migration to
Regarding credit card and driver license data
I have contacted the person behind this exposure (hard to call it a hack if he is to be believed), and this is the CC and driver information that was exposed (note that there is an assumption that we can trust this person; obviously the best way would be for someone to actually buy the data and analyze it):
So the CC data is not of any concern. The driver’s licenses are more of a concern. If the license you used is still valid, it might be good to change it (you can do this at Regitra).
- Is Citybee LV / EE affected? They are not.
- Was SHA-1 really used without a salt? Yes, it was. This makes it simpler for malevolent actors to obtain the real password by a rainbow-table attack or a brute-force attack.
- Credit / Debit card information was not leaked to the best of my knowledge.
- Unclear who created the backend that uses unsalted passwords and potentially stores Credit / Debit card information, but it seems like SQUALIO Lithuania was behind the migration to Azure. That is not proof that they left the backup there – https://customers.microsoft.com/en-IN/story/726394-citybee-logistics-azure-en
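To make the unsalted SHA-1 point above concrete, here is an added example (my own illustrative code, not Citybee’s or NFQ’s backend) that shows why it matters for defenders: with a bare SHA-1 digest, two users who chose the same password end up with the identical stored value, so a single precomputed (rainbow) table entry covers all of them, and the digest is computed in microseconds. The same code shows the salted, iterated alternative (PBKDF2-HMAC-SHA256 from the standard library) and a simple audit heuristic for spotting bare SHA-1 values in a dump. The user emails and passwords are constructed sample values, and the `pbkdf2_sha256$iters$salt$hash` storage format is my own assumption, not a format the page mentions.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample data: two users who happen to share a password.
# These are illustrative values, not records from the leaked database.
USERS: Dict[str, str] = {
    "alice@example.com": "Vilnius2017",
    "bob@example.com": "Vilnius2017",
}


def sha1_unsalted(password: str) -> str:
    """The weak scheme the leak reportedly used: a bare SHA-1 hex digest.
    Equal passwords always give equal digests, so a precomputed table works."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted, iterated hashing (PBKDF2-HMAC-SHA256).
    Storage format (assumed for this example): pbkdf2_sha256$iters$salthex$hashhex."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats shared precomputation
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def looks_like_unsalted_sha1(stored: str) -> bool:
    """Audit heuristic for a dump: a 40-character lowercase hex string with no
    algorithm tag or salt component is almost certainly a bare SHA-1 digest."""
    return len(stored) == 40 and all(c in "0123456789abcdef" for c in stored)


def duplicate_hash_count(users: Dict[str, str], hasher: Callable[[str], str]) -> int:
    """How many stored values are duplicates of another user's value?
    Unsalted: every shared password collapses to one digest (count > 0).
    Salted: each user gets a distinct value even for the same password (count == 0)."""
    hashes = [hasher(pw) for pw in users.values()]
    return len(hashes) - len(set(hashes))


if __name__ == "__main__":
    print("unsalted SHA-1 duplicates:", duplicate_hash_count(USERS, sha1_unsalted))
    print("salted PBKDF2 duplicates:  ", duplicate_hash_count(USERS, pbkdf2_salted))
    stored = pbkdf2_salted("Vilnius2017")
    print("bare SHA-1 detected:", looks_like_unsalted_sha1(sha1_unsalted("Vilnius2017")))
    print("PBKDF2 value detected as bare SHA-1:", looks_like_unsalted_sha1(stored))
    print("verify correct password:", verify_pbkdf2("Vilnius2017", stored))
```

The `duplicate_hash_count` comparison is the whole story of the “rainbow table” concern: the unsalted scheme reports one duplicate for the two sample users, the salted scheme reports none. `looks_like_unsalted_sha1` is only a heuristic (any 160-bit hex value matches), but it is enough to flag a password column that deserves a closer look during an audit.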