This page is a subpage of the case file for case DIVD-2025-00019 - Victim Notification Operation Endgame, which contains the general information about this case.
ADFS credentials for your organisation were found in a botnet in Operation Endgame
If you received a notification from us with the subject "Stolen ADFS account credentials found for your organization in Police operation - DIVD-2024-00019", it means that one or more credentials belonging to the ADFS server/service for your organisation have been found in a botnet by the Dutch police. These credentials were discovered in May 2024.
What does this mean?
What we know for sure is that combinations of usernames and passwords associated with an ADFS server/service of your organisation were used by criminals operating a botnet between December 2024 and May 30th 2024. We do not know how they obtained these credentials. They may have been obtained in a phishing attack or stolen from the users' systems with malware, but the criminals may also have bought a database of credentials from a malicious third party.
Be aware that we have also emailed these individual users, but that these emails may have been intercepted by the criminals.
What should we do?
- Determine the severity of this situation based on the number of credentials we emailed you about.
- Investigate the accounts of these users for suspicious activity, such as unusual login times or locations, or an inability to access their account.
- Consider scanning the devices of these users with malware detection tools.
- Dual-factor authentication can stop an attacker who has a username and password combination from abusing the account. Implement two-step verification in as many places as possible.
- Consider reporting this event to the appropriate authorities, e.g. law enforcement, privacy and other regulators.
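The account investigation step above can be scripted as a first triage pass. The following is an added example, not code from DIVD or from the notification: it flags sign-ins from new source networks, sign-ins outside working hours, and lockouts for the notified accounts only. The CSV column names, the baseline cut-off date, the working hours (in UTC) and the sample records are all assumptions constructed for illustration.

```python
import csv, io, ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export of sign-in records; column names are assumptions.
SAMPLE_CSV = """timestamp,user,source_ip,result
2024-05-02T08:14:00+00:00,alice@example.org,198.51.100.10,success
2024-05-03T09:02:00+00:00,alice@example.org,198.51.100.23,success
2024-05-06T09:30:00+00:00,bob@example.org,198.51.100.40,success
2024-05-21T02:47:00+00:00,alice@example.org,203.0.113.77,success
2024-05-22T10:00:00+00:00,bob@example.org,198.51.100.40,success
2024-05-23T10:05:00+00:00,bob@example.org,198.51.100.40,lockout
2024-05-24T03:30:00+00:00,carol@example.org,192.0.2.9,success
"""

def network_of(ip):
    """Collapse an address to /24 (IPv4) or /48 (IPv6) so address churn is not flagged."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network(f"{addr}/{24 if addr.version == 4 else 48}", strict=False)

def triage(csv_text, notified, baseline_end, work_hours=(7, 19)):
    """Return {user: [(timestamp, finding), ...]} for the notified accounts only."""
    notified = {u.lower() for u in notified}
    seen = defaultdict(set)        # user -> source networks seen before baseline_end
    findings = defaultdict(list)
    rows = [dict(r, ts=datetime.fromisoformat(r["timestamp"]))
            for r in csv.DictReader(io.StringIO(csv_text))]
    for r in sorted(rows, key=lambda r: r["ts"]):
        user = r["user"].lower()
        if user not in notified:
            continue
        net = network_of(r["source_ip"])
        if r["ts"] < baseline_end:   # baseline period: learn, do not flag
            seen[user].add(net)
            continue
        if r["result"] == "lockout":
            findings[user].append((r["timestamp"], "account lockout"))
        elif r["result"] == "success":
            if net not in seen[user]:
                findings[user].append((r["timestamp"], f"new source network {net}"))
            if not work_hours[0] <= r["ts"].hour < work_hours[1]:  # hours in UTC
                findings[user].append((r["timestamp"], "sign-in outside working hours"))
    return dict(findings)

if __name__ == "__main__":
    cutoff = datetime(2024, 5, 15, tzinfo=timezone.utc)  # assumed baseline boundary
    for user, items in triage(SAMPLE_CSV, {"alice@example.org", "bob@example.org"}, cutoff).items():
        for ts, what in items:
            print(user, ts, what)
```

Choose the baseline period with care: if the credentials were already being abused during it, the attacker's networks are learned as normal and will not be flagged.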
More questions?
The main case file contains a Frequently Asked Questions (FAQ) section. If that does not answer your questions, please reply to the email you received or email us at DIVD-2024-00019@csirt.divd.nl.
For more information, see the main case file.