This page is a sub page of the case file for case DIVD-2025-00019 - Victim Notification Operation Endgame, which contains the general information about this case.
Email credentials of your organisation were found in a botnet in Operation Endgame
If you received a notification from us with the subject Stolen email credentials found for your organisation in Police operation - DIVD-2024-00019 it means that one or more credentials for email access for a domain associated with your organisation have been found in a Botnet by the Dutch police.
What does this mean?
What we know for sure is that combinations of email addresses and passwords that are associated with a domain belonging to your organisation were used by criminals operating a botnet between December 2023 and May 30th 2024. They likely used these credentials or the associated email account to interact with their victims, or spread malware or phishing campaigns.. We do not know how they obtained these credentials. It could be that these credentials were obtained in a phishing attack or stolen from the users’ system with malware, but it can also be that these criminals bought a database with credentials from a malicious, third party.
Be aware that we have also emailed these users individually, but that these emails may have been intercepted by the criminals.
What should you do?
- Determine the severity of this situation based on the number or credentials we emailed you about.
- Investigate the accounts of these users for suspicious activities like large volumes of sent messages, or unusual log in times, or unusual mail rules.
- Consider scanning the devices of these users with malware detection tools.
- Dual factor authentication can stop an attacker that uses a compromised username and password combination from abusing the account implement two-step verification in as many places as possible.
- Consider reporting this event to the appropriate authorities, e.g. law enforcement, privacy and other regulators.
More questions?
The main case file contains a Frequently Asked Questions (FAQ) section. If that does not answer your questions, please reply to the email you received or email us at DIVD-2024-00019@csirt.divd.nl.
For more information, see the main case file.