This page is a sub page of the case file for case DIVD-2025-00019 - Victim Notification Operation Endgame, which contains the general information about this case.
Credentials of undetermined origin associated with your organisation were found in a botnet in Operation Endgame
If you received a notification from us with the subject "Stolen credentials found for your organization in Police operation - DIVD-2024-00019", it means that the Dutch police found, in a botnet, one or more credentials for email addresses whose domain is linked to your organisation.
What does this mean?
What we know for sure is that username and password combinations associated with a domain belonging to your organisation were used by criminals operating a botnet between December 2023 and May 30th 2024. We do not know which accounts or services these credentials belong to or how the criminals obtained them. The credentials could have been obtained in a phishing attack or stolen from the users' systems with malware, but it is also possible that these criminals bought a database of credentials from a malicious third party.
Be aware that we have also emailed these individual users, but that these emails may have been intercepted by the criminals.
What should we do?
- Determine the severity of this situation based on the number of credentials we emailed you about.
- Investigate the accounts of these users for suspicious activity, such as large volumes of sent messages, unusual login times or unusual mail rules.
- Consider scanning the devices of these users with malware detection tools.
- Dual-factor authentication can stop an attacker who has a valid username and password combination from abusing the account. Implement two-step verification in as many places as possible.
- Consider reporting this event to the appropriate authorities, e.g. law enforcement, privacy and other regulators.
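
As an added example (not part of DIVD's notification or tooling), the account investigation step above can be run as a triage pass over exported sign-in and mail audit events. The event format, field names, working hours, send threshold and rule actions are assumptions, and the sample events are constructed.

```python
from collections import Counter
from datetime import datetime

# Addresses named in the notification (constructed sample values).
NOTIFIED = {"alice@example.org", "bob@example.org"}
WORK_HOURS = range(7, 20)   # assumption: normal local login hours
SEND_LIMIT = 3              # assumption: max sent messages per user per hour
RISKY_RULE_ACTIONS = {"forward_external", "delete"}  # hypothetical action names

# Constructed audit events in a hypothetical export format.
EVENTS = [
    {"user": "alice@example.org", "type": "login", "time": "2024-05-02T03:14:00"},
    {"user": "alice@example.org", "type": "rule_created",
     "time": "2024-05-02T03:16:00", "action": "forward_external"},
    *[{"user": "alice@example.org", "type": "send",
       "time": f"2024-05-02T03:{m:02d}:00"} for m in range(20, 25)],
    {"user": "bob@example.org", "type": "login", "time": "2024-05-02T09:00:00"},
    {"user": "bob@example.org", "type": "send", "time": "2024-05-02T09:05:00"},
    # Not in the notification, so out of scope for this triage pass.
    {"user": "carol@example.org", "type": "login", "time": "2024-05-02T02:00:00"},
]

def triage(events, notified, work_hours=WORK_HOURS, send_limit=SEND_LIMIT):
    """Return {user: sorted findings} for notified accounts with suspicious activity."""
    findings = {user: set() for user in notified}
    sent_per_hour = Counter()
    for event in events:
        user = event["user"]
        if user not in notified:
            continue
        ts = datetime.fromisoformat(event["time"])
        if event["type"] == "login" and ts.hour not in work_hours:
            findings[user].add("off-hours login")
        elif event["type"] == "send":
            sent_per_hour[(user, ts.strftime("%Y-%m-%dT%H"))] += 1
        elif (event["type"] == "rule_created"
              and event.get("action") in RISKY_RULE_ACTIONS):
            findings[user].add("mail rule: " + event["action"])
    # Flag every hour in which a user exceeded the send threshold.
    for (user, hour), count in sent_per_hour.items():
        if count > send_limit:
            findings[user].add(f"send burst: {count} in {hour}")
    return {user: sorted(f) for user, f in findings.items() if f}

if __name__ == "__main__":
    for user, reasons in triage(EVENTS, NOTIFIED).items():
        print(user, "->", "; ".join(reasons))
```

Accounts that appear in the result are the ones to prioritise for password resets, session revocation and the device scan in the next step.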
More questions?
The main case file contains a Frequently Asked Questions (FAQ) section. If that does not answer your questions, please reply to the email you received or email us at DIVD-2024-00019@csirt.divd.nl.
For more information, see the main case file.