This page is a sub page of the case file for case DIVD-2025-00019 - Victim Notification Operation Endgame, which contains the general information about this case.
Your ADFS credentials were found in a Botnet in Operation Endgame
If you received a notification from us with the subject "Your stolen ADFS account credentials found in Police operation - DIVD-2024-00019", it means that the username and password for the server that was included in the email have been found in a botnet by the Dutch police. The passwords were discovered in May 2024.
What does this mean?
What we know for sure is that your username and password, together with the ADFS server listed in the email, were used by criminals operating a botnet as recently as May 2024. We do not know how they obtained your username and password. These credentials could have been obtained in a phishing attack or stolen from your system with malware, but it is also possible that these criminals bought a database of credentials from a malicious third party.
What should I do?
We need your help to make sure criminals can no longer abuse the information they have about you.
Here are a few steps you can take:
- First of all, if you recognize the password, change it immediately to prevent future abuse.
- If you find that you are unable to change your password because you are locked out of your account, contact your administrator and ask them to change the password for you, to make sure the criminals cannot further abuse your account.
- If you have used this username/password combination anywhere else, make sure you change it there as well. Criminals often try the same username/password combinations on many different services and accounts.
- Never use this combination of username and password anywhere else again. It is in databases traded amongst criminals and thus easily guessable/crackable.
- Scan your devices, or ask for your devices to be scanned, with an antivirus/malware prevention tool. Your password was stolen, possibly from your own device using malware.
- Dual-factor authentication can stop an attacker who knows your password from abusing your account. Make sure two-step verification is on for your account. (This is also a great idea for your personal accounts.)
- We recommend that you reach out to the administrators of the ADFS server and inform them of the email you received.
Mind you, what we emailed you is a masked password. All characters in the password were replaced by an asterisk (*) except the four last characters. So e.g. the password VeryWeakPassword01! would have been transformed to ***************d01!.
More questions?
The main case file contains a Frequently Asked Questions (FAQ) section. If that does not answer your questions, please reply to the email you received or email us at DIVD-2024-00019@csirt.divd.nl.
For more information, see the main case file.