This page is a sub page of the case file for case DIVD-2025-00019 - Victim Notification Operation Endgame, which contains the general information about this case.
Some credentials of your were found in a Botnet in Operation Endgame
If you received a notification from us with the subject Your personal login details found in Police operation - Please take action to avoid misuse - Ref:IcedID/2024-00019 it means that one or more email address and password combinations of unknown origin were found in the IcedID Botnet by the Dutch police.
The email contains exact details about which credentials were harvested, and from which computer.
What does this mean?
The credentials in the email were stolen by criminals operating the IcedID between at least between the dates mentioned in the email. The criminals either intended to sell these credentials to other criminals or to abuse these accounts to make more victims.
What should I do?
We need your help to make sure criminals can no longer abuse the information they have about you.
Here are a few steps you can take:
- If you recognize the password, change it immediately to prevent future abuse.
- If you’re unable to change your password because you are locked out of your account, contact your administrator and ask for a password change as soon as possible.
- Have you used this email address and password elsewhere? Change it immediately. Criminals often try the same username/password combinations on many different services and accounts.
- Never use this combination of email address and password anywhere else again. This email address and password is now noted in databases and traded amongst criminals, which makes them very easy to guess or crack.
- There might still be malware on your computer. Perform a virus scan to check if there is malware and take actions if there is.
- Enable dual or multi factor authentication (MFA). This stops an attack from criminals if they know your password. implement two-step verification in as many places as possible.
- If this email address is a business email address, you are recommended to reach out to the security department of that organization.
Mind you, what we emailed you is a masked password. All characters in the password were replaced by an asterisk (*) except the four last characters. So e.g. the password VeryWeakPassword01! would have been transformed to ***************d01!.
More questions?
The (main case file)[/DIVD-2024-00019) contains a Frequently Asked Questions (FAQ) section. If that does not answer your questions, please reply to the email you received or email us at DIVD-2024-00019@csirt.divd.nl.
For more information, see the main case file.