This page is a sub page of the case file for case DIVD-2025-00041 - Victim Notification Operation Endgame S03E01, which contains the general information about this case.
Credentials of your users were found in a botnet in Operation Endgame
You’ve checked our datasets for Operation Endgame S03E01 and found email addresses belonging to your organisation. These are your next steps:
If your domains are in a file with domain_apexes in the name, users of your service are part of the data seized as part of Operation Endgame S03E01.
If you have not already done so, send an email to divd-2025-00041@csirt.divd.nl to request additional data and analyse i
What does this mean?
What we know for sure is that combinations of email addresses and passwords that are associated with a service delivered by your organisation were compromised by criminals operating a botnet. They may have used these credentials to access your services, or to resell these accounts to others. These credentials were likely obtained by means of information-stealing malware.
What should you do?
Given that these credentials were found by law enforcement in a recent police operation:
- Determine the severity of this situation based on the number of credentials we emailed you about.
- Investigate the accounts of these users for suspicious activities such as large volumes of sent messages, unusual login times, unusual expenditure or other activities.
- Consider notifying your users that their accounts have been compromised, and whether blocking their accounts is prudent.
- Dual-factor authentication can stop an attacker who uses a compromised username and password combination from abusing the account. Implement two-step verification in as many places as possible.
- Consider reporting this event to the appropriate authorities, e.g. law enforcement, privacy and other regulators.
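The account investigation step above, as an added Python example (not DIVD tooling and not part of the original notification): it compares each notified account's activity after a cut-off date against its own earlier baseline and flags logins from new IP addresses, logins at unusual hours and bursts of sent messages. The event tuple format, the names `NOTIFIED`, `EVENTS` and `triage`, the cut-off date and the thresholds are all assumptions to adapt to your own logs.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data (not from the DIVD datasets): notified addresses and
# application log events as (ISO time, account, event, source IP).
# Events after the assumed cut-off 2025-11-01 form the review window.
NOTIFIED = {"alice@example.org", "bob@example.org"}
EVENTS = [
    ("2025-10-01T09:05:00", "alice@example.org", "login", "198.51.100.10"),
    ("2025-10-01T09:30:00", "alice@example.org", "send", "198.51.100.10"),
    ("2025-10-02T10:15:00", "alice@example.org", "login", "198.51.100.10"),
    ("2025-10-01T14:00:00", "bob@example.org", "login", "198.51.100.20"),
    ("2025-10-02T15:10:00", "bob@example.org", "login", "198.51.100.20"),
    ("2025-11-03T03:12:00", "alice@example.org", "login", "203.0.113.77"),
    ("2025-11-03T14:30:00", "bob@example.org", "login", "198.51.100.20"),
    ("2025-11-04T04:00:00", "carol@example.org", "login", "203.0.113.99"),
] + [("2025-11-03T03:%02d:00" % m, "alice@example.org", "send", "203.0.113.77")
     for m in range(15, 45)]  # burst of 30 sent messages

def triage(events, notified, review_start, send_factor=5, hour_slack=2):
    """Return {account: sorted findings} for notified accounts with anomalies."""
    start = datetime.fromisoformat(review_start)
    base_ips, base_hours = defaultdict(set), defaultdict(set)
    base_sends, new_sends = defaultdict(Counter), defaultdict(Counter)
    recent_logins = []
    for ts, acct, kind, ip in events:
        acct, t = acct.lower(), datetime.fromisoformat(ts)
        if acct not in notified:
            continue  # only accounts named in the notification are reviewed
        if kind == "send":
            (new_sends if t >= start else base_sends)[acct][t.date()] += 1
        elif t >= start:
            recent_logins.append((t, acct, ip))
        else:  # baseline login: remember usual source IPs and hours
            base_ips[acct].add(ip)
            base_hours[acct].add(t.hour)
    findings = defaultdict(set)
    for t, acct, ip in recent_logins:
        if ip not in base_ips[acct]:
            findings[acct].add("login from new IP " + ip)
        # Circular distance on the 24h clock; no baseline counts as unusual.
        gaps = [min(abs(t.hour - h), 24 - abs(t.hour - h)) for h in base_hours[acct]]
        if all(g > hour_slack for g in gaps):
            findings[acct].add("login at unusual hour %02d:00" % t.hour)
    for acct, per_day in new_sends.items():
        limit = send_factor * max(base_sends[acct].values(), default=1)
        for day, n in per_day.items():
            if n > limit:
                findings[acct].add("%d messages sent on %s" % (n, day))
    return {a: sorted(f) for a, f in findings.items()}
```

Calling `triage(EVENTS, NOTIFIED, "2025-11-01T00:00:00")` on the constructed data reports only the first account; the second notified account kept its usual IP address and hours, so it produces no findings.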
More questions?
The main case file contains a Frequently Asked Questions (FAQ) section. If that does not answer your questions, please reply to the email you received or email us at DIVD-2025-00041@csirt.divd.nl.
For more information, see the main case file.