Cit0day Mass Data Breach

I checked haveibeenpwned today, and it lists Cit0day—a collection of ~23,000 websites that have been breached.

Cit0day (unverified): In November 2020, a collection of more than 23,000 allegedly breached websites known as Cit0day were made available for download on several hacking forums. The data consisted of 226M unique email addresses alongside password pairs, often represented as both password hashes and the cracked, plain text versions. Independent verification of the data established it contains many legitimate, previously undisclosed breaches. The data was provided to HIBP by dehashed.com.

Compromised data: Email addresses, Passwords

In that notice, there is a link to a troyhunt article. Someone in the comments of that article created a gist that lists all of the affected sites. (https://gist.github.com/gvolluz/dd0df2ba2400c4891f95d05de3dde1da)

Is there an easy way for Bitwarden to cross check my logins with the list of affected sites?

…Also, it occurs to me now that Bitwarden does not list breach collections on HaveIBeenPwned in its Data Breach Report on the Web Vault. Why is that?

Bitwarden will list breaches according to breach title that HIBP uses.

In this particular example, HIBP has labeled the breach "Title" as Cit0day

So, if HIBP detects your account has been breached, Bitwarden Data Breach Report will show Cit0day.

https://haveibeenpwned.com/api/v3/breach/Cit0day

Another example would be the breach Collection1.
The breach title HIBP uses is Collection #1, so this is what Bitwarden would show.

https://haveibeenpwned.com/api/v3/breach/Collection1


Bitwarden detects breaches by using the HIBP API for a specific account:

GET https://haveibeenpwned.com/api/v3/breachedaccount/{account}
Details: Have I Been Pwned: API v3

HIBP should have updated their database with information on the breach, so the Bitwarden Data Breach Report should show all breaches related to the account you search.


Not sure if there is any other “easy” way to search affected sites.

A more technical way might be to use the bitwarden-cli to query your vault's domains and then compare them with all affected sites.
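The cross-check suggested above, as an added example that is not part of this thread: it takes the JSON that `bw list items` prints (the shape assumed here is that each login item carries `login.uris[].uri`), reduces every URI to a host, and checks the host and each of its parent domains against the affected-site list from the gist. Both inputs below are constructed stand-ins, not real vault data or the real gist.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of `bw list items` output (assumed shape: login.uris[].uri).
SAMPLE_BW_ITEMS = json.dumps([
    {"name": "Example Forum", "login": {"username": "me@example.org",
     "uris": [{"uri": "https://www.forum.example.com/login"}]}},
    {"name": "Shop", "login": {"username": "me@example.org",
     "uris": [{"uri": "shop.example.net"}]}},
    {"name": "Secure Note", "notes": "no login section at all"},
    {"name": "Old blog", "login": {"username": "me@example.org",
     "uris": [{"uri": "http://blog.example.org:8080/"}]}},
])

# Constructed stand-in for the gist: one site per line, pasted with mixed case
# and stray whitespace, which is how such lists usually arrive.
SAMPLE_AFFECTED_SITES = """
forum.example.com
Example.NET
  blog.example.org
"""

def registrable_host(uri):
    """Reduce a vault URI to a lower-case host: drop scheme, port and 'www.'."""
    if "://" not in uri:          # Bitwarden accepts bare hosts as URIs
        uri = "https://" + uri
    host = (urlsplit(uri).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def parent_domains(host):
    """Yield host and its parent domains, e.g. a.b.c -> a.b.c, b.c (never the bare TLD).
    A breach list often names the apex domain while the vault stores a subdomain."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def load_affected(text):
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def cross_check(bw_items_json, affected_text):
    """Map vault item name -> affected site whose domain covers one of its URIs.
    Parent-domain matches can be false positives; review them by hand."""
    affected = load_affected(affected_text)
    hits = {}
    for item in json.loads(bw_items_json):
        for entry in (item.get("login") or {}).get("uris") or []:
            for candidate in parent_domains(registrable_host(entry.get("uri") or "")):
                if candidate in affected:
                    hits[item["name"]] = candidate
                    break
    return hits

if __name__ == "__main__":
    for name, site in cross_check(SAMPLE_BW_ITEMS, SAMPLE_AFFECTED_SITES).items():
        print(f"{name}: URI falls under affected site {site}")
```

To run it against a real vault, replace SAMPLE_BW_ITEMS with the output of `bw list items` and SAMPLE_AFFECTED_SITES with the gist's contents; entries matched only via a parent domain deserve a second look before rotating the password.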

So you’re saying the HIBP API doesn’t return collections when an email address query is passed to it?

It should return the titles like Cit0day and any other names listed on Have I Been Pwned: Pwned websites

The data Bitwarden gets back will include something like:

#   Field       Value
1   Title       Cit0day
    Domain      cit0day.in (Note: they probably won't show exact domain in collection)
    PwnCount    226883414
    BreachDate  2020-11-04
    AddedDate   2020-11-19T08:07:33Z
2   Title       Dropbox
    Domain      dropbox.com
    PwnCount    68648009
    BreachDate  2012-07-01
    AddedDate   2016-08-31T00:19:19Z
3

Bitwarden will then just format this output for report.

Well, I can confirm that no collections are showing up in my Data Breach Report in Bitwarden, despite HIBP.com listing 3 of them. So if Bitwarden should be listing them, it isn’t.

The exact API Bitwarden uses is https://haveibeenpwned.com/api/v3/breachedaccount/<USERNAME>?truncateResponse=false&includeUnverified=false (link to code at bottom).

This requires a paid API key to use (if you want to try it yourself).

It is hard to determine where the exact issue is happening (HIBP or Bitwarden). Some possibilities include:

  • it is an unverified breach, since the Bitwarden query excludes them.
  • maybe data in HIBP doesn’t have the specific email address you are looking up or something is missing