200M Stolen Passwords & 18M Colombian IDs Leaked: Bureaucracy Wins, Security Loses
TL;DR
- LeakBase cybercrime forum dismantled in global operation; 142,000+ members, 215,000 messages, and hundreds of millions of credentials seized
- Colombia’s DIAN tax authority breach exposes 18M records via unpatched appointment portal vulnerability
🤡 200 Million Stolen Credentials Seized in Global Crackdown — FBI Takes Down LeakBase Across 14 Countries
200+ MILLION stolen passwords… and they got caught buying coffee with them. 🤡 FBI seized the entire leak — 142K users, 37 sellers, $350M in victim payouts… all because one guy reused ‘Password123’ on 87 sites. Meanwhile, your ‘secure’ password? Still ‘Summer2026’. Who’s next? — Should your company pay you to stop being a human keylogger?
LeakBase just got LeakBusted. After four years of hawking stolen credentials like discount sushi, the forum's 142,000 members woke up Thursday to FBI seizure banners where their black market used to live. Two domains, hundreds of millions of accounts, and one very bad morning for 37 "active users" now facing the kind of legal attention that doesn't end with a refund.
The operation reads like bureaucratic poetry: 14 countries, ~100 enforcement actions, DNS redirects to ns1.fbi.seized.gov. The kind of coordination that normally takes three years and seventeen PowerPoints took roughly 48 hours from warrant to takedown. Either international law enforcement finally figured out Slack, or someone important got phished.
- Privacy: 200+ million credentials seized → your reused password from 2019 is now evidence
- Financial: $1 million in stablecoin frozen, $350 million in restitution ordered → crime pays until it absolutely doesn't
- Operational: 215,000 private messages captured → every "bro do u have netflix logs" permanently archived
The forum's database—usernames, passwords, payment cards, banking details, the full identity theft starter kit—now lives in "secure, air-gapped forensic storage." Which is government-speak for "we're reading everything, including your cringe DMs."
Where the cockroaches scatter
- 2026 (0–3 months): Forensic teams combing credentials; victim notifications incoming; 37 targets learning extradition law
- 2026–2027 (3–12 months): Crypto-mixer disruption; "strengthened legal frameworks" (read: politicians finally understanding DNS)
- 2027–2029 (1–3 years): Centralized forums fragment into invite-only whack-a-mole; institutionalized joint operations become the new normal
The predictable migration to RaidForums successors and BreachForums ghosts is already priced in. Europol's CI-ECR platform—threat intel sharing with a name like a pharmaceutical side effect—will monitor the diaspora. The seized data itself poses residual risk: hundreds of millions of credentials in government custody, because what could go wrong.
The real hack was the friends we arrested along the way
This operation validates synchronized multi-jurisdictional takedowns as viable theater. Rapid domain seizure via DNS repointing? Replicable. The 142,000-member scale? A benchmark. The actual impact on credential markets? Ask again when the next forum hits 100K users—probably before your password expires.
The strategic win isn't the takedown. It's demonstrating that law enforcement can move at cybercrime speed when sufficiently motivated. The 37 targeted users, the seized stablecoin, the forensic archives—these are outputs. The outcome is institutional: shared command centers, real-time intelligence feeds, standardized evidence handling across borders.
For the rest of us, the lesson is cheaper than the stolen data ever was. That password you've reused since 2021? It's been bulk-priced at roughly $0.000001 per account. Change it now, or wait for the next seizure banner with your credentials in the evidence pool.
💣 18M Colombian Identities Exposed: DIAN’s Unpatched Portal Ignites National Cyber Crisis
18 MILLION Colombian identities dumped like expired empanadas 🗑️🇨🇴 Unpatched software. 16GB of cédulas. Zero apologies. DIAN knew for MONTHS. Still didn’t fix it. Taxpayers now get free identity theft + phishing spam — because bureaucracy > security. Who’s next? Your local tax office? — Or are you already on that 16GB list?
Your tax authority left the back door open for months—and 18 million Colombians just got the receipt.
Who needs zero‑days when negligence is free?
"ArcRaidersPlayer" didn't crack some fortress. They strolled into agendamiento.dian.gov.co —DIAN's appointment portal—through a vulnerability that had been gathering dust since roughly forever. The exploit? Boring HTTP requests to an endpoint that apparently forgot what "authorization" means. The haul? 16 GB of citizen data: names, cédula numbers, emails, appointment logs. That's 18 million records, or roughly 90% of Colombia's adult population—enough to fill Estadio Metropolitano 200 times over, now sitting on dark-web shelves next to stolen credit cards and discount Viagra.
- Identity theft: Every cédula becomes a skeleton key for tax fraud, bogus loans, SIM swaps.
- Operational chaos: Portal offline, citizens back to physical queues.
- Regulatory theater: Potential fines under Ley 1581—if anyone proves DIAN actually tried to patch anything.
How this keeps happening (a Latin American greatest hits)
- 2025: Dominican Republic—6.1M records, "oops, database exposed"
- Feb 2026: Mexico's tax authority—195M records, 145 GB, slightly worse
- Mar 2026: Colombia—18M records, unpatched for months, same song
Pattern? Government portals running on hope, legacy contracts, and interns who can't escalate CVEs past procurement.
The timeline nobody asked for
- Now–April 2026: Phishing tsunami. "Confirm your DIAN appointment" emails incoming.
- May–August 2026: Regulatory finger‑pointing, possible lawsuits, one sacrificial IT director.
- 2027: Mandatory patch‑management laws that might get funded by 2029.
The real hack
DIAN didn't lose to genius attackers. They lost to compound interest on apathy—months of "we'll patch next sprint" until someone else sprinted faster. The 16 GB leak is embarrassing. That it was avoidable? That's the special sauce.
Latin American governments keep treating digital infrastructure like office furniture: invisible until it collapses. Meanwhile, threat actors treat those same portals like ATMs with sticky notes for PINs. The "ArcRaidersPlayer" breach isn't an anomaly—it's the regional baseline, and 18 million Colombians are now paying the subscription fee.
In Other News
- Tycoon2FA phishing-as-a-service platform disrupted; 330 domains seized, 62% of Microsoft-blocked phishing attempts traced to its infrastructure
- CISA Chief Information Officer Bob Costello steps down amid broader government IT leadership turnover and unimplemented cybersecurity recommendations
- AI-powered exploit kit Coruna targets iOS 13–17.2.1 via malicious websites, compromising 42,000+ devices with BIP39 seed phrase theft