Luca Stivali : 16 October 2025 08:03
A new post on the dark web offers full access to thousands of MySQL servers and databases owned by Italian shared hosting providers.
In the last few hours, a new thread appeared on an underground forum with the unequivocal title: “Italian hosting service sites – 9 more 40 servers – 526193 site’s backup – 4631 hosting customer – 6546 MySQL db’s”.
Disclaimer: This report includes screenshots and/or text from publicly available sources. The information provided is for threat intelligence and cybersecurity risk awareness purposes only. Red Hot Cyber condemns any unauthorized access, improper dissemination, or misuse of this data. It is currently not possible to independently verify the authenticity of the information reported, as the organization involved has not yet released an official statement on its website. Therefore, this article should be considered for informational and intelligence purposes only.
The author of the post, who uses the nickname 010010, is a long-standing user of the platform (active since 2018) and is offering for sale, for $1,000 in TRC20, an entire data dump coming – according to him – from Italian hosting infrastructures.
The screenshots published alongside the post clearly show:
a t_payservice_mysql table containing cleartext usernames and passwords for over 6,500 instances.
A not insignificant detail is the author’s promise: “I will give the phpmyadmin mysql root password”, a sign that access is not limited to the data but extends to the entire management system.
We conducted a preliminary OSINT analysis of the published evidence. Highlights:
010010: a binary, short, and heavily “technical/hacker”-sounding username, not a random choice for a data vendor. The forum account has been active since 2018, with reactions and credentials that denote a consolidated reputation (it’s not a disposable profile).
stanislav karacetin appears in the bar with the profile path C:\Users\stani\Documents\hostingdatabase. This provides two concrete clues: the dump was aggregated and saved on a machine with the OS set to Turkish, and the screenshot’s author (or the owner of the machine that generated the files) is identifiable as “stanislav / stani” at the local profile level.
Working hypothesis (high-level): The seller is likely a technical operator, potentially operating from the Turkish-speaking area or owning a Turkish-language machine. Their behavior (binary username, monetization in TRC20, obfuscated Telegram contact) is consistent with vendors from the TR/Eastern Europe area active in the credentials and database markets.
Although the providers involved have not yet been identified, technical evidence shows a pattern typical of Italian shared web hosting infrastructures: databases named “clienti_nomeaziendaXX”, references to multiple domains, and replicated tables for hundreds of users.
This type of compromise is often the result of:
If the data for sale is authentic, the impact would be significant: the databases shown contain customer accounts, passwords, domain codes and complete site backups.
Information of this type may be used to:
Once again, underground forums confirm their function as a parallel marketplace for compromised infrastructure, where SQL dumps, RDP logins and Plesk panels are sold for a fortune.
In today’s case, the Italian origin of the material represents a further alarm bell for a sector – that of shared hosting – which continues to suffer from a chronic lack of segmentation and hardening.
As often happens in these contexts, the asking price (just $1,000) is inversely proportional to the potential risk for the thousands of companies and professionals who could find themselves exposed.
Red Hot Cyber will continue to monitor the spread of this dump and any possible correlation with well-known providers in Italy. For now, it remains yet another reminder of how fragile the upstream security can be for those who host thousands of websites every day.