Red Hot Cyber
Major DarkForums Leak: 196 Italian Sites Exposed with Clear FTP Credentials

Luca Stivali: 22 September 2025 08:20

On September 20, 2025, at 11:52 PM, a thread titled “FRESH FTP LEAK” appeared on DarkForums, posted by user Hackfut. The material allegedly exposed access to FTP servers distributed across several countries, including Italy, the Netherlands, the Philippines, Peru, Chile, Australia, and Latvia. The targets included companies, schools, hospitality facilities, event sites, e-commerce sites, and media outlets.

The dump consists of FTP hostnames/domains, usernames, and passwords in clear text. Unfortunately, the critical issue for our country is the significant number of Italian domains in the collection, which is made available free of charge to users of the underground forum.

The impact for Italy

An analysis of the sample provided by Hackfut shows that out of a total of 250 records, 196 are attributable to Italian domains. Many of these belong to educational institutions, SMEs, and tourism facilities, once again highlighting the fragile attack surface of our country.

The passwords appear largely current, not simply remnants of old compromises. Some passwords contain the string 2024, which suggests that this collection could be current or only slightly dated.

This implies that the published logins are potentially still valid and immediately exploitable by malicious actors.

Concrete risks

  • Defacement of institutional websites.
  • Distribution of malware through uploading malicious files.
  • Exfiltration of data stored on FTP servers.
  • Phishing and reputational abuse, exploiting compromised legitimate domains.

The post doesn’t include the full list: to obtain it, the actor invites users to contact him privately on Telegram, a common practice in underground networks for controlled data distribution. It’s likely that Hackfut actually has a much larger dataset, potentially containing thousands of credentials linked to Italian targets.

Conclusion

The dump published by Hackfut represents not only a set of exposed credentials, but also further evidence of the persistent exposure of Italian assets to outdated security practices. The availability of active FTP access in schools, businesses, and tourism environments can lead to concrete consequences, from reputational abuse to phishing infrastructure.

This new leak confirms that FTP login details are still a sought-after commodity in cybercriminal circles, as they allow direct and immediate control over a site’s infrastructure. The companies involved are called upon to act promptly by resetting credentials, adopting two-factor authentication (2FA) where possible, and completely reviewing their security measures to mitigate the risks deriving from this compromise.

Anyone wishing to verify whether their domain is on the list can contact the editorial staff, who will provide the details in a controlled and confidential manner. The disruption resulting from such an attack would not only damage the reputation of the companies involved, but could also have significant economic repercussions, especially for portals that handle online transactions.

Luca Stivali
Cyber Security Enthusiast and entrepreneur in the IT industry for 25 years, expert in network design and management of complex IT systems. Passion for a proactive approach to cyber security: understanding how and what to protect yourself from is crucial.
