5 Min Read 
A foreign country pulled more than 600,000 records out of Lithuania’s state property and company registers and it did so not by breaking in but by using login credentials issued to institutions that were authorized to be there. The Lithuanian Prosecutor General’s Office disclosed the breach on Friday, more than six weeks after the Centre of Registers first detected it in early April.
The Centre of Registers, the state agency that runs Lithuania’s Real Estate and Legal Entities Registers, manages official property and corporate records that ordinarily sell on a paid-access basis. Prosecutors said the stolen information came primarily from those two registers and that the access likely originated abroad. They did not name the country.
The Logins Were Supposed To Be There
This is the detail that matters. The attacker did not exploit an unpatched server or a zero-day. According to prosecutors, the breach involved the misuse of credentials assigned to institutions that held legitimate, authorized access to the registry databases. Whoever ran the operation either had those credentials or compromised an organization that did.
Laurynas Kasciunas, the conservative opposition leader and a former defence minister, said in a Facebook post that compromised accounts linked to Lithuania’s Migration Department may have been used to reach the registry. Lithuanian prosecutors have not confirmed which institutions’ accounts were involved.
What Was Actually Taken
The Centre of Registers set out the scope in a statement on Tuesday. The exposed information includes names, dates of birth and national identification numbers alongside property data such as addresses, cadastral information and registry numbers. The agency said no contact details, bank account or payment data, court rulings or cadastral measurement files were taken.
Initial estimates put the direct financial damage at more than €111,000. Treat that as a floor, not a measure of harm. The figure reflects the commercial value of the paid registry extracts, not the security cost of 600,000 Lithuanians’ home addresses and identification numbers now sitting in a hostile dataset.
The Russia Question Belongs To A Politician, Not The Prosecutors
Most of the coverage led with Russia. That attribution did not come from the investigation. It came from Kasciunas, who wrote on Facebook on Sunday that the breach bore “the hallmarks of a Russian intelligence operation.” He offered no evidence. The Prosecutor General’s Office has neither confirmed nor denied Russian involvement and no group has claimed the attack.
The distinction is worth holding onto. A prosecutor saying the access likely came from an unnamed foreign country is a careful, evidence-bound statement. An opposition politician naming Moscow on social media three days later is a political one. Both can be reported. They are not the same claim and conflating them is how a credential-misuse case becomes a spy thriller before anyone has traced a single connection.
Kasciunas’s underlying warning holds regardless of who was behind it. A register of home addresses tied to intelligence officers, military personnel, diplomats and politicians is a useful asset for any hostile service, and could feed surveillance, phishing, coercion or sabotage planning. Lithuania borders the Russian exclave of Kaliningrad and Russia’s ally Belarus and has spent years cataloguing hybrid operations against it.
A Resignation, And A €60 Million Admission
Adrijus Jusas, who led the Centre of Registers, resigned on Monday. “Given the sensitivity of the situation, I have decided to step down and hand over responsibility to other professionals,” he said in comments to Lithuanian media.
His exit interview said more than his resignation. Jusas blamed years of underinvestment in state IT and put the cost of bringing the registry’s systems up to modern security standards at as much as €60 million. That is the line other registry operators should read twice. The breach was not found and disclosed on the same day, it was detected in early April and held back during the investigation. A system that cannot afford monitoring is a system that finds out late.
Authorised Access Is The Weak Point
The mechanics of this breach are not exotic which is exactly why they travel. Any register that sells bulk data access to a list of authorized institutions carries the same exposure. The perimeter holds and the risk sits in the credentials handed to third parties and in whether anyone watches how those credentials are used.
Sweden runs the same model. Bolagsverket holds the company register and Lantmäteriet holds the property and cadastral register, both with paid, authorized bulk access for banks, insurers, law firms and data resellers. Neither has reported a breach. The question their access controls have to answer is the one Lithuania’s did not. Would you notice if one authorized account suddenly pulled 600,000 records?
For any organization running or consuming authorized registry access, three things are worth checking this week. Whether bulk extraction by an authorized account triggers an alert. Whether credentials issued to partner institutions are rotated and monitored, not set once and forgotten. And whether your own detection would have caught this in April rather than in late May. Lithuania’s answer to the last one was no and it cost the head of the agency his job.
References
- Lithuania investigates theft of 600,000 state registry records by foreign actor
- A country of 2.9 million people on Russia’s border just had 600,000 national records stolen
- Lithuania Suspects Foreign Involvement in Data Leak of Over 600,000 National Register Entries
- Lithuania Centre of Registers chief resigns after major data leak
This post is also available in:
Svenska
Related News
CISA Fast-Tracks Nine-Year-Old Linux Root Bug to Known Exploited List
CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalogue on Friday, confirming that a nine-year-old Linux kernel flaw is being exploited in live attacks. The…
May 4, 2026 ShinyHunters Claims Udemy, Zara and 7-Eleven in Latest Extortion Wave
ShinyHunters claimed to have stolen 1.4 million records from online learning platform Udemy and has threatened to release the data alongside stolen information from Zara…
April 28, 2026