Lithuania Lost 600K Land Registry Records to Stolen Logins

On May 22, 2026, the Lithuanian Prosecutor General's Office announced that someone had been quietly draining the Centre of Registers (Registrų centras) for months. By May 27, President Gitanas Nausėda told reporters the operation looked "hostile state" in character. The financial damage so far is small—€111,000, about $129,000. The strategic damage is harder to measure, because the records that walked out are the kind that let a foreign intelligence service map a country's politicians, judges, and dissidents by their home addresses.

Key Takeaways

• More than 600,000 records were pulled from Lithuania's Centre of Registers using legitimate credentials belonging to the Migration Department, not a software exploit.
• The intrusion was discovered in early April 2026 and announced publicly on May 22 by the Prosecutor General's Office; President Nausėda flagged hostile state involvement on May 27.
• Compromised data covers names, dates of birth, national identification numbers, addresses, cadastral information, and registry numbers from the Real Estate and Legal Entities Registers.
• Centre of Registers chief Adrijus Jusas resigned, blaming "years of underinvestment in state IT infrastructure" and estimating €60 million is needed to upgrade systems.
• Lithuanian authorities have not formally attributed the attack, but opposition leader Laurynas Kasčiūnas said it carries "the hallmarks of a Russian intelligence operation."

What Was Stolen From the Centre of Registers?

The Centre of Registers is the state body that runs Lithuania's Real Estate Register and its Legal Entities Register. In a country of 2.8 million people, those two databases describe almost every adult: where they live, what property they own, which companies they direct, and which national ID number ties it all together.

According to the Centre of Registers, the stolen records include full names, dates of birth, personal identification numbers (the Lithuanian equivalent of a social security number), residential and property addresses, cadastral information that describes land parcels precisely enough to find them on a map, and registry numbers that link a person to every entity they have ever registered. Bank account numbers and payment details were not in the affected datasets, and the Centre says no official documents were extracted.

That sounds like a limited theft. It is not. A Lithuanian opposition politician, a Belarusian journalist hiding in Vilnius, or an EU sanctions officer all have an address in those records. So does every prosecutor named in the investigation.

How Did the Attackers Get In Without Hacking Anything?

They did not exploit a vulnerability. They used valid logins. The Migration Department is one of several Lithuanian institutions that holds legitimate, authorized access to query the Centre of Registers as part of its day to day work. Someone—either through phishing, credential theft, or an insider—handed over those Migration Department accounts, and the attackers then ran very large numbers of queries from abroad over an extended period.

According to The Record's reporting on the Prosecutor General's announcement, the abuse pattern was the same one that has burned down enterprise SaaS tenants for the past two years: legitimate authentication, illegitimate volume. From the Centre of Registers' point of view, every request looked like a Migration Department case worker doing their job. From the data warehouse's point of view, 600,000 records were quietly siphoned off.

This is the same playbook ShinyHunters has been running against Salesforce tenants since March—the Charter Communications case is a near identical mechanism in a private sector wrapper. The defense gap is the same in both contexts. Once an attacker holds a federated identity that the data platform trusts, no firewall or endpoint product sees anything wrong.

Why Does This Matter for Journalists and Activists in the Region?

Lithuania sits on Russia's border. Vilnius has become a refuge city for Belarusian opposition figures since 2020 and for Russian journalists who left after February 2022. Several of the most prominent independent Russian language outlets, including investigators who track Kremlin influence operations, operate from Lithuanian addresses.

If the leaked dataset includes home addresses, it gives a hostile service the most basic input it needs: physical surveillance targeting, the ability to map a journalist's commute, and the data points required to plant a tracking device, stage a robbery, or harass a family member. Hostile services also use real estate registries to identify properties owned through trusts and shell companies, which is precisely the kind of operational counterintelligence that Russian and Belarusian agencies have been running against émigré communities for years.

Independent journalists in Lithuania should now treat their home address as compromised. Activists should assume any private residence registered in their name is known to whichever foreign service ordered the pull. The Committee to Protect Journalists has previously documented spyware campaigns against Eastern European reporters; the closest recent parallel is the Russian Signal account hijacking campaign exposed by Amnesty International in May, which also targeted more than 13,500 people without breaking encryption.

What Did the Lithuanian Government Do in Response?

Three immediate actions, according to DataBreaches.net's coverage. First, the Centre of Registers blocked all accounts suspected of being misused and required credential resets for institutional users. Second, the agency introduced additional cybersecurity measures, including stricter monitoring on bulk query patterns. Third, the chief executive resigned.

Adrijus Jusas, Centre of Registers chief, said in his resignation statement: "Given the sensitivity of the situation, I have decided to step down." He later blamed "years of underinvestment in state IT infrastructure" and estimated €60 million was needed to bring the systems up to modern security standards. The Centre confirmed the direct financial damage from the queries themselves at €111,000.

Affected residents will not be notified individually. Lithuanian law does not require breach notification at the level GDPR demands for private controllers when the breached entity is a state register, and there is no obvious remediation a citizen could take. The address on the title deed is the address.

What Should You Do If You Live in the Baltics or Work With Affected People?

For most Lithuanian residents, the practical guidance is narrow but worth taking. Treat any unsolicited message that references your specific address, your spouse's name, or your property as a possible targeted phishing attempt rather than a legitimate communication. The leaked dataset gives scammers and intelligence operators the kind of authentic detail that makes a fake official letter, a forged bailiff notice, or a fraudulent property tax email look real.

For journalists, activists, opposition politicians, and their families: assume an adversary has your home address and act on that assumption. That means not confirming an address by clicking a tracking link in any email, no matter how plausible the sender. Tracking pixels in email are the single fastest way for an operator to confirm that an inbox is live, that the recipient is in a particular country, and that a follow up lure is worth sending. Gblock strips those invisible pixels out of Gmail before they call home, which removes one of the few confirmation channels a remote operator has.

The Bigger Picture

Lithuania is not the first European country to lose a state registry to credential abuse, and it will not be the last. Estonia's e-residency system, Latvia's land registry, and Finland's tax database all sit behind federated logins that grant access to multiple institutional users. The defensive question is not whether a perimeter holds—it is whether the agency that legitimately accesses the database has stronger account protection than the agency that owns it.

Centre of Registers ran on the trust assumption that the Migration Department's logins were safe. They were not. Lithuania is now spending €60 million to make sure no other Lithuanian institution's logins ever are again.