Category: Vulnerability exploit. Status: Resolved.

DigiNotar certificate authority compromise

An intruder gained total control of Dutch certificate authority DigiNotar, issuing more than 500 fraudulent SSL certificates — including a wildcard for *.google.com used to wiretap some 300,000 Iranian Gmail users — and triggering the company's collapse.

Victim: DigiNotar
Users affected: 300.0K

On 30 August 2011, the Dutch certificate authority DigiNotar confirmed that an attacker had penetrated its network and abused its trusted position in the global Public Key Infrastructure (PKI) to issue more than 500 fraudulent SSL/TLS certificates. The incident is a landmark in internet security: it demonstrated that the entire web's trust model could be subverted through a single compromised CA, and it ended with DigiNotar's bankruptcy within weeks.

What happened

DigiNotar was a small Dutch CA, acquired by VASCO Data Security in January 2011, that issued certificates trusted by every major browser. It also operated PKIoverheid, the certificate infrastructure underpinning much of the Dutch government's digital services.

According to the forensic investigation by Fox-IT (the "Operation Black Tulip" report), the outer perimeter of DigiNotar's network was breached on 17 June 2011. The intruder moved laterally — exploiting poor network segmentation, weak firewall rules, and out-of-date software — and reached the certificate-issuing servers by 1 July. The attacker ultimately gained control of all eight CA servers.

Between 10 and 20 July 2011, the intruder generated over 500 rogue certificates for high-value domains including a wildcard *.google.com, plus certificates impersonating Yahoo, Mozilla, Skype, Microsoft Update, the CIA, MI6, and Mossad.

Impact

  • A fraudulent *.google.com certificate was used in man-in-the-middle attacks to wiretap the Gmail traffic of roughly 300,000 Iranian internet users — the attack's apparent real-world purpose.
  • On 29 August 2011, Microsoft, Mozilla, Google, and Apple revoked trust in all DigiNotar root certificates. Because DigiNotar underpinned Dutch e-government, hospitals, courts, and financial services, the revocation crippled parts of the Dutch national infrastructure, forcing the government to take emergency operational control of the company.
  • DigiNotar was declared bankrupt on 20 September 2011, less than a month after disclosure.

Attribution

A hacker using the alias "ComodoHacker" — who had compromised the Comodo CA months earlier in March 2011 — claimed responsibility, leaving a signature in a text file on DigiNotar's servers and posting messages framing the operation as retaliation. Investigators assessed the attacker was operating from Iran, and the targeting of Iranian Gmail users pointed strongly to state-aligned surveillance objectives.

Why it matters

DigiNotar is the defining case study in PKI fragility: trust in the web depends on hundreds of CAs, and the compromise of any one of them can undermine all of them. The incident directly accelerated industry reforms — most notably Certificate Transparency, public logs that make rogue certificate issuance detectable, and stricter CA/Browser Forum audit requirements. It remains the textbook example of why certificate authorities are among the highest-value targets on the internet.
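The detection mechanism this paragraph credits to Certificate Transparency can be shown in miniature: an RFC 6962-style append-only Merkle log in which every issued certificate is a leaf, anyone can verify that a leaf is included under a published tree head, and a domain owner's monitor can flag a certificate for its domain from a CA it never authorised. The Python below is an added example written for this page, not code from DigiNotar, Fox-IT or any CT log operator; the log entries, CA names and domains are constructed, and the `issuer|subject` entry encoding and the `find_unexpected_issuance` monitor are assumptions standing in for real log entries and a real monitor.

```python
"""Minimal RFC 6962-style Merkle log plus a domain monitor (added example, not DigiNotar/CT code)."""
import hashlib
from typing import List, Set, Tuple

# RFC 6962 section 2.1: leaves and interior nodes get different prefixes so a
# leaf can never be mistaken for an interior node (second-preimage defence).
def hash_leaf(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaf_hashes: List[bytes]) -> bytes:
    """Merkle Tree Hash (MTH) over an ordered list of leaf hashes."""
    if not leaf_hashes:
        return hashlib.sha256(b"").digest()
    if len(leaf_hashes) == 1:
        return leaf_hashes[0]
    k = _split_point(len(leaf_hashes))
    return hash_node(merkle_root(leaf_hashes[:k]), merkle_root(leaf_hashes[k:]))


def inclusion_proof(leaf_hashes: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Audit path for leaf `index`: (sibling_hash, sibling_is_left), leaf upward."""
    n = len(leaf_hashes)
    if n == 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(leaf_hashes[:k], index) + [(merkle_root(leaf_hashes[k:]), False)]
    return inclusion_proof(leaf_hashes[k:], index - k) + [(merkle_root(leaf_hashes[:k]), True)]


def verify_inclusion(entry: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the path from the entry to the root; True only if it matches the tree head."""
    h = hash_leaf(entry)
    for sibling, sibling_is_left in proof:
        h = hash_node(sibling, h) if sibling_is_left else hash_node(h, sibling)
    return h == root


def _covers(subject: str, domain: str) -> bool:
    """True when a certificate subject (possibly a wildcard) covers `domain` or a subdomain."""
    s = subject[2:] if subject.startswith("*.") else subject
    return s == domain or s.endswith("." + domain)


def find_unexpected_issuance(log_entries: List[bytes], domain: str, authorised_issuers: Set[str]) -> List[bytes]:
    """Monitor: every logged certificate for `domain` whose issuer the owner did not authorise.
    Entry encoding 'issuer|subject' is an assumption made for this example."""
    unexpected = []
    for entry in log_entries:
        issuer, subject = entry.decode().split("|", 1)
        if _covers(subject, domain) and issuer not in authorised_issuers:
            unexpected.append(entry)
    return unexpected


# Constructed sample log: four legitimate issuances and one rogue wildcard,
# the shape of event a public log makes visible to the domain's owner.
LOG: List[bytes] = [
    b"Example Trusted CA|mail.example.com",
    b"Example Trusted CA|www.example.com",
    b"Other CA|www.example.net",
    b"Hypothetical Rogue CA|*.example.com",
    b"Example Trusted CA|api.example.com",
]
LEAF_HASHES = [hash_leaf(e) for e in LOG]
TREE_HEAD = merkle_root(LEAF_HASHES)

if __name__ == "__main__":
    for i, entry in enumerate(LOG):
        ok = verify_inclusion(entry, inclusion_proof(LEAF_HASHES, i), TREE_HEAD)
        print(f"leaf {i} included: {ok}")
    for e in find_unexpected_issuance(LOG, "example.com", {"Example Trusted CA"}):
        print("ALERT unexpected issuance:", e.decode())
```

The two halves correspond to the two properties CT adds on top of a plain CA: the inclusion proof lets anyone check that a certificate is really in the public record (so a log cannot quietly omit it), and the monitor turns that record into an alert for the domain owner. A CA compromise of the DigiNotar kind still issues the certificate, but once logging is mandatory it can no longer issue it unobserved.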

Timeline

  1. The outer perimeter of DigiNotar's network is first breached, according to the later Fox-IT investigation.

  2. The intruder tunnels through compromised systems to reach the certificate-issuing CA servers.

  3. The first rogue certificate is successfully issued; between 10 and 20 July more than 500 fraudulent certificates are generated.

  4. DigiNotar detects the intrusion internally but does not disclose it publicly.

  5. A fraudulent *.google.com certificate is reported in the wild, used in man-in-the-middle attacks against Iranian users.

  6. Major browsers and operating systems begin removing DigiNotar's root certificates from their trust stores.

  7. DigiNotar is declared bankrupt by a Haarlem court.

Sources

  1. https://en.wikipedia.org/wiki/DigiNotar
  2. https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
  3. https://www.enisa.europa.eu/sites/default/files/all_files/Operation_Black_Tulip_v2.pdf
  4. https://www.eff.org/deeplinks/2011/09/post-mortem-iranian-diginotar-attack
  5. https://www.theregister.com/2011/09/20/diginotar_bankrupt/
