
Someone in our company, a long time ago, downloaded an infected Windows Server copy from a torrent site and kept it as a test server on our network until now. Recently, our administrator noticed huge outgoing traffic from that computer, started digging and found that the infected system contained an OS user which was present in the original OS installation, which had basically installed about 5 GB of brute-forcing apps and collected some (not very impressive) amount of stolen credentials, including:

  1. Stolen accounts for not very popular sites like bluebella.com (a lingerie site) and some money-related sites. Some of these accounts are apparently tied to credit cards with minimal amounts of money
  2. Stolen RDP credentials of users at different IP addresses
  3. Other stolen credentials on different IP:ports (mostly easy-to-guess passwords like root_user:pwd123456 etc.)

So this all looks like our computer was part of a botnet. However, the hacker was doing this in a quite manual way, because the txt files with credentials and images are named in a non-automated way.

My question is: besides reinstalling the OS and checking a lot of other security things, what are the correct actions regarding the stolen accounts? Should we try to contact the websites with hacked accounts and/or the users with hacked computers? Are there any efficient ways of doing this without spending our admins' time digging through hundreds of websites/accounts?

Anders
  • If I were you, my bigger concern would be checking the rest of your network for additional IOCs. Someone could have used this box to pivot through your network and pillage your internal systems. – DKNUCKLES Apr 06 '17 at 01:14

1 Answer

The best thing is to create a forensic image of the compromised system, note down its hash and store it securely for future reference, in case any government agency traces the illegal activity back to you.

Informing the website owners wouldn't be of much use, as small service providers hardly care about a security breach unless their website is defaced. However, it is worth a try.

You should also consult your legal department and decide whether or not to disclose the incident to law enforcement.

hax
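The imaging step the answer recommends (image the disk, hash it, record the hash), written out as an added shell example that is not part of the original answer. It assumes a POSIX shell with `dd` and either GNU `sha256sum` or BSD `shasum`; the source here is a constructed 4 KiB sample file standing in for the real disk. In practice `SRC` would be the raw block device (e.g. `/dev/sdb`, which needs root), imaged from a clean boot medium rather than from inside the compromised OS, and the image and manifest would go to write-once or access-controlled storage.

```shell
#!/bin/sh
# Added example (not the original answer's code): forensic copy of a source with dd,
# SHA-256 of source and image, and a manifest recording when/who/what so the hash
# can be quoted later. Functions return non-zero on any mismatch.

# sha256_of FILE -> prints the hex digest using whichever tool is installed
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# image_and_hash SRC DEST
# dd copies SRC sector by sector into DEST. conv=noerror,sync keeps going past
# unreadable sectors and zero-pads them, so every good sector keeps its offset.
# bs=512 matches a sector, so a whole device (or a sector-aligned file, as in the
# demo below) is not padded at the end. DEST.manifest records the evidence hash.
# Returns 1 if the image is not bit-identical to the source (read errors, padding).
image_and_hash() {
  src=$1; dst=$2
  dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
  src_hash=$(sha256_of "$src")
  dst_hash=$(sha256_of "$dst")
  {
    printf 'source=%s\n' "$src"
    printf 'image=%s\n' "$dst"
    printf 'imaged_at=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'imaged_by=%s@%s\n' "$(id -un)" "$(uname -n)"
    printf 'sha256=%s\n' "$dst_hash"
  } > "$dst.manifest"
  [ "$src_hash" = "$dst_hash" ]
}

# verify_image DEST -> 0 if DEST still hashes to the value recorded in DEST.manifest
# (run this before every later examination of the image, and record that too).
verify_image() {
  recorded=$(sed -n 's/^sha256=//p' "$1.manifest")
  [ -n "$recorded" ] && [ "$(sha256_of "$1")" = "$recorded" ]
}

# Demo on a constructed stand-in for the disk: 8 random 512-byte sectors.
# This is sample input, not a real drive; replace $work/disk.img with /dev/sdX.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/disk.img" bs=512 count=8 2>/dev/null
if image_and_hash "$work/disk.img" "$work/evidence.dd"; then
  echo "image verified against source:"
  cat "$work/evidence.dd.manifest"
else
  echo "hash mismatch: image is not bit-identical, investigate before relying on it" >&2
fi
verify_image "$work/evidence.dd" && echo "manifest still verifies"
rm -rf "$work"
```

The source-versus-image comparison is the check that matters: a mismatch means either a read error was zero-padded or the copy was incomplete, and an image that cannot be shown to match the original is of little use if the question of who did what is ever raised.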