16 Million Indian citizens’ PII compromised in massive data breach
On September 23, 2022, researchers discovered the leaked database through Cyble’s Threat Intelligence platform. The leak was shared by the Threat Actor (TA) LeakBase, who is active on the cybercrime forum Breach Forum and had compromised several prominent financial institutions in India prior to this leak.
The database contained the PII (Personally Identifiable Information) of 16 million users of the Swachhata Platform (Swachh.city), a Swachh Bharat Mission initiative governed by the Ministry of Housing and Urban Affairs (MoHUA), Government of India. The platform is used to submit and follow up on municipal complaints.
The leaked data included users’ emails, usernames, passwords, mobile numbers, as well as login and OTP tokens.
Our initial observations revealed that the compromised datasets included a total of 16,457,744 records with the following header values:
`id`, `username`, `user_id`, `email`, `password`, `mobile_number`, `otp`, `otp_sent_at`, `mobile_number_verified`, `mobile_number_verified_at`, `email_activation_token`, `email_activation_token_sent_at`, `email_verified`, `email_verified_at`, `remember_token`, `mac_address`, `banned`, `banned_at`, `last_login_at`, `last_login_ip`, `last_login_user_agent`, `last_login_channel`, `created_at`, `updated_at`, `deleted`, `deleted_at`, `non_verified_mobile_number`, `non_verified_mobile_number_otp`, `non_verified_mobile_number_otp_sent_at`, `otp_source`, `login_token`, `login_token_sent_at`, `comments`, `migrated_at`, `icmyc_user_id`
It is worth noting that the records in the compromised datasets consist of comprehensive information on the users registered on the impacted platform. It includes email addresses, encrypted passwords, mobile numbers, IP addresses, user-agent information, MAC address, and the ICMyC user ID of the individuals.
The compromised datasets included 101,718 unique email addresses and 15,835,111 unique mobile numbers, suggesting an indicative number of users impacted in the subject data breach by the TA LeakBase.
ICMyC is an abbreviation of “I Change My City,” a civic initiative of the non-profit trust “Janaagraha Centre for Citizenship and Democracy.”
The same organization developed and is also responsible for managing the MoHUA’s “Swachhata-MoHUA” and various other related Swachhata Technology Platforms developed for iOS, Android, and Web users.
Further analysis of the data suggested that the 5.96 GB of leaked data was stolen from a Structured Query Language (SQL) database named “swachh_manch” on the database server of the impacted infrastructure.
Over the course of our research, we determined that the oldest account in the dataset was created on June 17, 2022, and the latest login was observed on May 20, 2022. This is supported by the metadata in the SQL data dump summary, indicating that the TA likely exfiltrated the data on May 20, 2022 (see Figure 4). The SQL header also revealed that the impacted infrastructure was running an outdated version of phpMyAdmin on an outdated Ubuntu 16.04.1 host operating system.
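The record counts and date bounds quoted above (total records, unique emails, unique mobile numbers, oldest account creation, latest login) are the kind of triage a defender runs over a suspected dump before deciding who to notify and which secrets to rotate. The following Python, added here as an illustration and not part of Cyble’s tooling or the original report, parses a small constructed CSV sample that uses a subset of the leaked header names, computes those summary figures, and classifies the full header list into columns that hold credentials (must be invalidated), contact data (used for notification) and device or network identifiers. The sample rows and the classification rules are assumptions made for the example.

```python
import csv
import io
from datetime import datetime

# Column names exactly as listed in the report's dump header.
HEADERS = [
    "id", "username", "user_id", "email", "password", "mobile_number", "otp",
    "otp_sent_at", "mobile_number_verified", "mobile_number_verified_at",
    "email_activation_token", "email_activation_token_sent_at", "email_verified",
    "email_verified_at", "remember_token", "mac_address", "banned", "banned_at",
    "last_login_at", "last_login_ip", "last_login_user_agent", "last_login_channel",
    "created_at", "updated_at", "deleted", "deleted_at", "non_verified_mobile_number",
    "non_verified_mobile_number_otp", "non_verified_mobile_number_otp_sent_at",
    "otp_source", "login_token", "login_token_sent_at", "comments", "migrated_at",
    "icmyc_user_id",
]

# Constructed sample dump (placeholder values, NOT rows from the real leak).
# Only a subset of the columns is populated to keep the sample readable.
SAMPLE_DUMP = """id,username,email,password,mobile_number,created_at,last_login_at,last_login_ip
1,user_a,A@example.invalid,$2y$10$placeholderhash1,9000000001,2022-05-01 10:00:00,2022-05-18 09:00:00,203.0.113.10
2,user_b,a@example.invalid,$2y$10$placeholderhash2,9000000002,2022-04-20 08:30:00,2022-05-20 11:15:00,203.0.113.11
3,user_c,,$2y$10$placeholderhash3,9000000001,2022-03-15 12:00:00,,198.51.100.5
4,user_d,d@example.invalid,$2y$10$placeholderhash4,,2022-05-19 07:45:00,2022-05-19 07:50:00,
"""


def parse_dump(text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    """Return a datetime for a 'YYYY-MM-DD HH:MM:SS' string, or None when empty."""
    value = (value or "").strip()
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S") if value else None


def summarize(rows):
    """Compute the figures a breach triage usually starts with.

    Emails are lower-cased before de-duplication so case variants of the same
    address (a very common source of inflated counts) collapse to one.
    """
    emails = {r["email"].strip().lower() for r in rows if r["email"].strip()}
    mobiles = {r["mobile_number"].strip() for r in rows if r["mobile_number"].strip()}
    created = [ts for ts in (parse_ts(r["created_at"]) for r in rows) if ts]
    logins = [ts for ts in (parse_ts(r["last_login_at"]) for r in rows) if ts]
    return {
        "records": len(rows),
        "unique_emails": len(emails),
        "unique_mobiles": len(mobiles),
        "oldest_created_at": min(created) if created else None,
        "latest_login_at": max(logins) if logins else None,
    }


def classify_columns(headers):
    """Bucket header names by the response action they imply (assumed rules).

    credential: values that let someone authenticate; invalidate/rotate them.
    contact:    values needed to notify affected users.
    identifier: network/device data useful for abuse correlation.
    """
    credential = {
        c for c in headers
        if c == "password" or c == "otp" or c.endswith("_otp") or c.endswith("_token")
    }
    contact = {c for c in headers if c == "email" or c.endswith("mobile_number")}
    identifier = {
        c for c in headers
        if c.endswith("_ip") or c == "mac_address" or c.endswith("_user_agent")
    }
    return {"credential": credential, "contact": contact, "identifier": identifier}


if __name__ == "__main__":
    print(summarize(parse_dump(SAMPLE_DUMP)))
    print(classify_columns(HEADERS))
```

On a real dump the same functions would be run with `csv` streaming rather than loading everything into memory, but the de-duplication and date-bound logic is identical. Note that a gap between the computed `oldest_created_at` and `latest_login_at` is exactly the sort of inconsistency worth cross-checking against the dump’s own metadata header, as the report does with Figure 4.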
Possible Cause of the Compromise
Cyble’s Threat Intelligence Platform captured compromised administrator and non-administrator login credentials for the phpPgAdmin web portal of the impacted infrastructure in multiple stealer-malware log instances dated April 11, 2022 (see Figure 5).
The root, super admin, admin, and QA admin accounts used weak password strings that were also susceptible to password dictionary attacks.
Overview of the Threat Actor’s Forum Activities
The TA LeakBase has been active on BreachForums since March 29, 2022, and is also a moderator on LeakBase.cc. The TA has 391 posts, including 354 threads, and has built a positive reputation for their leaks and alleged compromises.
The TA has been active on the forums with regular contributions to breached databases and the sale of admin/unauthorized access to websites.
Our research largely indicates that these credentials were likely compromised from the developers’ accounts, which could have provided the TA’s initial access into the compromised infrastructure and led to the subsequent data breach.
However, the TA had earlier disclosed to our source that their primary tactic was a custom brute-forcing method. According to our findings, this method appears to be a plausible attack vector for the subject data breach. The Tactics, Techniques, and Procedures (TTPs) the TA leveraged for the intrusion remain largely unconfirmed.
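Whether the initial access came from stolen developer credentials or from brute forcing, both leave the same trace on the login endpoint of an administrative web portal: a burst of failed POSTs from one source, possibly followed by a success. The Python below is an added example, not code from the report or the affected platform, of a sliding-window detector over constructed access-log lines in common log format. It reports any source address whose failed logins to the admin login path reach a threshold inside the window, and whether that address then authenticated successfully (the “success after burst” case that should page someone rather than just raise a ticket). The `/admin/login` path, the thresholds and the log lines are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in common log format (not from the report).
# 203.0.113.50 fails five times inside a minute and then gets a redirect (login OK);
# 198.51.100.7 fails once and succeeds two minutes later (ordinary typo).
LOG_LINES = """\
203.0.113.50 - - [11/Apr/2022:09:00:01 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.50 - - [11/Apr/2022:09:00:03 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.50 - - [11/Apr/2022:09:00:04 +0000] "POST /admin/login HTTP/1.1" 401 512
198.51.100.7 - - [11/Apr/2022:09:00:10 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.50 - - [11/Apr/2022:09:00:12 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.50 - - [11/Apr/2022:09:00:20 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.50 - - [11/Apr/2022:09:00:45 +0000] "POST /admin/login HTTP/1.1" 302 0
198.51.100.7 - - [11/Apr/2022:09:02:00 +0000] "POST /admin/login HTTP/1.1" 302 0
203.0.113.50 - - [11/Apr/2022:09:30:00 +0000] "GET /index.php HTTP/1.1" 200 2048
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

FAILURE_STATUSES = {401, 403}
SUCCESS_STATUSES = {200, 302}


def parse_ts(value):
    """Parse the common-log timestamp, e.g. '11/Apr/2022:09:00:01 +0000'."""
    return datetime.strptime(value, "%d/%b/%Y:%H:%M:%S %z")


def detect_bruteforce(lines, login_path="/admin/login", threshold=5,
                      window=timedelta(seconds=60)):
    """Return {ip: {...}} for sources whose login failures hit `threshold` in `window`."""
    events = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue
        events[m["ip"]].append((parse_ts(m["ts"]), int(m["status"])))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        failures = [ts for ts, status in evs if status in FAILURE_STATUSES]

        # Two-pointer sliding window over the sorted failure timestamps.
        best, start, burst_end = 0, 0, None
        for end, ts in enumerate(failures):
            while ts - failures[start] > window:
                start += 1
            count = end - start + 1
            best = max(best, count)
            if count >= threshold and burst_end is None:
                burst_end = ts  # first moment the threshold was crossed

        if best >= threshold:
            success_after = any(
                status in SUCCESS_STATUSES and ts >= burst_end for ts, status in evs
            )
            alerts[ip] = {
                "max_failures_in_window": best,
                "success_after_burst": success_after,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(LOG_LINES).items():
        print(ip, info)
```

In production the same logic belongs in the SIEM or in an account-lockout/rate-limit control in front of the portal, keyed on both source address and target username so that slow, distributed attempts against one privileged account are also caught; the per-IP window shown here is the simplest form of the rule.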
The TA LeakBase has repeatedly targeted public and private entities in India and leaked several compromised datasets on the cybercrime forum. Cyble Research and Intelligence Labs will continue to monitor the TA’s activities.