16M User PII Records from Swachhata Platform, India allegedly breached by LeakBase

Summary

16 million user PII records compromised from India’s Swachhata Platform. Leaked data contains email and password combos.
Category: Adversary Intelligence
Industry: Government
Country: India
Source*: C3

Executive Summary

Threat
  • 16 million user PII records compromised from India’s Swachhata Platform.
  • Leaked data contains email and password combos.
Impact
  • Leaked information can be sold as leads on cybercrime forums.
  • Social Engineering & Phishing attempts against affected individuals.
Mitigation
  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil recently discovered a post by the threat actor LeakBase, advertising the breach of the Swachhata Platform (Swachh.city).
  • The Swachhata Platform is an initiative of the Swachh Bharat Mission, in association with the Ministry of Housing and Urban Affairs of India.
  • Shared data samples contain PII such as email addresses, hashed passwords, User ID, etc.
  • 16 million user records have been compromised.
  • 6 GB compromised data is being shared via a popular file-hosting platform.
Threat actor’s advertisement on the cybercrime forum

Information from the Sample

The leaked data samples provided the following information:
  • Registered email addresses
  • Password hashes
  • Registered phone numbers
  • Transmitted OTP information
  • Login IP to platform
  • MAC address from user’s systems
  • Individual user tokens
  • Browser fingerprint information

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: March 2022
Names Used: LeakBase, Chucky, Chuckies, Sqlrip, etc.
Reputation: High (No complaints and credible reputation)
Current Status: Active
History:
  • Previously known for providing reliable information and data breaches from companies around the world.
  • Often operates for financial gain and conducts sales on their marketplace forum leakbase.cc.
  • Offers access to admin panels and servers of most CMSs, allegedly gained via unauthorized means and sold for monetary profit.
Rating: C3 (C: Fairly reliable; 3: Possibly true)

Impact and Mitigation

Impact
  • This information can be aggregated to further be sold as leads on cybercrime forums.
  • This information can be harvested by threat actors to conduct the following cyber attacks:
    • Phishing
    • Smishing
    • Social Engineering
Mitigation
  • Implement a strong password policy and enable MFA across logins.
  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

Appendix

A sample of the database, disclosed by the threat actor

Comment that was observed under the post
