PHI Database: Portal for Health Informatics - IIIT Delhi shared on Cyber Crime Forum

CloudSEK's contextual AI digital risk platform XVigil has discovered a post on an English speaking cybercrime forum, sharing a database of PHI-IIIT Delhi for Forum credits. A total of 82 Databases were compromised and leaked data.
Updated on
July 31, 2023
Published on
July 31, 2023
Subscribe to the latest industry news, threats and resources.

Category: Adversary Intelligence

Industry: Healthcare & Pharma


Region: India


B:Usually reliable

2: Probably true

Executive Summary

CloudSEK's contextual AI digital risk platform XVigil has discovered a post on an English speaking cybercrime forum, sharing a database of PHI-IIIT Delhi for Forum credits. A total of 82 Databases were compromised and leaked data includes Emails, Name, Year and Internal healthcare & Vaccine development related documents, including research papers and more. It should be noted that a portion of the offered database is accessible for public consumption on the PHI Portal hosted on ERNET (Education and Research Network): ERNET is an autonomous scientific society under the Ministry of Electronics and Information Technology (MeitY) in India.

PHI: Portal for Health Informatics - is IIIT Delhi's web portal for bioinformatics, health informatics, and genomics, helping biologists in vaccine development and drug designing. It provides servers, databases, and software for scientific computation in healthcare, supporting research in life sciences.

Snapshot from cybercrime forum with PHI’s shared  data

Analysis and Attribution

Information from the Post

On 25 July 2023, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor named UsNsA sharing a database of Portal for Health Informatics - IIIT-Delhi for 8 forum credits. The leaked database, comprising 82 files with a total size of approximately 1.8 GB, contains sensitive information such as username, email addresses and other internal documents.

The shared database, named included:

  • 10,842 emails in the collection with around 6,500 Unique domains and 29,000 Unique URLs in the database. 
  • Internal Data files relating to ovirustdb, leukemiabd, indiabiodb, HIV, and more. 
  • The leaked database file contains various tables, including bacvacdb, cancerdp, PHPMyadmin, dengi, and Crud. Additionally, it includes usernames such as admin, test, Vikram, mouli, osddadmin, osdduser11, and user31, which were obtained from the DotProject Contacts Table.

It is worth noting that the 54 databases leaked on the website are already available for public consumption through the website can be through the website as mentioned below

Openly available search for the database on the PHI Portal

Information from the Post (Contd)

Snapshot of the Publicly available 54 Databases

The actor exploited a SQL injection vulnerability on the PHI Portal website to gain unauthorized access and exfiltrate the database, likely employing the SQLMap tool

  • SQLMap is a powerful open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities in web applications.
  • CloudSEK researchers discovered SQL injection-affecting parameters present in the SQL logs.

The leaked MySQL User table named "users" exposed sensitive information such as usernames, hashed passwords, user privileges, SSL type, and possibly other confidential data. Furthermore, the website displayed numerous instances of SEO Spam, as evident in the below images indicating a certain section of the website is not moderated.

Snapshot of Spam SEO in the website

Threat Actor Activity and Rating

Threat Actor Profiling

Active since

June 2023



Current Status



Shared Database for countries including

  • Indonesia

  • Thailand 

  • Hongkong


B2 (B: Usually reliable, 2:Probably true)


Impact & Mitigation


  • The leaked information could be used to gain initial access to the company’s infrastructure.
  • If the leaked data is not encrypted, it could enable account takeovers.
  • Commonly used passwords or weak passwords could lead to brute force attacks.
  • It would equip malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence. 



Snapshot of Bank Negara Indonesia and other Databases shared by the actor

Leaked Databases Names

  • ahtpdb
  • antitbpdb
  • apocand
  • b3pdb
  • bacvacdb
  • bbs
  • biadb
  • cancerabcd
  • cancerdp
  • cancerdr
  • cancerend
  • cancerhla1
  • cancerliver
  • cancerpdf
  • cancerppd
  • cancertope
  • carbodb
  • ccdb
  • cppsite
  • cppsite3
  • crisprge
  • crud
  • dbem
  • dengi
  • denvind
  • dotproject
  • drplga
  • drug
  • ebola
  • ecdb
  • egfrindb
  • fermfoodb
  • forum
  • galaxy
  • gpsr
  • hemolytik
  • herceptinr
  • hipdb
  • hivsir
  • Hmrbase
  • hmrbase2
  • hpvbase
  • hrdb
  • humcfs
  • Immunospdb
  • imtapps
  • imtword
  • indiabiodb
  • information_schema
  • jos
  • leukemiabd
  • lmsdb
  • moodle
  • mtbveb
  • mycotb
  • mysql
  • old
  • open
  • ovirustdb
  • parapep
  • pcmdb
  • pdb
  • peplife
  • performance_schema
  • pgpdb
  • phpmyadmin
  • procanbio
  • prrdb2
  • rareled
  • ravelled
  • salivadb
  • sapdb
  • satpdb
  • sys
  • thpdb
  • Thpdb2
  • thycanbio
  • topicalpdb
  • tumorhope
  • vactarbac
  • viralvacdb
  • vlcvirus

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations