A small security slip — an exposed file and an open admin panel — gave a hacker full access to BWSSB’s database, putting over 290,000 people’s personal details at risk. CloudSEK’s STRIKE Team breaks down how it happened, what went wrong, and what can be done to prevent such breaches.
This report presents a comprehensive analysis of a security incident involving The Bangalore Water Supply and Sewerage Board (BWSSB). The incident concerns the unauthorized sale of direct root access to the database, compromising 290K+ user records, all valued at $500.
CloudSEK’s STRIKE Team has been actively monitoring this incident. Our investigation delves into the potential attack vectors exploited by the Threat Actor to gain unauthorized access to this data. By analyzing possible entry points, misconfigurations, and security lapses, we aim to reconstruct the sequence of events that led to this breach.
On 10th April 2025, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor by the name pirates_gold claiming to sell the data dump and direct root access of BWSSB’s database.
The initial post by the threat actor specified a payable amount of $500 for access to the compromised BWSSB database. However, upon direct engagement, the actor demonstrated a high level of urgency and appeared willing to negotiate significantly lower prices, indicating a potential desperation to sell.
The post claimed that the database access would expose records of 291,212 users. It was explicitly stated that the compromised data did not include the users' passwords. Additionally, the post featured a few lines of sample data.
CloudSEK’s researchers conducted a detailed examination of the threat actor’s post, which included a reference to the subdomain owc.bwssb.gov.in, used as an application portal for water connections.
Subsequent reconnaissance of the subdomain revealed the presence of an exposed endpoint corresponding to Adminer, a widely used database management tool that provides a web-based interface for performing administrative operations on various database management systems.
Engagement with the threat actor further validated the significance of the identified endpoint. During the interaction, the actor confirmed that the endpoint was actively being used to obtain direct root-level access to the underlying database.
Further analysis of the subdomain uncovered the presence of an exposed .env file. In this instance, the file contained plaintext credentials associated with the MySQL database. Upon verification, the credentials were found to be valid. Furthermore, an exclusive sample shared by the threat actor indicated that he was using the same username found in the .env file to log in.
The availability of these credentials, in conjunction with the exposed adminer.php interface, would allow the threat actor to achieve full access to the database.
Based on the available intelligence and corroborating evidence, we can conclude with high confidence that the threat actor gained unauthorized access to the BWSSB database comprising over 290,000 user records by leveraging valid database credentials exposed within a publicly accessible .env file.
Please Note - At the time of writing this report, the .env file was no longer accessible, and the previously exposed credentials had been rendered invalid. However, the threat actor claimed to retain access via a backdoor. CloudSEK has not independently verified this claim.
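The two exposures described above (a world-readable .env file and a reachable adminer.php) leave a clear trace in ordinary web server access logs. As an added example that is not part of CloudSEK's report, the Python script below scans combined-format log lines for requests to dotenv files and Adminer endpoints and separates probes that were actually served (HTTP 200, meaning the file was exposed) from those that were blocked; the log lines, IP addresses and paths are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format (Apache/nginx): ip - - [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Paths whose exposure enabled the breach: dotenv secrets and the Adminer web UI.
SENSITIVE_PATTERNS = [
    re.compile(r'(^|/)\.env(\.[\w.-]+)?$'),       # /.env, /.env.bak, /app/.env.production
    re.compile(r'(^|/)adminer(-[\w.]+)?\.php$'),  # /adminer.php, /adminer-4.8.1.php
]

def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    path = path.split('?', 1)[0]  # drop the query string before matching
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}

def is_sensitive(path):
    return any(p.search(path) for p in SENSITIVE_PATTERNS)

def find_exposure_hits(lines):
    """Return requests for sensitive paths; 'served' is True when the server answered 200."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_sensitive(rec["path"]):
            rec["served"] = rec["status"] == 200
            hits.append(rec)
    return hits

def summarize(hits):
    served = [h for h in hits if h["served"]]
    return {
        "probes": len(hits),
        "served": len(served),
        "served_paths": sorted({h["path"] for h in served}),
        "top_sources": Counter(h["ip"] for h in hits).most_common(3),
    }

# Constructed sample log (documentation IP ranges, invented timestamps and paths).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2025:02:14:01 +0530] "GET /.env HTTP/1.1" 200 412 "-" "curl/8.4"
203.0.113.7 - - [10/Apr/2025:02:14:09 +0530] "GET /adminer.php HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2025:02:14:30 +0530] "POST /adminer.php?server=localhost HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2025:03:01:12 +0530] "GET /.env.bak HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.44 - - [10/Apr/2025:03:05:44 +0530] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(summarize(find_exposure_hits(SAMPLE_LOG.splitlines())))
```

A served hit on a dotenv path is the signal to rotate the database credentials it contains, not just to block the path.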
The threat actor operating under the alias pirates_gold has been identified as the individual responsible for advertising access to the compromised BWSSB database. Analysis of underground forum activity indicates that pirates_gold joined BreachForums in September 2024 and has since established a moderate presence within the community.
As of the time of reporting, the actor holds a reputation score of 60 and has authored over 39 posts suggesting active involvement in data trade, illicit access sales, or related cybercriminal activities.
Primarily motivated by financial gains, the threat actor group generally targets the following sectors:
The particular threat actor employs a multi-faceted approach to compromise targets and profit from stolen data: