🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Read More
Adversary Intelligence
5
mins read

Inside the BWSSB Incident : How An Exposed Environment File Enabled the Sale of 290K+ Applicant Records and Database Root Access

A small security slip — an exposed file and an open admin panel — gave a hacker full access to BWSSB’s database, putting over 290,000 people’s personal details at risk. CloudSEK’s STRIKE Team breaks down how it happened, what went wrong, and what can be done to prevent such breaches.

Sourajeet Majumder
April 29, 2025
Green Alert
Last Update posted on
April 29, 2025
Secure your organization's sensitive information from data breach.

Protect your sensitive information from unauthorized access and data breaches with CloudSEK XVigil Credential Breaches module, ensuring the security of your valuable data

Schedule a Demo
Table of Contents
Author(s)
No items found.

Executive Summary

This report presents a comprehensive analysis of a security incident involving The Bangalore Water Supply and Sewerage Board (BWSSB). The incident concerns the unauthorized sale of direct root access to the database, compromising 290K+ user records, all valued at $500.

CloudSEK’s STRIKE Team has been actively monitoring this incident. Our investigation delves into the potential attack vectors exploited by the Threat Actor to gain unauthorized access to this data. By analyzing possible entry points, misconfigurations, and security lapses, we aim to reconstruct the sequence of events that led to this breach. 

Analysis and Attribution

Information from the Post

On 10th April, 2025 CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor by the name pirates_gold claiming to sell the data dump and direct root access of BWSSB’s database.

Screenshot of CloudSEK’s threat feed

The initial post by the threat actor specified a payable amount of $500 for access to the compromised BWSSB database. However, upon direct engagement, the actor demonstrated a high level of urgency and appeared willing to negotiate significantly lower prices, indicating a potential desperation to sell.

The post claimed that the database access would expose records of 291,212 users. It was explicitly stated that the compromised data did not include the user's passwords. Additionally, the post featured a few lines of sample data.


Screenshot of the post made by the threat actor

Technical Analysis and Potential IAV (Initial Access Vector)

CloudSEK’s researchers conducted a detailed examination of the threat actor’s post, which included a reference to the subdomain owc.bwssb.gov.in, used as an application portal for water connection.

Subsequent reconnaissance of the subdomain revealed the presence of an exposed endpoint that corresponds to Adminer, a widely used, database management tool which provides a web-based interface for performing administrative operations on various database management systems.

Engagement with the threat actor further validated the significance of the identified endpoint. During the interaction, the actor confirmed that the endpoint was actively being used to obtain direct root-level access to the underlying database.

Screenshot of Adminer login page


Screenshot of the engagement with the threat actor

Further analysis of the subdomain uncovered the presence of an exposed .env file. In this instance, the file contained plaintext credentials associated with the MySQL database. Upon verification, the credentials were found to be valid. Furthermore, an exclusive sample shared by the threat actor indicated that he was using the same username found in the .env file to log in.

The availability of these credentials, in conjunction with the exposed adminer.php interface, would allow the threat actor to achieve full access to the database.

 

Masked snapshot of the exposed .env file
Masked snapshot of valid access to the MySQL database

Based on the available intelligence and corroborating evidence, we can conclude with high confidence that the threat actor gained unauthorized access to the BWSSB database comprising over 290,000+ user records by leveraging valid database credentials exposed within a publicly accessible .env file.

Please Note - At the time of writing this report, the .env file was no longer accessible, and the previously exposed credentials had been rendered invalid. However, the threat actor claimed to retain access via a backdoor. CloudSEK has not independently verified this claim.

Threat Actor Profile - pirates_gold

The threat actor operating under the alias pirates_gold has been identified as the individual responsible for advertising access to the compromised BWSSB database. Analysis of underground forum activity indicates that pirates_gold joined BreachForums in September 2024 and has since established a moderate presence within the community.

As of the time of reporting, the actor holds a reputation score of 60 and has authored over 39 posts suggesting active involvement in data trade, illicit access sales, or related cybercriminal activities. 

Previous Organisations Targeted:

  • Auxxxreviews
  • Vision Brindes
  • AC Online
  • ISTV.uz
  • Farmacia Internacional
  • U-F-L.net
  • Bank Syariah AlSalaam

Targeted Regions and Sectors: 

Primarily motivated by financial gains, the threat actor group generally targets the following sectors  : 

  • E-Commerce
  • Healthcare
  • Finance
  • Financial Services
  • Adult
Screenshot of top 5 countries targeted by pirates_gold

Modus Operandi

The particular threat actor employs a multi-faceted approach to compromise targets and profit from stolen data:

  • Data Breaches: Exploits vulnerabilities and misconfigurations to gain unauthorized access to organizational databases. 
  • Access Brokerage: Sells root-level database access and other compromised accounts.
  • Data Dump Sales: Monetizes breaches by selling stolen data dumps on underground forums.

Incident Impact and Severity 

  • Complete Administrative Access: Logging in with the exposed credentials provided the threat actor with root-level privileges, enabling complete administrative control over the database.
  • Infrastructure Sabotage and Data Manipulation: Root-level access enables modification or deletion of critical operational data, such as payment records or grievance logs. This could disrupt essential public services, erode public trust, and hinder administrative functions within BWSSB.
  • Extensive Data Exposure: The database contains multiple tables including:
    • Payment Data
    • Application Data 
    • Grievance Data 
    • System Logs
  • PII Compromise: The application table alone holds over 290,000+ records containing sensitive Personally Identifiable Information (PII), including: Full Name, Phone Number, Complete Address, Email ID, Aadhaar Number and other critical applicant details.
  • Targeted Phishing and Social Engineering Campaigns: The compromised data can fuel highly targeted phishing attacks against citizens and employees. Detailed PII enhances the credibility of fraudulent communication, increasing the likelihood of successful exploitation.

Recommendations

  • Conduct a Comprehensive Security Audit: Perform an in-depth audit of the affected infrastructure, to identify and remediate any remaining vulnerabilities or backdoors that may persist post-incident. 
  • Revoke All Exposed and Potentially Compromised Credentials: Ensure that all database and application credentials—especially those previously stored in the .env file—are rotated. Implement strict secret management practices to prevent future credential exposure. 
  • Remove Public Access to Administrative Interfaces: Immediately restrict access to sensitive administrative endpoints such as adminer.php through IP whitelisting, VPN access, or complete removal from the public domain.

References

Author

Sourajeet Majumder

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
No items found.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Adversary Intelligence

5

min read

Inside the BWSSB Incident : How An Exposed Environment File Enabled the Sale of 290K+ Applicant Records and Database Root Access

A small security slip — an exposed file and an open admin panel — gave a hacker full access to BWSSB’s database, putting over 290,000 people’s personal details at risk. CloudSEK’s STRIKE Team breaks down how it happened, what went wrong, and what can be done to prevent such breaches.

Authors
Sourajeet Majumder
Co-Authors
No items found.

Executive Summary

This report presents a comprehensive analysis of a security incident involving The Bangalore Water Supply and Sewerage Board (BWSSB). The incident concerns the unauthorized sale of direct root access to the database, compromising 290K+ user records, all valued at $500.

CloudSEK’s STRIKE Team has been actively monitoring this incident. Our investigation delves into the potential attack vectors exploited by the Threat Actor to gain unauthorized access to this data. By analyzing possible entry points, misconfigurations, and security lapses, we aim to reconstruct the sequence of events that led to this breach. 

Analysis and Attribution

Information from the Post

On 10th April, 2025 CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor by the name pirates_gold claiming to sell the data dump and direct root access of BWSSB’s database.

Screenshot of CloudSEK’s threat feed

The initial post by the threat actor specified a payable amount of $500 for access to the compromised BWSSB database. However, upon direct engagement, the actor demonstrated a high level of urgency and appeared willing to negotiate significantly lower prices, indicating a potential desperation to sell.

The post claimed that the database access would expose records of 291,212 users. It was explicitly stated that the compromised data did not include the user's passwords. Additionally, the post featured a few lines of sample data.


Screenshot of the post made by the threat actor

Technical Analysis and Potential IAV (Initial Access Vector)

CloudSEK’s researchers conducted a detailed examination of the threat actor’s post, which included a reference to the subdomain owc.bwssb.gov.in, used as an application portal for water connection.

Subsequent reconnaissance of the subdomain revealed the presence of an exposed endpoint that corresponds to Adminer, a widely used, database management tool which provides a web-based interface for performing administrative operations on various database management systems.

Engagement with the threat actor further validated the significance of the identified endpoint. During the interaction, the actor confirmed that the endpoint was actively being used to obtain direct root-level access to the underlying database.

Screenshot of Adminer login page


Screenshot of the engagement with the threat actor

Further analysis of the subdomain uncovered the presence of an exposed .env file. In this instance, the file contained plaintext credentials associated with the MySQL database. Upon verification, the credentials were found to be valid. Furthermore, an exclusive sample shared by the threat actor indicated that he was using the same username found in the .env file to log in.

The availability of these credentials, in conjunction with the exposed adminer.php interface, would allow the threat actor to achieve full access to the database.

 

Masked snapshot of the exposed .env file
Masked snapshot of valid access to the MySQL database

Based on the available intelligence and corroborating evidence, we can conclude with high confidence that the threat actor gained unauthorized access to the BWSSB database comprising over 290,000+ user records by leveraging valid database credentials exposed within a publicly accessible .env file.

Please Note - At the time of writing this report, the .env file was no longer accessible, and the previously exposed credentials had been rendered invalid. However, the threat actor claimed to retain access via a backdoor. CloudSEK has not independently verified this claim.

Threat Actor Profile - pirates_gold

The threat actor operating under the alias pirates_gold has been identified as the individual responsible for advertising access to the compromised BWSSB database. Analysis of underground forum activity indicates that pirates_gold joined BreachForums in September 2024 and has since established a moderate presence within the community.

As of the time of reporting, the actor holds a reputation score of 60 and has authored over 39 posts suggesting active involvement in data trade, illicit access sales, or related cybercriminal activities. 

Previous Organisations Targeted:

  • Auxxxreviews
  • Vision Brindes
  • AC Online
  • ISTV.uz
  • Farmacia Internacional
  • U-F-L.net
  • Bank Syariah AlSalaam

Targeted Regions and Sectors: 

Primarily motivated by financial gains, the threat actor group generally targets the following sectors  : 

  • E-Commerce
  • Healthcare
  • Finance
  • Financial Services
  • Adult
Screenshot of top 5 countries targeted by pirates_gold

Modus Operandi

The particular threat actor employs a multi-faceted approach to compromise targets and profit from stolen data:

  • Data Breaches: Exploits vulnerabilities and misconfigurations to gain unauthorized access to organizational databases. 
  • Access Brokerage: Sells root-level database access and other compromised accounts.
  • Data Dump Sales: Monetizes breaches by selling stolen data dumps on underground forums.

Incident Impact and Severity 

  • Complete Administrative Access: Logging in with the exposed credentials provided the threat actor with root-level privileges, enabling complete administrative control over the database.
  • Infrastructure Sabotage and Data Manipulation: Root-level access enables modification or deletion of critical operational data, such as payment records or grievance logs. This could disrupt essential public services, erode public trust, and hinder administrative functions within BWSSB.
  • Extensive Data Exposure: The database contains multiple tables including:
    • Payment Data
    • Application Data 
    • Grievance Data 
    • System Logs
  • PII Compromise: The application table alone holds over 290,000+ records containing sensitive Personally Identifiable Information (PII), including: Full Name, Phone Number, Complete Address, Email ID, Aadhaar Number and other critical applicant details.
  • Targeted Phishing and Social Engineering Campaigns: The compromised data can fuel highly targeted phishing attacks against citizens and employees. Detailed PII enhances the credibility of fraudulent communication, increasing the likelihood of successful exploitation.

Recommendations

  • Conduct a Comprehensive Security Audit: Perform an in-depth audit of the affected infrastructure, to identify and remediate any remaining vulnerabilities or backdoors that may persist post-incident. 
  • Revoke All Exposed and Potentially Compromised Credentials: Ensure that all database and application credentials—especially those previously stored in the .env file—are rotated. Implement strict secret management practices to prevent future credential exposure. 
  • Remove Public Access to Administrative Interfaces: Immediately restrict access to sensitive administrative endpoints such as adminer.php through IP whitelisting, VPN access, or complete removal from the public domain.

References