16M User PII Records from Swachhata Platform, India allegedly breached by LeakBase

16 million user PII records allegedly compromised from India's Swachhata Platform. Leaked data contains email addresses and password hashes.
Updated on
April 19, 2023
Published on
September 29, 2022
Category: Adversary Intelligence
Industry: Government
Country: India
Source rating: C3

Executive Summary

Threat
  • 16 million user PII records allegedly compromised from India's Swachhata Platform.
  • Leaked data contains email addresses and password hashes.
Impact
  • Leaked information can be aggregated and sold as leads on cybercrime forums.
  • Social engineering and phishing attempts against affected individuals.
Mitigation
  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts, which could indicate account takeovers.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil recently discovered a post by the threat actor LeakBase, advertising the breach of the Swachhata Platform (Swachh.city).
  • The Swachhata Platform is an initiative of the Swachh Bharat Mission, in association with the Ministry of Housing and Urban Affairs of India.
  • Shared data samples contain PII such as email addresses, hashed passwords and user IDs.
  • 16 million user records are claimed to have been compromised.
  • 6 GB of compromised data is being shared via a popular file-hosting platform.
[Figure: Threat actor's advertisement on the cybercrime forum]

Information from the Sample

The leaked data samples provided the following information:
  • Registered email addresses
  • Password hashes
  • Registered phone numbers
  • Transmitted OTP information
  • Login IP to the platform
  • MAC address of the user's system
  • Individual user tokens
  • Browser fingerprint information

Two caveats on reading this list. Password hashes resist offline cracking only to the extent that the hashing scheme is slow and salted, and the post does not identify the algorithm used, so the hashes should be treated as crackable until shown otherwise. User tokens and OTP values that are still valid give an attacker a path around the password altogether, so they need to be invalidated rather than relied on as a second factor for affected accounts.

Threat Actor Activity and Rating

Threat Actor Profiling

Active since: March 2022
Names used: LeakBase, Chucky, Chuckies, Sqlrip, etc.
Reputation: High (no complaints and a credible reputation)
Current status: Active
History:
  • Previously known for providing reliable information and data breaches from companies around the world.
  • Often operates for financial gain and conducts sales on their marketplace forum leakbase.cc.
  • Offers access to admin panels and servers of most CMSs, allegedly gained via unauthorized means and sold for monetary profit.
Rating: C3 (C: Fairly reliable; 3: Possibly true)

Impact and Mitigation

Impact
  • This information can be aggregated and sold as leads on cybercrime forums.
  • Threat actors can harvest this information to conduct the following attacks:
    • Phishing
    • Smishing
    • Social engineering
Mitigation
  • Implement a strong password policy and enable MFA across logins. Because the sample includes transmitted OTP information and user tokens, force a password reset for affected accounts, rotate their session tokens, and invalidate any outstanding OTPs rather than relying on them as a second factor.
  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts, which could indicate account takeovers: credential-stuffing bursts from a single source against many accounts, and successful logins for leaked accounts from sources those accounts have never used.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.
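The monitoring advice above is easier to act on with a concrete detector. The following Python is an added example, not code from CloudSEK or the Swachhata platform; the log format, field names, thresholds, watchlist and sample log lines are all constructed for illustration. It runs two checks over an authentication log: one source IP cycling through many distinct accounts in a short window (a leaked email/password list being replayed), and a successful login for a leaked account from a source that account never used before the leak.

```python
"""Account-takeover indicators after a credential leak.

Two checks run over authentication logs:
  1. credential stuffing: one source IP cycling through many distinct
     accounts in a short window, the usual way a leaked email/password
     list is replayed against a login endpoint;
  2. new-source logins: a successful login for a watchlisted (leaked)
     account from an IP that account never used during a baseline period.

Assumptions (not from the original post): the log format, the field
names, the thresholds and the sample data below are all constructed
for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <email> <source ip> <result>".
# A burst from 198.51.100.7 walks through six accounts in six seconds and
# lands one success; everything else is routine activity.
SAMPLE_LOG = """\
2022-09-28T10:00:00 alice@example.in 203.0.113.10 success
2022-09-28T10:05:00 alice@example.in 203.0.113.10 success
2022-09-28T11:00:00 bob@example.in 203.0.113.20 success
2022-09-28T23:00:01 alice@example.in 198.51.100.7 failure
2022-09-28T23:00:02 bob@example.in 198.51.100.7 failure
2022-09-28T23:00:03 carol@example.in 198.51.100.7 failure
2022-09-28T23:00:04 dave@example.in 198.51.100.7 failure
2022-09-28T23:00:05 erin@example.in 198.51.100.7 failure
2022-09-28T23:00:06 frank@example.in 198.51.100.7 success
2022-09-29T08:00:00 bob@example.in 203.0.113.20 success
"""

# Accounts known to appear in the leaked dump (constructed watchlist).
LEAKED_ACCOUNTS = {"alice@example.in", "bob@example.in", "carol@example.in",
                   "dave@example.in", "erin@example.in", "frank@example.in"}

# Everything at or before this instant is treated as pre-leak baseline.
BASELINE_UNTIL = datetime(2022, 9, 28, 12, 0, 0)


def parse_log(text):
    """Parse the four-field log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, email, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts),
                       "email": email.lower(),
                       "ip": ip,
                       "ok": result == "success"})
    events.sort(key=lambda e: e["ts"])
    return events


def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Map source IP -> max number of distinct accounts it tried inside any
    `window`, for IPs that reached `min_accounts`. Failures and successes
    both count: the signal is account breadth from one source, not outcome."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)          # events are already time-ordered
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                # slide the window's left edge
            accounts = {x["email"] for x in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(accounts))
    return flagged


def new_source_logins(events, baseline_until, watchlist):
    """Successful post-baseline logins for watchlisted accounts from an IP
    that account never logged in from during the baseline. An account with
    no baseline history is flagged on its first post-leak success, which is
    noisy for new users but the safe default while a leak is being worked."""
    known = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] <= baseline_until:
            known[e["email"]].add(e["ip"])
    hits = []
    for e in events:
        if (e["ok"] and e["ts"] > baseline_until
                and e["email"] in watchlist
                and e["ip"] not in known[e["email"]]):
            hits.append((e["email"], e["ip"], e["ts"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, n in stuffing_sources(evs).items():
        print(f"credential stuffing: {ip} tried {n} accounts")
    for email, ip, ts in new_source_logins(evs, BASELINE_UNTIL, LEAKED_ACCOUNTS):
        print(f"new-source login: {email} from {ip} at {ts.isoformat()}")
```

On the sample data the first check flags 198.51.100.7 (six accounts in one window) and the second flags frank@example.in, whose only successful login comes from that same source; the success inside a stuffing burst is the event to reset first. In production the baseline would come from historical login records rather than the same log, and the watchlist from the leaked sample itself, with thresholds tuned to the platform's normal traffic.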

Appendix

[Figure: A sample of the database, disclosed by the threat actor]
[Figure: Comment that was observed under the post]
