User names, emails, passwords, mobile numbers, OTP-related information, and login IPs. And hacked unique user tokens are among the Swachhata City data. On Friday, September 23, a threat actor going by the handle LeakBase posted a 6GB data dump containing the private information of 16 million customers from the Swachhata Platform users. The data was leaked on BreachForums (a database trade network widely utilized by cybercriminals).
Swacch City a Swachh Bharat Mission project, is a mobile and web application that aids municipal corporations from 4041 towns. They resolve complaints and issues with citizens across the nation.
User names, user IDs, email addresses, passwords, mobile numbers, and information relating to OTPs and hacked crucial login credentials.
In a report given to ETCISO by CloudSEK experts, they claimed that access to the server would give the threat actor the knowledge needed to carry out sophisticated ransomware operations, exfiltrate data, and maintain persistence.
They issue a warning that the exposed data may also be combined and sold as leads on other online forums for crimes. Users who have been compromised run the danger of becoming the victims of phishing and social engineering scams thanks to the data.
LeakBase also provides access to the admin panels and servers of the majority of Content Management Systems, or CMS, according to CloudSEK researchers. They continued that they obtained these accesses unlawfully and sold them for financial advantage.
The Ministry of Housing and Urban Affairs, the organization in charge of Swachh City, has yet to respond or confirm the occurrence to ETCISO.
What was compromised
From the data sample disclosed by LeakBase, CloudSEK researchers found the following compromised pieces of information:
- Registered email addresses of users
- Password hashes
- Registered phone numbers
- Transmitted OTP information
- Login IP to the platform
- Mac addresses from users’ systems
- Individual user tokens
- Browser fingerprint information
- LeakBase – an old hand in the leaked data trade
Researchers from CloudSEK claim that the adversary posts as LeakBase, Chucky, Chuckies, and Sqlrip on darknet forums. “They have a proven track record of giving accurate information in the past. They have extreme skilled in disseminating data breaches from international businesses.
LeakBase was a key threat actor on the now-closed RaidForums and ran the website LeakBase.cc, a platform for finding data leaks of all kinds. According to a report by Israeli cybersecurity research leader, KELA.
LeakBase said that shutting down in 2017 after receiving criticism from the government. But according to KELA researchers, the threat actor has recently begun to “frequently distribute collections of different databases.” LeakBase also distributes hundreds of fresh SQL databases to stores and businesses around the world.
LeakBase joined the market in March 2022, and according to its account page on BreachForums, it has already attained God status”. A rank attained via representatives earned by selling authentic user data leaked from businesses or their hacked personnel.
According to the KELA investigation, LeakBase released a collection of 50 databases on the database trading website Breached. Which is a favourite of cybercriminals.
Mitigation
It is safer for users to reset their passwords because neither Swacch City nor the Ministry of Housing and Urban Affairs has yet released an advisory. Researchers at CloudSEK advise implementing a strong password policy and turning on MFA, or multi-factor authentication.
Users must also patch insecure and exploitable endpoints and keep an eye out for user account oddities, which are a reliable sign of potential account takeovers.
