Swachh City platform hacked, data of 16 million users leaked

A threat actor called LeakBase shared a database containing Personal Identifiable Information (PII) such as email addresses, hashed passwords, User ID etc, belonging 16 million users of the Swachh City platform — swachh.city, an initiative of the Swachh Bharat Mission in association with the Ministry of Housing and Urban Affairs.

The data, which is 1.25 gigabytes in size, was leaked on a popular file-hosting platform and was discovered by CloudSEK’s Threat Intelligence Team.

The hacker usually goes by monikers such as LeakBase, Chucky, Chuckies, and Sqlrip on underground forums. It is understood that LeakBase often operates for financial gain and conducts sales on its marketplace forum leakbase.

Analysis of the Data
From the data sample that was disclosed by the threat actor to substantiate his claim, researchers were able to assess the following information:

• Registered Email Addresses
• Password Hashes
• Registered Phone Number
• Transmitted OTP Information
• Login IP — to platform
• MAC Address from user’s systems
• Individual user tokens
• Browser Fingerprint information

CloudSEK’s researchers understand that if this information falls into the wrong hands, threat actors can glean and harvest more PII information from affected individuals.

LeakBase also offers access to admin panels and servers of most CMS (Content Management Systems). These accesses are gained through unauthorized means and are sold for monetary profit.

What does this mean for affected individuals?
As personal details such as phone numbers and email addresses are advertised for sale, there is a strong possibility of it being used against the users which the data belongs so.

“This data can be leveraged by other threat actors to conduct large-scale cyber attacks such as phishing, smishing, social engineering, and even identity theft. We recommend that users affected by this leak check for unusual activity on their Swachh.city accounts and other banking and email accounts as well. As a precaution, they should also change their passwords and enable multi-factor authentication,” suggests Rahul Sasi, Co-founder and CEO, CloudSEK.

It would equip malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence. This information can be aggregated to further be sold as leads on cybercrime forums. Social Engineering & Phishing attempts against affected entities or individuals.

To keep themselves safe, users can implement a strong password policy and enable MFA (multi-factor authentication) across logins, patch vulnerable and exploitable endpoints, monitor for anomalies in user accounts which could indicate possible account takeovers and monitor cybercrime forums for the latest tactics employed by threat actors. CNBCTV18