Swachhta platform hacked by Threat Actor “LeakBase”

16 Million Indian citizen’s PII compromised in massive data breach

On September 23, 2022, researchers discovered the leaked database through Cyble’s Threat Intelligence platform. The leak was shared by Threat Actor (TA) LeakBase, active on the cybercrime forum – Breach Forum. They have compromised several prominent financial institutions in India prior to this leak.

Figure 1: Screenshot from Cyble Threat Intelligence Platform

The database contained the PII (Personally Identifiable Information) of 16 million users of the Swachhata Platform (Swachh.city), a Swachh Bharat Mission initiative governed by the Ministry of Housing and Urban Affairs (MoHUA), Government of India. The platform is used to submit and follow up on municipal complaints.

The leaked data included users’ emails, usernames, passwords, mobile numbers, as well as login and OTP tokens.

Figure 2: LeakBase’s forum post at the BreachForums

Our initial observations revealed that the compromised datasets included a total of 16,457,744 records with the following header values:

id`, `username`, `user_id`, `email`, `password`, `mobile_number`, `otp`, `otp_sent_at`, `mobile_number_verified`, `mobile_number_verified_at`, `email_activation_token`, `email_activation_token_sent_at`, `email_verified`, `email_verified_at`, `remember_token`, `mac_address`, `banned`, `banned_at`, `last_login_at`, `last_login_ip`, `last_login_user_agent`, `last_login_channel`, `created_at`, `updated_at`, `deleted`, `deleted_at`, `non_verified_mobile_number`, `non_verified_mobile_number_otp`, `non_verified_mobile_number_otp_sent_at`, `otp_source`, `login_token`, `login_token_sent_at`, `comments`, `migrated_at`, `icmyc_user_id`

It is worth noting that the records in the compromised datasets consist of comprehensive information on the users registered on the impacted platform. It includes email addresses, encrypted passwords, mobile numbers, IP addresses, user-agent information, MAC address, and the ICMyC user ID of the individuals.

The compromised datasets included 101,718 unique email addresses and 15,835,111 unique mobile numbers, suggesting an indicative number of users impacted in the subject data breach by the TA LeakBase.

Figure 3: Compromised Datasets

ICMyC is a contraction for the “I Change My City” associated with a civil initiative by the non-profitable trust “Janaagraha Centre for Citizenship and Democracy.”

The same organization developed and is also responsible for managing the MoHUA’s “Swachhata-MoHUA” and various other related Swachhata Technology Platforms developed for iOS, Android, and Web users.

Further analysis of the data suggested that 5.96 GB of leaked data was stolen from a Structured Query Language (SQL) database named “swachh_manch” in the impacted database server of the impacted infrastructure.

Over the course of our research, we determined that the oldest account in the dataset was created on June 17, 2022, and the latest login was observed on May 20, 2022. This is supported by the metadata information in the SQL data dump summary, indicating that TA likely exfiltrated the data on May 20, 2022. (See Figure 4). The SQL header also revealed that the impacted infrastructure was running on outdated versions of the phpMyAdmin and the Ubuntu 16.04.1 host operating system.

Figure 4: Screenshot of the SQL Header Information in the leaked database

Possible Cause of the Compromise

Cyble’s Threat Intelligence Platform captured compromised administrator and non-administrator accounts’ login information for the phpPgAdmin web portal of the impacted infrastructure in multiple instances of the stealer malware logs from April 11, 2022. (See Figure 5)

Figure 5: Stealer logs matching the affected domains

The credentials for root, super admin, admin, and QA admin accounts were using weak password strings that were also prone to password dictionary attacks.

Figure 6: TA’s signature advertising the sale of unauthorized access to administrative panels

Overview of the Threat Actor’s Forum Activities

The TA LeakBase has been active on BreachForums since March 29, 2022, and is also a moderator on LeakBase.cc. The TA has 391 posts, including 354 threads, and has obtained a positive reputation for their leaks and alleged compromises.

Figure 7: TA’s forum profile on BreachForums

The TA has been active on the forums with regular contributions to breached databases and the sale of admin/unauthorized access to websites.

Conclusion

Our research largely indicates that these credentials were possibly compromised from the developer’s accounts which could have been the primary indicators of TA’s initial access into the compromised infrastructure resulting in the subsequent data breach.

However, the TA had earlier disclosed to our source that their primary tactic was a custom brute forcing method. According to our findings, this method appears to be a plausible attack vector for the subject data breach. The Tactics, Techniques, and Procedures (TTPs) leveraged by the TA for the intrusion mainly remain unconfirmed.

The TA LeakBase has repeatedly targeted public and private entities in India and leaked several compromised datasets on the cybercrime forum. Cyble Research and Intelligence Labs will continue to monitor the TA’s activities.

Scroll to Top