InfoSecBulletin Cybersecurity for mankind
Millions of Bangladeshi citizens’ personal information, including full names, phone numbers, email addresses, and national ID numbers, was accidentally leaked through a government website. The breach was initially discovered by Viktor Markopoulos, a researcher employed at Bitcrack Cyber Security, who promptly notified the Bangladeshi e-Government Computer Incident Response Team (CERT) upon making the finding according to the report.
TechCrunch independently confirmed the legitimacy of the leaked data by utilizing a portion of it to query a public search tool on the affected government website. The website provided additional details from the compromised database, such as the applicant’s name and, in certain instances, the names of their parents. To ensure accuracy, TechCrunch repeated this process with ten different data sets, each time receiving correct information.
Hacker claim Leak of Deloitte Source Code & GitHub Credentials
CISA Issued Guidance for SIEM and SOAR Implementation
Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora
Australia enacts mandatory ransomware payment reporting
Why Govt Demands Foreign CCTV Firms to Submit Source Code?
CVE-2023-39780
Botnet hacks thousands of ASUS routers
Bangladesh Bank instructed using AI to prevent online gambling
251 Amazon-Hosted IPs Used in Exploit Scan for ColdFusion, Struts, and Elasticsearch
Zero-Trust Policy bypass to Exploit Vulns & Manipulate NHI Secrets
Evaly E-commerce Platform Allegedly Hacked
Out of concern for ongoing data availability, TechCrunch has chosen not to disclose the name of the government website. Despite reaching out to various Bangladeshi government organizations via email to alert them of the data exposure and request comments, no responses have been received at the time of reporting.
In Bangladesh, every citizen aged 18 and above is issued a mandatory National Identity Card that assigns a unique identification number. This card grants individuals access to numerous services, including obtaining a driver’s license, passport, engaging in land transactions, opening bank accounts, and more.
Requests for comments from Bangladesh’s CERT, the government’s press office, its embassy in Washington, D.C., and its consulate in New York City have gone unanswered.
Markopoulos expressed surprise at how effortlessly he stumbled upon the leaked data, stating, “It just appeared as a Google result, and I wasn’t even intending on finding it. I was searching for an SQL error, and it unexpectedly emerged as the second result.” SQL is a language designed for managing database information.
The exposure of email addresses, phone numbers, and national ID card numbers is deeply concerning. Markopoulos also highlighted the potential risks associated with this type of information, which could be exploited to gain unauthorized access, manipulate applications, delete records, or even view the Birth Registration Record Verification within the web application.
Source: Techcrunch
