InfoSecBulletin Cybersecurity for mankind
Millions of Bangladeshi citizens’ personal information, including full names, phone numbers, email addresses, and national ID numbers, was accidentally leaked through a government website. The breach was initially discovered by Viktor Markopoulos, a researcher employed at Bitcrack Cyber Security, who promptly notified the Bangladeshi e-Government Computer Incident Response Team (CERT) upon making the finding according to the report.
TechCrunch independently confirmed the legitimacy of the leaked data by utilizing a portion of it to query a public search tool on the affected government website. The website provided additional details from the compromised database, such as the applicant’s name and, in certain instances, the names of their parents. To ensure accuracy, TechCrunch repeated this process with ten different data sets, each time receiving correct information.
Intel PC, laptop and server processors affected for 6 years: Report
CVSS 10.0 Flaw
Critical flaw in Siemens OZW Web Servers Enable Unauthenticated RCE
Microsoft Patch Tuesday May 2025: 72 flaws, 5 Actively Exploited Zero-Day
OTP glitch disrupted NID services across the country
Google to pay Texas $1.4 billion for location tracking practices
YouTube geo-blocks at least 4 Bangladeshi TV channels in India
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Out of concern for ongoing data availability, TechCrunch has chosen not to disclose the name of the government website. Despite reaching out to various Bangladeshi government organizations via email to alert them of the data exposure and request comments, no responses have been received at the time of reporting.
In Bangladesh, every citizen aged 18 and above is issued a mandatory National Identity Card that assigns a unique identification number. This card grants individuals access to numerous services, including obtaining a driver’s license, passport, engaging in land transactions, opening bank accounts, and more.
Requests for comments from Bangladesh’s CERT, the government’s press office, its embassy in Washington, D.C., and its consulate in New York City have gone unanswered.
Markopoulos expressed surprise at how effortlessly he stumbled upon the leaked data, stating, “It just appeared as a Google result, and I wasn’t even intending on finding it. I was searching for an SQL error, and it unexpectedly emerged as the second result.” SQL is a language designed for managing database information.
The exposure of email addresses, phone numbers, and national ID card numbers is deeply concerning. Markopoulos also highlighted the potential risks associated with this type of information, which could be exploited to gain unauthorized access, manipulate applications, delete records, or even view the Birth Registration Record Verification within the web application.
Source: Techcrunch
