Private data belonging to over 350 citizens in Bengaluru, India has been leaked on the dark web after the websites of Karnataka State Police and Bengaluru City Police were hacked in 2016.
The leaked data from the websites include names, phone numbers, email addresses, residential addresses, passport numbers as well as birthdates.
Furthermore, the hack targeting the Karnataka State Police also led to the leak of email addresses, passwords and other account information of police officers in the public domain.
The discovery was made by CyberSafe, a private cybersecurity company based in Bengaluru.
The founder and CEO of the firm, Gagan Jain, stated that his staff discovered the data dump while they were conducting searches using keywords like Bengaluru and Karnataka on the clearnet and the darknet for information regarding terrorist activity.
He also stated that they were able to extract only one file containing data of around 382 Bengaluru citizens, further alleging that there could be infinite such files on the dark web.
It Could Have Been Averted
A couple of months prior to the hack in 2016, Jain outlined to senior police officials the vulnerability of the Bengaluru city police website to a SQL injection attack.
SQL injection is a common hacking technique in which attackers feed a website malicious payloads (malicious SQL statements) that will be included as part of the SQL query, in order to infiltrate the website’s database server.
In a statement about the leak, Gagan Jain stated that after accessing the website’s portal and server, the hacker(s) would also have gained access to the entire database—thereby having all information stored on the database at their fingertips.
Further, in the statement, he said that during the extraction of the data they discovered information gathered by traffic officials, verifications details of workers as well as logins and passwords data of various police stations purported to be from the Bengaluru City Police website.
Leaked Data Prone to Abuse
Cybersecurity experts believe the data may be used to impersonate anyone whose details are found in the data dump, in turn using the details in illegal activities like drug trafficking, or even opening bank accounts to fund terror activities or launder money.
After the hacks in 2016, the cybercrime police stated that Karnataka State Police hack was orchestrated by an individual under the pseudonym Faisal 1337, an alleged member of the Team Pak Cyber Attackers.
Authorities also purported that Pakistani and Chinese hackers aided in the breach, saying that IP addresses and URLs were traced back to a region close to Shanghai, China.
Upon further investigations, the police were able to link the Chinese connection to Lahore, Pakistan.
Furthermore, a report by the Indian Computer Emergency Response Team (CERT-In) stated that around 35 percent of cyberattacks targeting Indian websites are sourced from China.
But its neighbor, Pakistan, is only subjected to 9 percent of the targeted attacks.
Latest posts by Sir Julio (see all)
- Researchers Reveal Suspect Behind Collection #1 Mega Breach - February 15, 2019
- Tor Project Continues to Receive Donations - February 7, 2019
- 773M Email Addresses and 21M Passwords Exposed in Data Dump - January 29, 2019