Personally identifiable information of 16 million users of the swachh.city citizen participation site has been dumped on dark web forums, according to cybersecurity firm CloudSek.

A threat actor going by the name LeakBase has exposed sample data of personally identifiable information (PII) of millions of users of the Swachhata citizen engagement platform, according to cybersecurity firm CloudSek.

The Swachhata platform is an initiative of the Swachh Bharat Mission in association with the Ministry of Housing and Urban Affairs. On the swachh.city website, users can post complaints to their respective city administrations. The website also gives monthly ratings of cities in terms of grievances resolved and engineers’ performance.

“On Friday, September 23, a sample data was posted on dark web forums which contained personally identifiable information of users of the Swachhata platform. While it doesn’t seem like the whole database is made public, some of it is,” said Rahul Sasi, co-founder and CEO of CloudSek.

LeakBase often operates for financial gain and conducts sales on its marketplace forum, leakbase.cc, researchers said. The attackers have not, however, mentioned if the information is for sale, or put any price on the data. “It seems like the information is available for free,” Sasi added.

While it is not clear how the attack was conducted, Sasi said it was likely that a web-based security vulnerability or API-based vulnerability was exploited.

What Swachhata data was exposed?

Personal information such as email addresses, password hashes, phone numbers, transmitted OTP (one-time password) information, login IP addresses, MAC addresses from users’ systems, individual user tokens, and browser fingerprint information of approximately 16 million users has been exposed, CloudSek noted. The information is contained in a 1.25GB database hosted on a popular file-hosting platform.
If this information falls into the wrong hands, threat actors can harvest more PII from affected individuals, the researchers noted. LeakBase also offers access to admin panels and servers of most CMSes, which are gained through unauthorized means and are sold for profit, according to the researchers.

Potential impact of the Swachhata breach

The breach can be used by malicious actors to, among other things, launch sophisticated ransomware attacks and exfiltrate data, according to CloudSek. This information can be aggregated and sold as leads on cybercrime forums. Social engineering and phishing attempts against affected entities or individuals could also be initiated.

As mitigation, CloudSek advises users to implement a strong password policy and enable MFA (multifactor authentication) across logins. It also advises that vulnerabilities and exploitable endpoints be patched.

Ministry of Housing and Urban Affairs representatives were not immediately available for comment.