A South African database containing sensitive personal data, which appears to have originated from a traffic fine platform, has been leaked online.
The leak includes the names, ID numbers, email addresses, and plain-text passwords of 934,000 South African citizens.
Security researcher Troy Hunt – who runs Have I Been Pwned? – worked with iAfrikan Digital founder Tefo Mohapi on the leak.
Mohapi explained that the database had close to 1 million personal records and was “discovered on a public web server that belongs to a company that handles electronic traffic fine payments in South Africa”.
He said iAfrikan was able to view the publicly-available database, and it may be a case of negligence regarding the safety of the data.
According to Mohapi, it appears that a backup of the sensitive data was saved in a directory which was publicly accessible.
Mohapi said he notified the relevant authorities, including the Hawks and the NPA Cybercrime Unit, before publishing the report on iAfrikan.
“If you have ever registered on any system online that allows you to receive notifications and pay for traffic fines, it is best you go change your password,” he said.
“[The leaked data] will be searchable in Have I Been Pwned? tomorrow. Sorry South Africa, that’s another one for you,” said Hunt.
Hunt is referring to a separate database leaked in October 2017, known as the Master Deeds leak, which contained the private data of millions of South Africans.
The October 2017 data leak contained the ID numbers, contact details, addresses, and income estimates of 60 million South Africans, including deceased citizens.
Information used by criminals
While many people may not view such a leak as posing a serious risk to them, this is a mistake.
SensePost CTO Dominic White previously showed how leaked information like ID numbers and personal information can be used to gain access to a person’s financial accounts.
White used the personal details obtained through the Master Deeds leak to gain full access to a coworker’s account at a financial institution.
This was done by exploiting the publicly-available information of the coworker and a weak contact centre security procedure.
The fact that the latest leak contains plain-text passwords compounds the problem, as many people reuse one password across multiple platforms.