Hackers Continue to Leak Alleged Gosuslugi User Data

Hackers who last week published 5,000 lines of data allegedly obtained from the Gosuslugi portal database have continued to leak more information. This time, an additional 2,000 lines were published, dated from January 2, 2022, to September 30, 2022.

According to experts from Data Leakage & Breach Intelligence (DLBI), who reported these incidents, the data was likely obtained by brute-forcing user identifiers in the Unified Identification and Authentication System (ESIA). Experts remind us that at the end of last year, it became known that the source code of the Regional Gosuslugi Portal of the Penza region had been leaked, and these sources contained keys to certificates used for accessing ESIA.

DLBI analysts write that the new leak, which occurred over the past weekend, contains the same types of data as the first leak:

• Full names
• Email addresses
• Phone numbers
• Gender
• Dates of birth
• Registration and actual residential addresses
• Passport details (series, number, issuing authority, and date of issue)
• SNILS (Russian pension insurance number)
• INN (taxpayer identification number)

It is worth noting that after the first leak, representatives of the Ministry of Digital Development denied any breach of Gosuslugi users’ personal data. At that time, the ministry commented:

“We deny information about a data leak from Gosuslugi. A fragment of an alleged Gosuslugi user database containing 5,000 records appeared online. We checked this file and found that it does not contain the set of parameters that are always present in standard Gosuslugi accounts. User account credentials (logins and passwords) were not compromised, and the information is securely protected. According to the security service, this database belongs to one of the external online systems that uses simplified user identification via Gosuslugi. This system does not have direct access to the full set of user data.”