OpsIndia BSNL Hack Leaks Millions of Identity Records

OpsIndia Hacked BSNL Tweet
OpsIndia Taunts BSNL on Twitter

Bharat Sanchar Nigram Limited (BSNL) is an Indian state-owned business that offers Telecomm and Data Services in New Delhia. The Anon group claiming responsibility, OpsIndia, publicly shamed the BSNL for storing passwords in plain text and poorly securing databases when they left a message on the BSNL website. The pages have since been taken down, however OpIndia continues posting and answering questions on Twitter.

The OpsIndia BSNL hack and the website defacing preceded the group’s access to the government PAN database. The database is a listing of codes for individual and corporate identification numbers, like social security numbers in the US.

When the government stops listening to the people, it’s time to wake them up, – Wrote the hacktivists.

There will be no #DigitalIndia until and unless government of India stops their surveillance projects & make their systems secure.WARNING : BSNL admin, patch up your site. You have stored Passwords in plain text. Shame! Is this your #DigitalIndia? We also have access to all BSNL databases now. No data on the server was tampered though. But we have taken a copy of all your databases. Patch up before the chinese get their hands on this. It’s a goldmine.

The BSNL hack is part of a string of take downs and hacks over the past seven days. The hackers took responsibility for three breaches. The first hack targeted a government website for the coal sector in India. “Expect us, Nazi”, they tweeted to Ravi Shankar Prasad, India’s Communications and Information Technology Minister. “WE HAZ UR COAL MINE SCAMMERS.”

OpsIndia BSNL Hack Website

The group revealed its method of obtaining access to the government servers on its blog.

It was an sql injection on one of the .gov.in | We won’t tell which one

They also made a number of points aimed at “clearing the air” over the breach:

Also read: Anonymous Member to be Prosecuted

  1. No data was tampered. Everything was left as it is on the government server.
  2. We did not dump PANs of individuals. We just looked into corporate PANs. See proof in tweets below. That too over 2000+ corporate PANs were dumped.
  3. No data was leaked or hosted anywhere. It was always on the local drive of one of the anon and he removed right after we showed the proof of the hack.
  4. This was done to let people know that Indian government is not ready for storing any data online. The security breaches will happen again & again until they agree to get a security audit done of every gov site/app. The report of the security audit should be open for public review if gov wants to gain some trust of the people.
  5. If our intentions would have been wrong with this hack, then we would have simply not disclosed it to the people. We would have used this goldmine of email IDs & identities for our benefit. We ain’t blackhat. Think what the chinese hackers would do with that data just like it happened in America with OPMHack.

The OpsIndia BSNL hack appears to be politically motivated. It describes itself as “Anonymous India” and seems to be inspired by the major hacktivist group. The hacks are in response to India’s position on net neutrality and the way the government is handling Digital India – the Indian government’s attempt to integrate government services with the web to ensure citizens have electronic access to its departments. The project is slated for completion in 2019.

 Images from JustinLing.