Nearly a million South Africans have had their personal data leaked.
The datasets contain ID numbers, cell numbers, full names, surnames, email addresses and – most worryingly of all – passwords that were stored in plain text. The data was provided by an anonymous source who said it was taken from a publicly accessible server belonging to a company that handles the online payment of traffic fines in South Africa.
“The person who sent me the link [to the data] did so via a hacking site used for distributing material,” security researcher Troy Hunt told The Citizen. “I don’t know whether they put it there, or if they just found it. In a way it doesn’t matter – the data is out there and in circulation.”
Hunt said he had identified website ViewFines.co.za as the source of the leak.
“The website provides secured access to all outstanding offences issued by the listed Municipalities which were registered against your ID number,” a statement on the ViewFines landing page reads.
“The registration provides you absolute security, and access is only allowed by ID and your personal password. No other member of the public can access your outstanding offence information.”
Using Mailinator, a free disposable-email service whose inboxes are publicly readable, Hunt says he was able to trigger password-reset emails from the ViewFines site for email addresses contained in the leak, confirming that the accounts in the dump were real ViewFines accounts.
“The element that makes [this leak] worse is the ‘plain text’ passwords,” Hunt said. “The reason this is a risk is that there are hundreds of thousands of email/password pairs that have been exposed, that will likely match accounts on other sites – such as eBay or Amazon or iTunes.”
“Lately, over the last six months, there has been a real uptick in malicious account takeovers,” Hunt said. “This is made possible by people using the same email and password across multiple accounts.”
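The two points Hunt makes above, that the passwords were stored in plain text and that a dump of such a table is immediately reusable against other sites, are easiest to see side by side in code. The following is an added example, not code from ViewFines or from Hunt: it stores a constructed set of accounts first as plain text and then with a salted, self-describing scrypt record (scrypt is in Python's standard library), and then simulates an attacker replaying every stored value against a second, constructed site where the same users reused their password. The sample accounts, the "other site" and its login function are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demonstration; not data from the leak.
SAMPLE_USERS = {
    "alice@example.com": "Sunshine2017",
    "bob@example.com": "Sunshine2017",   # same password as alice: shows why a per-user salt matters
    "carol@example.com": "hunter2",
}

# A second, unrelated site (constructed) where alice and bob reused their password.
OTHER_SITE_PASSWORDS = {
    "alice@example.com": "Sunshine2017",
    "bob@example.com": "Sunshine2017",
    "carol@example.com": "different-password",
}


def other_site_login(email, password):
    """Login check at the unrelated site; constant-time compare like any site should use."""
    expected = OTHER_SITE_PASSWORDS.get(email)
    return expected is not None and hmac.compare_digest(expected, password)


# --- Weak form: store the password itself. A dump of this table *is* a credential list. ---
def store_plaintext(users):
    return dict(users)


# --- Hardened form: scrypt with a random 16-byte salt per user. ---
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    # Self-describing record: the parameters travel with the hash, so they can be raised later
    # without invalidating old records.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError(f"unsupported hash record: {algo}")
    expected = bytes.fromhex(digest_hex)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def store_hashed(users):
    return {email: hash_password(pw) for email, pw in users.items()}


def replay_dump_against_other_site(dump):
    """What an attacker does with a leaked table: try each stored value as the password elsewhere.
    Returns the sorted list of emails whose other-site account is taken over."""
    return sorted(email for email, stored in dump.items() if other_site_login(email, stored))


if __name__ == "__main__":
    plain = store_plaintext(SAMPLE_USERS)
    hashed = store_hashed(SAMPLE_USERS)
    print("taken over from plaintext dump:", replay_dump_against_other_site(plain))
    print("taken over from hashed dump:   ", replay_dump_against_other_site(hashed))
    print("alice and bob share a password but not a record:",
          hashed["alice@example.com"] != hashed["bob@example.com"])
```

The hashed table still lets the real site verify a login (`verify_password`), but the attacker replaying its contents gets nothing, and because each record carries its own salt, two users with the same password do not reveal that fact to whoever holds the dump. A slow hash does not protect a weak password from offline guessing; it only removes the free, instant reuse that a plain-text table hands over.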
The ViewFines leak comes less than a year after the personal data of some 60 million South Africans was found on a publicly accessible server, available to anyone with the know-how to help themselves.
Anyone who thinks they may have been affected is urged to change their ViewFines password as soon as possible, and to change it on every other site where the same password was used, since reused email/password pairs are exactly what account-takeover attacks rely on. They can also use Hunt’s site, HaveIBeenPwned, to check whether their email address has appeared in this or any other known breach.