On one of the forums dedicated to hacker attacks and the sale of stolen data, reports indicate a breach of the OAuth server, which is a key component of the state authentication system. This has created a threat to all websites and systems using it as an authorization source, including universities, political parties, utility payment platforms, law enforcement agencies, and the personnel system of the Ministry of Internal Affairs.
The OAuth server was used within the framework of digital government for user identification. Preliminary information suggests that the breach has led to the leak of data from more than 15 million users.
Additionally, the system of the National Social Protection Agency (IHMA), which stored citizens' medical data, has been completely compromised. The data leak concerning the Ministry of Internal Affairs (IIV.UZ) may also be related to the breach of the OAuth server. Similar issues have affected the systems of the National Statistics Committee of Uzbekistan (STAT.UZ) and the Uzbekistan Mortgage Refinancing Company (UZMRC.UZ).
Among the leaked data are the following personal details:
- first and last name,
- residential address,
- date of birth,
- phone number,
- email address,
- passport number.
The hacker group, to confirm the existence of the stolen data, disseminated personal information of thousands of citizens. The online publication Daryo.uz reported that they have relevant files containing complete personal data, including copies of passports, medical certificates, and photographs.
The Telegram channel Kurbanoff.net clarified that this data pertains to the year 2023.
On January 31, the National Social Protection Agency announced preventive work in the "Unified National Social Protection" system. As a result, disruptions in the provision of electronic services were expected on the my.gov.uz portal until 5:00 AM on February 2.
The National Statistics Committee also issued a statement that there are no reasons for concern regarding the security of citizens' personal data related to the census. "Data is securely protected in accordance with national information security standards, and their leakage through external sources is impossible," the statement said. It was also reported that during the census, citizens' photographs were not uploaded to the database.
