Hacked List of 91 Million Mexican Voters to Sell to Highest Bidder

Photo: Google


A filtered list with personal data on 91 million Mexican registered voters hackled from the National Electoral Institute (INE) has been made public on the World Wide Web according to cybersecurity specialists.

According to the daily newspaper Reforma, an unidentified internet user claims to have the complete database, updated through 2021, in his possession.

The database allegedly contains the personal information of all 91 million registered voters, including their date of birth, full name, address, gender and Individual National Identification (CURP).

“I reviewed the data that the internet user put into evidence, which was about 99,000 names, and, based on the ones that I reviewed, the list seems to be authentic,” Hiram A. Camarillo, the cofounder and director of the private-sector cybersecurity group of Seekurity told Reforma.

According to Camarillo, the hacked database has records from all Mexican states, and whoever uploaded it to the internet could have been marketing or giving away these files since as far back as 2018.

“The information he has shared has been true in the past, so it is very likely that the leaked data from the INE is correct,” Camarillo said.

Camarillo warned that the scope of this case could imply a greater vulnerability in the INE’s systems.

“If someone exploited a vulnerability that allows a complete database to be extracted, we are talking about a very big security problem because that takes a long time to extract that much data,” he said.

“Maybe you extract record-by-record and that may take anywhere from minutes to hours tp days. Perhaps the information was extracted at a rate of 100 records per minute, but even still, we are talking about 91 million records.#

Camarillo said that if the INE never realized that the information was taken, “it does not have adequate protection tools or no one was monitoring the information.”

“Another possibility it that  someone inside the INE extracted the data,” he said.

The INE will now have to hire an independent monitoring system to identify how far the database hack reached and how it was used.

Some documents that could be obtained with the data exposed in the database are the covid-19 vaccination files, birth certificates and registries of professional certificates, he said.

The data could also be used to falsify voter credentials or carry out more targeted phishing campaigns.

The user who claims to have the database is allegedly asking for a $2,500 fee to release the full list.

“A few hours ago, they wanted $750, then they raised their fee to $1,000. And now they want $2,500,” said Victor Ruiz, head of the Silink cyber firm.

“The person who published the first 99,000 names said that they  will continue to raise the price until someone buys it.”


Leave a Reply