A cybercriminal offered root access to the Bangalore Water Supply and Sewerage Board’s database for just Rs. 41,500, exposing sensitive information of more than 2,90,000 citizens.
An investigation reveals how a simple misconfiguration — an exposed .env file — led to the breach, highlighting the growing dangers of poor cybersecurity hygiene in public utilities.
A Price Tag on Public Trust: How the Breach Was Discovered
In early April 2025, cybersecurity researchers came across a chilling post on an underground forum. A threat actor operating under the alias pirates_gold had offered direct root access to the Bangalore Water Supply and Sewerage Board’s (BWSSB) database — and the price was shockingly low: Rs. 41,500.
The advertisement claimed access to over 291,212 user records, including full names, Aadhaar numbers, complete addresses, emails, and phone numbers. Alarmingly, pirates_gold seemed eager to sell, hinting at a willingness to accept lower offers in private negotiations.
During direct engagement with the actor, researchers found evidence that the breach stemmed from an exposed subdomain (owc.bwssb.gov.in) hosting an administrative portal with an improperly secured Adminer tool — a database management interface. Even more critically, an .env configuration file containing plain-text MySQL database credentials was left publicly accessible, effectively handing over the keys to BWSSB’s digital kingdom.
Though the exposed file and credentials were later taken offline, the damage had already been done. The attacker claimed to have installed a backdoor, although CloudSEK has not independently confirmed ongoing access.
Inside the Breach: Anatomy of the Failure
This investigation paints a grim picture of neglected cybersecurity fundamentals at a critical public utility.
The exposed .env file — a basic configuration file often used to store secret credentials — allowed pirates_gold to validate root access using the same username and password found within it. Combined with the openly available Adminer interface, this access granted the threat actor unrestricted control over the database.
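The two conditions described above, a secrets file served straight from the web root and a database-admin UI reachable without any access-control layer, leave a recognisable trail in ordinary web-server access logs. The following is an added detection example, not code from the article, from BWSSB or from CloudSEK: it parses the nginx/Apache "combined" log format (an assumption about the target's logging), normalises the requested path so that encoded or traversal variants of `/.env` are not missed, and rates each hit by whether content was actually delivered. All log lines, IP addresses and timestamps below are constructed for illustration.

```python
"""Detect the access pattern behind an exposed-.env / public-Adminer breach
in web-server access logs.

Added example (not from the article, BWSSB or CloudSEK). Assumes the
nginx/Apache "combined" log format. The sample log lines, IPs and
timestamps are constructed for illustration.
"""
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Files that should never be served from a web root.
SECRET_RE = re.compile(r'^/(\.env(\.[\w.-]+)?|\.git(/.*)?|\.htpasswd)$')
# Database-admin UIs that should never be reachable without an access-control layer.
ADMIN_RE = re.compile(r'(^|/)(adminer(-[\d.]+)?\.php|phpmyadmin|pma)(/|$)', re.IGNORECASE)


def normalize(target):
    """Drop the query string, URL-decode, and collapse ./.. so that
    /%2Eenv or /static/../.env are both seen as /.env."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(path) or "/"


def classify(path):
    if SECRET_RE.match(path):
        return "secret"
    if ADMIN_RE.search(path):
        return "admin"
    return None


def severity(kind, status):
    if kind == "secret":
        # A 2xx means the file contents were actually delivered to the client.
        return "critical" if status.startswith("2") else "probe"
    # An admin tool answering 2xx/3xx is reachable; a 4xx is only a probe.
    return "high" if status[0] in "23" else "probe"


def detect(lines):
    """Return one finding per request that touched a secret file or admin tool."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        path = normalize(m.group("target"))
        kind = classify(path)
        if kind is None:
            continue
        findings.append({
            "ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "status": m.group("status"), "kind": kind,
            "severity": severity(kind, m.group("status")),
        })
    return findings


def sources(findings):
    """Hits per client IP: the first thing an incident responder scopes."""
    return Counter(f["ip"] for f in findings)


# Constructed sample log (RFC 5737 documentation addresses, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2025:10:14:02 +0530] "GET /.env HTTP/1.1" 200 412 "-" "curl/8.4.0"
203.0.113.5 - - [02/Apr/2025:10:14:09 +0530] "GET /adminer.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Apr/2025:10:14:15 +0530] "POST /adminer.php?server=localhost HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2025:10:20:00 +0530] "GET /static/../.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
192.0.2.9 - - [02/Apr/2025:10:21:30 +0530] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Apr/2025:10:22:00 +0530] "GET /%2Eenv HTTP/1.1" 403 162 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['severity']:8} {f['ip']:14} {f['method']:4} {f['path']} -> {f['status']}")
    print(sources(found))
```

The distinction between "critical" and "probe" matters in practice: scanners request `/.env` on every host they see, so a 403 or 404 is background noise, whereas a single 200 on that path means the credentials in the file should be treated as compromised and rotated immediately.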
Analysis of the data tables confirmed the compromise of payment records, application details, grievance logs, and sensitive PII (Personally Identifiable Information) of over 290,000 applicants, a goldmine for cybercriminals looking to launch phishing attacks, commit identity fraud, or even disrupt public services.
CloudSEK’s threat intelligence also revealed that pirates_gold is a moderately active member of notorious cybercrime forums, previously linked to breaches in healthcare, finance, e-commerce, and even government sectors across multiple countries.
The modus operandi involved three main profit strategies:
- Selling root-level access to organizations’ databases.
- Monetizing data dumps via underground forums.
- Offering access brokerage for financial gains.
The breach of BWSSB adds another troubling chapter to an expanding list of targets.
Fallout and Urgent Need for Reform
The ramifications of this breach extend beyond stolen data; it shakes public confidence in essential urban infrastructure, particularly as Indian cities race toward “smart city” transformations.
Given the nature of the stolen data, detailed profiles tied to government services, citizens of Bengaluru are now vulnerable to highly targeted social engineering and fraud. Attackers equipped with accurate PII can craft convincing scams, potentially leading to financial losses or more sinister exploitation.
CloudSEK has strongly recommended that BWSSB undertake immediate damage control steps, including:
- Comprehensive security audits to detect residual threats or backdoors.
- Revocation and rotation of all exposed credentials.
- Restricting access to administrative interfaces, ensuring they are never publicly exposed without robust access controls such as VPNs or IP whitelisting.
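The first and third recommendations, an audit for residual exposure and keeping administrative interfaces out of the public web root, can be partly automated as a pre-deployment check. The following is an added example, not code from the article, from BWSSB or from CloudSEK: it walks a web document root, reports secret files, version-control metadata and database-admin tools that the web server would serve, and, for any dotenv file it finds, lists the credential keys that need rotating. The demo tree built by `build_demo_tree()`, including its key names and values, is constructed for illustration.

```python
"""Pre-deployment audit of a web document root.

Added example (not from the article, BWSSB or CloudSEK). Finds files that
must never sit under a served root, and lists dotenv credential keys that
would have to be rotated if the file was ever reachable. The demo tree is
constructed; every value in it is made up.
"""
import os
import re
import stat
import tempfile

# File names that should never be inside a served root.
SECRET_FILE_RE = re.compile(r'^(\.env(\..+)?|\.htpasswd|.*\.(pem|key|sql|bak))$')
# Database-admin UIs that should live behind a VPN/IP allow-list, not in the root.
ADMIN_TOOL_RE = re.compile(r'^(adminer(-[\d.]+)?\.php|phpmyadmin)$', re.IGNORECASE)
# Dotenv keys whose value is a credential.
CRED_KEY_RE = re.compile(r'(PASS|PASSWORD|SECRET|TOKEN|_KEY)$', re.IGNORECASE)


def credential_keys(env_path):
    """Keys in a dotenv file that carry a non-empty, credential-looking value."""
    keys = []
    with open(env_path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            key, value = key.strip(), value.strip().strip('"\'')
            if CRED_KEY_RE.search(key) and value:
                keys.append(key)
    return keys


def audit_docroot(root):
    """Return one finding per file/directory that should not be served."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        if ".git" in dirnames:
            findings.append({"path": os.path.join(rel_dir, ".git"), "severity": "critical",
                             "reason": "VCS metadata inside served root (source and history leak)"})
            dirnames.remove(".git")  # no need to descend into it
        for name in filenames:
            rel, full = os.path.join(rel_dir, name), os.path.join(dirpath, name)
            if SECRET_FILE_RE.match(name):
                f = {"path": rel, "severity": "critical",
                     "reason": "secret/config file inside served root",
                     "world_readable": bool(os.stat(full).st_mode & stat.S_IROTH)}
                if name.startswith(".env"):
                    f["rotate"] = credential_keys(full)  # rotate these if ever exposed
                findings.append(f)
            elif ADMIN_TOOL_RE.match(name):
                findings.append({"path": rel, "severity": "high",
                                 "reason": "database admin UI in served root; "
                                           "remove or put behind VPN/IP allow-list"})
    return findings


def build_demo_tree():
    """Constructed document root that reproduces the misconfiguration pattern."""
    root = tempfile.mkdtemp(prefix="docroot-demo-")
    os.makedirs(os.path.join(root, ".git"))
    os.makedirs(os.path.join(root, "static"))
    files = {
        "index.php": "<?php echo 'hello'; ?>\n",
        ".env": ("APP_ENV=production\nDB_HOST=127.0.0.1\nDB_USERNAME=root\n"
                 "DB_PASSWORD=example-not-real\nAPP_KEY=base64:demo-value\n"),
        "adminer.php": "<?php // placeholder standing in for a DB admin tool ?>\n",
        "static/app.css": "body{}\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in audit_docroot(build_demo_tree()):
        extra = f" rotate={f['rotate']}" if f.get("rotate") else ""
        print(f"{f['severity']:8} {f['path']:12} {f['reason']}{extra}")
```

Running the audit in a deployment pipeline turns "never publicly exposed" from a policy statement into a failing build: a non-empty findings list blocks the release, and the `rotate` list tells the operator exactly which secrets to revoke if the file has already been live.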