Details of 44m Pakistani mobile users leaked online, part of bigger 115m cache

The leak has been under investigation in Pakistan since last month, April 2020.

The details of 44 million Pakistani mobile subscribers have leaked online this week, ZDNet has learned.

The leak comes after a hacker tried to sell a package containing 115 million Pakistani mobile user records last month for a price of $2.1 million in bitcoin.

ZDNet has obtained copies of both data sets. We received all 44 million records released online today, and we also received a sample of 55 million user records that were part of the 115 million data dump. Based on the data sets, we can conclude that the two are the same.

According to our analysis of the leaked files, the data contained both personally identifiable and telephony-related information. This includes the likes of:

  • Customer full names
  • Home addresses (city, region, street name)
  • National identification (CNIC) numbers
  • Mobile phone numbers
  • Landline numbers
  • Dates of subscription

The data included details for both Pakistani home users and local companies alike.

Details for companies matched public records and public phone numbers listed on companies' websites. In addition, ZDNet also verified the validity of the leaked data with multiple Pakistani users.

Based on the dates of subscription, the oldest entries in the leaked files are from late 2013, suggesting that hackers either got their hands on an older backup file, or the breach took place in 2013, and only now surfaced online.

The vast majority of entries in the leaked files contained mobile phone numbers belonging to Jazz (formerly Mobilink), a Pakistani mobile operator. However, ZDNet also identified phone numbers that appeared to belong to other mobile operators.

As a result, we could not conclude based on actual and tangible evidence that the data was taken from Jazz servers. Currently, it is unclear if the data came from Jazz itself, a government organization, a Jazz partner, or a telemarketing firm.

A Jazz spokesperson did not reply to a request for comment; however, the company previously disputed that the data came from its servers.

The incident is already under investigation in Pakistan, where the Pakistan Telecommunication Authority (PTA) and the Federal Investigation Agency (FIA) have been looking into the matter since last month, when a hacker first tried to sell the entire 115 million batch on a hacker forum.

Threat intelligence company Rewterz, which first spotted the April forum ad and analyzed data samples, also concluded that the data was real, and also avoided directly blaming Jazz, lacking any evidence.
