Team PARANOID CODEIN Releases Database Leaks Along with XSS & SQLi Vulnerabilities Effecting 7 Brasilian Websites

Every now and again I come across some truly unique leaks, such as was the case yesterday. This is when I cam across a string of leaks posted by a hacker going by the name of “Etico Kartovy,” uncovered by a group of hackers going by the name of “Team PARANOID CODEIN” – aka “PCOD Team.” The leaks provided below are unique in that only some provide any actual data uncovered from within websites, instead choosing to publish the vulnerabilities of certain websites and how they can be exploited via “Cross-Site Scripting Attacks” (XSS) or “SQL Injection” (SQLi). These are the first such leaks of their kind I have ever come across, and there were se7en of them at that.

Effected by the data breaches provided below are the Hospital of Santa Casa, the Institute of Lands of the State of Piauí, Ligas Acadêmicas of the Federal University of Uberlandia, the Union of the Administrators of the Federal District of Sinda, the website of Support for Aquaculture, Brasil, the Federal Saving Bank of Caixa and the Interlegis Program, a Brasilian based political news outlet.

Website: hxxp://santacasacm.org.br
Raw Data Leak:

Website: hxxp://www.interpi.pi.gov.br
Raw Data Leak:

Website: hxxp://cardioliga.famed.ufu.br
Raw Data Leak:

Website: hxxp://www.sinda.org.br
SQL Injection Methodology:

Website: hxxp://sc-aqua.com.br
SQL Injection Methodology:

Website: hxxps://sidmfextrato.caixa.gov.br/
XXS Vulnerability:

Website: hxxp://www.interlegis.leg.br
SQL Injection Methodology:

Partido Democrático Traballhista (PDT) Hacked by Etico Kartovy, Account Credentials of 19 Party Politicians Leaked Online

Earlier this morning, January 23rd 2019, an independent hacker going by the name of “Etico Kartovy” announced a hack and data leak effecting the Democratic Labor Party (PDT) of Brasil. Included in the leaked data provided below are the login email addresses, usernames and passwords of 4 site administrators, granting full access to databases tied to the websites back-end, as well as Personal Identifiable Information (PII) on 19 high profile politicians belonging to the Party. This includes information such as the politicians personal email addresses, telephone numbers, user names and encrypted passwords used to log into their official accounts through the PDT web portal – providing direct access to any/all information they have uploaded or transmitted there.

It remains unclear is this hack was politically motivated or carried out as the random act of a vigilante hacker. What we do know is that Etico Kartovy says he is not finished, and that a much larger leak from the party is expected in the near future. In his Tweet first announcing the leak he even said as much, stating “wait for more, still not finished” – while inviting some of his online friends to join him in the festivities. This is also the second such large scale hack/leak effecting Brasilian political parties over recent months, adding to a comprehensive hack/leak of the Republican Party of Brasil on November 24th 2018.

Democratic Labor Party of Brasil: hxxp://pdtap.org.br/
Raw Data Leak: https://ghostbin.com/paste/ox7hy

Admin Credentials Leak:

No photo description available.

No photo description available.

Politicians Leak:

No photo description available.

Backup of Leak from Republican Party 11/24/2018:

[pdf-embedder url=”https://roguemedia.co/wp-content/uploads/2019/01/gho_fin.pdf”%5D

Full Story of Republican Party Hack: https://roguemedia.co/2018/11/24/republican-party-of-brasil-hacked-databases-leaked-online/