ShellCodeX
Tools • Events • News • Insights
ShellCodeX Breach Report

eThekwini Municipality Data Breach

eservices.durban.gov.za
Limited exposure
Verified breach Passwords exposed
Accounts exposed 81,830
Breach date 07 Sep 2016
Added to tracker 15 Sep 2016
Data classes 11

What happened

In September 2016, the new eThekwini eServices website in South Africa was launched with a number of security holes that lead to the leak of over 98k residents' personal information and utility bills across 82k unique email addresses. Emails were sent prior to launch containing passwords in plain text and the site allowed anyone to download utility bills without sufficient authentication. Various methods of customer data enumeration was possible and phishing attacks began appearing the day after launch.

Exposed data

Dates of birth Deceased date Email addresses Genders Government issued IDs Names Passport numbers Passwords Phone numbers Physical addresses Utility bills

Recommended actions

  • Change your eThekwini Municipality password immediately, and update it anywhere you reused the same password.
  • Enable two-factor authentication on the affected account and on your critical services (email, banking).
  • Watch for targeted phishing emails referencing eThekwini Municipality — attackers weaponise breach data quickly.
  • Stay alert for smishing (SMS phishing) and SIM-swap attempts using your phone number.
  • Exposed identity data raises identity-theft risk — consider credit monitoring or a credit freeze.
Am I affected? Check whether your email address appears in this breach.
Check on HIBP