ShellCodeX Breach Report
eThekwini Municipality Data Breach
eservices.durban.gov.za
Verified breach
Passwords exposed
Accounts exposed
81,830
Breach date
07 Sep 2016
Added to tracker
15 Sep 2016
Data classes
11
What happened
In September 2016, the new eThekwini eServices website in South Africa was launched with a number of security holes that lead to the leak of over 98k residents' personal information and utility bills across 82k unique email addresses. Emails were sent prior to launch containing passwords in plain text and the site allowed anyone to download utility bills without sufficient authentication. Various methods of customer data enumeration was possible and phishing attacks began appearing the day after launch.
Exposed data
Dates of birth
Deceased date
Email addresses
Genders
Government issued IDs
Names
Passport numbers
Passwords
Phone numbers
Physical addresses
Utility bills
Recommended actions
- Change your eThekwini Municipality password immediately, and update it anywhere you reused the same password.
- Enable two-factor authentication on the affected account and on your critical services (email, banking).
- Watch for targeted phishing emails referencing eThekwini Municipality — attackers weaponise breach data quickly.
- Stay alert for smishing (SMS phishing) and SIM-swap attempts using your phone number.
- Exposed identity data raises identity-theft risk — consider credit monitoring or a credit freeze.
Am I affected?
Check whether your email address appears in this breach.
Check on HIBP