A Tier 0 data exposure event has hit the Khyber Pakhtunkhwa (KP) Government in Pakistan, with a threat actor publishing a raw SQL/CSV database dump of the iams.kp.gov.pk portal on a monitored hacker forum. The leak, confirmed by Brinztech threat intelligence on 16 April 2026, was offered for free and exposes the administrative backbone of the province's Information and Advertisement Management System.
What Happened
A threat actor exfiltrated and published the internal user registry of the iams.kp.gov.pk portal, the Information and Advertisement Management System used by the Khyber Pakhtunkhwa provincial government. The dump was released openly on a monitored underground forum at no cost, signalling either a reputation play by the actor or an intent to maximise downstream abuse. Sample analysis confirms a complete backend database compromise of the public relations and media management department's administrative hierarchy.
What Was Taken
The exposed dataset includes privileged authentication metadata such as core system usernames (LOGIN_NAME), internal privilege levels (USER_LEVEL), and password hashes (LOGIN_PASS) stored in the legacy and trivially crackable MD5 format. High-fidelity identity records cover full names of government personnel and their official designations, including DG Information, Director Public Relations, Assistant Director I.T, and XEN. Operational context fields, including DEPTT_ID and OFFICE_ID mappings, link the records to external national media outlets and bureau chiefs at Mashriq, Aaj, and Awaz-e-Shehar.
Why It Matters
This is not a routine credential leak. The dataset hands adversaries a full org chart of the KP government's communications apparatus, paired with crackable hashes for the very accounts that authorise public statements. Any actor who recovers the "Admin IT" or "DG Information" credentials could hijack the portal to push fraudulent press releases, manipulate state advertisements, or seed disinformation through legitimate national media pipelines. For a province sitting on a sensitive geopolitical frontier, the influence-operations potential rivals the direct intrusion risk.
The Attack Technique
Brinztech's analysis indicates the exfiltration of an entire user table is consistent with an unpatched SQL Injection (SQLi) vulnerability or severely misconfigured access controls on the .gov.pk portal. The persistence of MD5 password hashing further suggests the application stack has not received meaningful security hardening in years, leaving multiple layers of the trust chain weak simultaneously.
What Organizations Should Do
- Force an immediate password reset for every account in the iams.kp.gov.pk user registry and any account reusing those credentials across .gov.pk infrastructure.
- Migrate password storage from MD5 to a modern, salted, memory-hard algorithm such as Argon2id or bcrypt with appropriate work factors.
- Audit all .gov.pk web applications for SQL Injection and broken access control using both SAST and authenticated DAST scans, then patch identified flaws on a priority basis.
- Deploy multi-factor authentication on all administrative portals, particularly those tied to public communications and media workflows.
- Brief named officials in the leaked dataset on heightened spear-phishing risk and enable email authentication controls (DMARC, SPF, DKIM) at enforcement.
- Engage media partners listed in the dump to validate inbound communications out-of-band before publication, blocking disinformation pivots.
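The MD5-to-memory-hard migration recommended above, as an added example that is not code from the affected portal or from Brinztech. It assumes a user table with the leaked column names LOGIN_NAME and LOGIN_PASS, uses scrypt from the Python standard library so it runs without third-party packages (swap in argon2-cffi's PasswordHasher for Argon2id in production), and shows the two steps a defender needs: wrap every stored MD5 hash immediately so a future dump no longer contains raw MD5, then rehash to a direct scrypt hash the next time each user logs in.

```python
import base64
import hashlib
import hmac
import os
import re

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # work factors; tune to your hardware

def _scrypt(secret: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)

def _encode(scheme: str, salt: bytes, dk: bytes) -> str:
    return "%s$%s$%s" % (scheme, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def legacy_md5(password: str) -> str:
    """Unsalted MD5 as the leaked portal stored it; only used to verify or build legacy rows."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    """Direct salted scrypt hash for new passwords and for rehash-on-login."""
    salt = os.urandom(16)
    return _encode("scrypt", salt, _scrypt(password.encode(), salt))

def wrap_legacy_md5(md5_hex: str) -> str:
    """Re-protect a stored MD5 hash right now, without knowing the password."""
    salt = os.urandom(16)
    return _encode("scrypt-md5", salt, _scrypt(md5_hex.encode(), salt))

def verify(stored: str, password: str) -> bool:
    """Accept raw MD5, wrapped MD5 and direct scrypt, always with constant-time compare."""
    if MD5_HEX.match(stored):
        return hmac.compare_digest(legacy_md5(password), stored)
    scheme, salt_b64, dk_b64 = stored.split("$")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    secret = legacy_md5(password).encode() if scheme == "scrypt-md5" else password.encode()
    return hmac.compare_digest(_scrypt(secret, salt), expected)

def login(record: dict, password: str) -> bool:
    """Verify; on success upgrade any legacy or wrapped hash to a direct scrypt hash."""
    if not verify(record["LOGIN_PASS"], password):
        return False
    if not record["LOGIN_PASS"].startswith("scrypt$"):
        record["LOGIN_PASS"] = hash_password(password)
    return True

def migrate_table(users: list) -> int:
    """Wrap every raw MD5 row in place; returns the number of rows changed."""
    changed = 0
    for row in users:
        if MD5_HEX.match(row["LOGIN_PASS"]):
            row["LOGIN_PASS"] = wrap_legacy_md5(row["LOGIN_PASS"])
            changed += 1
    return changed
```

After `migrate_table` runs, no row in the table is directly crackable with an MD5 wordlist, and `login` finishes the upgrade per user as they authenticate.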
Sources: Khyber Pakhtunkhwa Government (KP.GOV.PK) Admin Database Leak