A Tier 0 data exposure event has hit the Khyber Pakhtunkhwa (KP) Provincial Government in Pakistan, with a threat actor publishing a raw SQL/CSV dump of the iams.kp.gov.pk administrative portal on a monitored hacker forum. The leak, confirmed by Brinztech threat intelligence on 16 April 2026, was offered free of charge and exposes the internal user registry of the province's Information and Advertisement Management System.

What Happened

A threat actor published a complete database dump of the internal user registry powering iams.kp.gov.pk, the portal believed to manage information and advertisement workflows for the KP provincial government. The data was made freely available on a monitored underground forum, removing any monetization barrier and dramatically broadening the pool of potential abusers. Analysis of the sample confirms a backend compromise of the public relations and media management department, exposing the operational hierarchy that controls government communications across the province.

What Was Taken

The exfiltrated dataset includes privileged authentication metadata such as system usernames (LOGIN_NAME), internal privilege levels (USER_LEVEL), and password hashes stored in the legacy MD5 format (LOGIN_PASS). High-fidelity identity records expose full names of government personnel paired with their official designations, including senior roles such as DG Information, Director Public Relations, Assistant Director I.T, and XEN. The dump also includes operational mapping data: department and office identifiers (DEPTT_ID, OFFICE_ID), as well as direct linkages to national media outlets and bureau chiefs at outlets including Mashriq, Aaj, and Awaz-e-Shehar.

Why It Matters

This breach is not a routine credential leak. The combination of crackable MD5 hashes, named senior officials, and mapped media relationships hands adversaries a turnkey kit for state-level disinformation operations. A successful login as DG Information or Admin IT would allow an attacker to push fraudulent press releases or manipulate state advertisements through legitimate government channels, with downstream amplification through the listed media bureaus. For a province sitting on a sensitive border region, the strategic value of such access to foreign intelligence services is significant.

The Attack Technique

The initial access vector has not been confirmed, but the exfiltration of an intact core user table is consistent with a SQL injection flaw in the iams.kp.gov.pk application layer or, alternatively, a misconfigured database service exposed to the public internet. The continued use of unsalted MD5 password hashing indicates the underlying application predates modern secure development practices and has not been refactored, suggesting broader hygiene issues across the .gov.pk estate. Without a salt, every account that shares a password shares a hash, and a single dictionary or rainbow-table pass recovers all of them at once; commodity GPU hardware computes billions of MD5 digests per second, so any administrator password drawn from a common wordlist should be assumed recovered.
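To make the suspected vector concrete, the following added example (written for this page, not code from the IAMS portal or from Brinztech) builds an in-memory SQLite table whose column names follow those cited in the leak (LOGIN_NAME, LOGIN_PASS, USER_LEVEL; the table name USERS and all rows are constructed) and shows how a login lookup built by string concatenation hands back the entire user table to a tautology payload, while the same lookup with a bound parameter returns nothing:

```python
"""
Added example: how an injectable login lookup dumps a whole user table.
Stand-in code only; the real iams.kp.gov.pk schema and code are unknown.
"""
import hashlib
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample table mirroring the leaked column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE USERS (LOGIN_NAME TEXT, LOGIN_PASS TEXT, USER_LEVEL INTEGER)"
    )
    rows = [
        # Unsalted MD5 of weak passwords, as the leak describes (values constructed here)
        ("dg_info", hashlib.md5(b"password").hexdigest(), 1),
        ("dir_pr", hashlib.md5(b"123456").hexdigest(), 2),
        ("ad_it", hashlib.md5(b"12345678").hexdigest(), 2),
    ]
    conn.executemany("INSERT INTO USERS VALUES (?, ?, ?)", rows)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, login_name: str) -> list:
    """Untrusted input is spliced straight into the SQL text."""
    sql = (
        "SELECT LOGIN_NAME, LOGIN_PASS, USER_LEVEL FROM USERS "
        f"WHERE LOGIN_NAME = '{login_name}'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, login_name: str) -> list:
    """Same query with a bound parameter: the input can only ever be a value."""
    sql = "SELECT LOGIN_NAME, LOGIN_PASS, USER_LEVEL FROM USERS WHERE LOGIN_NAME = ?"
    return conn.execute(sql, (login_name,)).fetchall()


# Classic tautology: closes the string literal and makes the WHERE clause always true.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run both lookups against the same payload and report row counts."""
    conn = setup_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PAYLOAD)),
        "hardened_rows": len(lookup_hardened(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable_rows': 3, 'hardened_rows': 0}
```

The payload here only widens a WHERE clause; UNION-based and blind variants reach the same result against other tables, and an exposed database port skips the application entirely. The fix is the same in every case: parameterised queries for all SQL, plus least-privilege database accounts that cannot read the credential table from the public-facing application.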

What Organizations Should Do

  1. Force an immediate password reset for every account in the iams.kp.gov.pk user table and any account where credentials may have been reused on adjacent .gov.pk properties.
  2. Migrate authentication storage from MD5 to a modern adaptive hash (Argon2id or bcrypt with appropriate cost). Wrap every existing MD5 digest in the new hash immediately, offline, rather than waiting for each user's next login, so that nothing crackable remains at rest; then rehash from the plaintext password on first successful login. Enforce mandatory MFA for all administrative roles.
  3. Conduct a full SAST/DAST and authenticated penetration test against the IAMS application, prioritizing SQL injection, broken access control, and exposed admin endpoints.
  4. Monitor for spear-phishing activity targeting the named officials, particularly messages impersonating internal IT or press desk workflows.
  5. Deploy WAF rules and database activity monitoring on all internet-facing .gov.pk applications, with alerting on bulk SELECT operations against user tables.
  6. Engage with listed media partners (Mashriq, Aaj, Awaz-e-Shehar) to establish out-of-band verification procedures for any press releases or advertisement requests originating from the portal.
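The two password-related points above, that unsalted MD5 falls to a dictionary pass and that the stored hashes should be upgraded without waiting for users to log in, are shown together in this added example (written for this page, not code from the IAMS portal). It uses hashlib.scrypt from the Python standard library as a stand-in for Argon2id or bcrypt, because those require third-party packages; the scrypt parameters, record format, usernames and wordlist are all constructed assumptions:

```python
"""
Added example: (1) dictionary attack on unsalted MD5, (2) wrap-then-rehash
migration to a salted, memory-hard KDF. Stand-in code; not the portal's own.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist. A real attack uses multi-gigabyte lists on GPU hardware.
WORDLIST = ["password", "123456", "admin123", "kpgovt", "Peshawar2020"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(records: Dict[str, str]) -> Dict[str, str]:
    """One MD5 per candidate word cracks every account that used it: with no
    salt, identical passwords produce identical digests across all users."""
    lookup = {md5_hex(word): word for word in WORDLIST}
    return {user: lookup[digest] for user, digest in records.items() if digest in lookup}


# Stand-in KDF: scrypt, n=2**14, r=8, p=1 (assumed interactive-login setting;
# raise n for production). Argon2id or bcrypt would take its place in practice.
def kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(secret, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def wrap_legacy(md5_digest: str) -> str:
    """Offline step over the whole table: wrap the existing MD5 digest in the
    slow salted KDF. Needs no plaintext, so it can run before anyone logs in."""
    salt = os.urandom(16)
    return "scrypt-md5$" + salt.hex() + "$" + kdf(md5_digest.encode(), salt).hex()


def hash_fresh(password: str) -> str:
    """Final record format, computed directly from the plaintext password."""
    salt = os.urandom(16)
    return "scrypt$" + salt.hex() + "$" + kdf(password.encode(), salt).hex()


def verify(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, upgraded_record). A wrapped legacy record is verified by
    recomputing MD5 then the KDF; on success it is rehashed from the plaintext
    so the MD5 layer disappears from the record."""
    scheme, salt_hex, digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "scrypt-md5":
        candidate = kdf(md5_hex(password).encode(), salt)
    elif scheme == "scrypt":
        candidate = kdf(password.encode(), salt)
    else:
        return False, None
    ok = hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    if ok and scheme == "scrypt-md5":
        return True, hash_fresh(password)
    return ok, None


if __name__ == "__main__":
    # Constructed legacy rows in the leaked table's shape (LOGIN_NAME -> LOGIN_PASS)
    legacy = {"dg_info": md5_hex("password"), "dir_pr": md5_hex("kpgovt"),
              "ad_it": md5_hex("Vq7!x2Lp#9rT")}
    print("cracked:", crack_unsalted_md5(legacy))
    wrapped = wrap_legacy(legacy["dg_info"])
    ok, upgraded = verify(wrapped, "password")
    print("login ok:", ok, "| upgraded to:", upgraded.split("$")[0])
```

Wrapping the MD5 digest does not make the old password stronger; it only removes the fast, unsalted hash from disk so a second dump cannot be cracked at MD5 speed. The forced reset in step 1 is still required, since the attacker already holds the original digests.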

Sources: Khyber Pakhtunkhwa Government (KP.GOV.PK) Admin Database Leak