▣ Breach URUGUAY-58M-CITIZE 2026-05-21

Uruguay DNIC: Alleged Dark Web Leak of 5.8M Citizen Records

A dataset allegedly tied to Uruguay's National Directorate of Civil Identification (DNIC) is reportedly being circulated freely across dark web forums, containing approximately 5.8 million citizen records. The figure exceeds Uruguay's national population of roughly 3.5 million, suggesting the trove includes historical records and individuals born as recently as early 2020. While authenticity remains unverified, the scale and free redistribution model make this one of the most consequential identity exposure allegations in the country's history.

What Happened

Threat intelligence accounts monitoring underground forums began flagging the alleged DNIC database earlier this week, with copies reportedly propagating across X channels and dark web criminal communities. Unlike typical breaches where stolen data is sold privately to maximize profit, this dataset is allegedly being distributed for free, dramatically lowering the barrier for downstream abuse by lower-tier criminal actors. Threat actors claim the data was extracted over time through weaknesses in exposed API infrastructure rather than a single intrusion event. Uruguayan authorities have not yet publicly confirmed or denied the breach, and independent verification by researchers is ongoing.

What Was Taken

According to actor claims, the dataset contains approximately 5.8 million records with the following fields:

Because the record count exceeds the living population, analysts assess the archive likely contains deceased citizens, expired records, and full historical civil registration data, effectively a near-complete identity snapshot of the country.

Why It Matters

National identity data is structurally different from credential leaks. Passwords can be rotated, payment cards can be reissued, but a national identification number is a lifetime identifier baked into banking, healthcare, tax, voting, and immigration systems. Once leaked, this data becomes permanent criminal infrastructure, fueling synthetic identity fraud, account takeover, tax fraud, and impersonation for years or decades. The free-distribution model compounds the risk: rather than sitting in the hands of a few sophisticated actors, the dataset is now available to opportunistic fraudsters worldwide. For a country of 3.5 million, this represents a systemic risk to nearly every financial, governmental, and healthcare relationship in Uruguay.

The Attack Technique

Threat actors attribute the exposure to insecure API infrastructure operated by or connected to the DNIC, citing three specific weaknesses:

This pattern, slow extraction via under-protected APIs, is increasingly common against digital government identity systems and is difficult to detect without behavioral monitoring at the API gateway layer. The attack does not require traditional malware or credential compromise; it leverages design weaknesses in the public-facing identity service itself.

What Organizations Should Do

  1. Enforce strict rate limiting and quota controls on every identity-lookup or citizen-data API, with per-IP, per-token, and per-account thresholds tuned to legitimate business volume.
  2. Implement behavioral API monitoring to detect anomalous enumeration patterns, sequential ID scans, and off-hours bulk lookups that indicate scraping rather than legitimate use.
  3. Apply zero-trust access controls to identity APIs, including mandatory authentication, scoped tokens, mutual TLS for service-to-service calls, and least-privilege authorization checks on every request.
  4. Audit historical access logs for evidence of slow, distributed extraction over months or years, the typical signature of this attack pattern.
  5. Prepare downstream fraud controls for Uruguayan citizens and any business serving them: step up KYC, require liveness checks, and treat Cedula numbers as compromised identifiers rather than secrets.
  6. Coordinate with national CERT and DNIC to share indicators, validate the leak's contents, and align public guidance for affected citizens.
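
Steps 2 and 4 above can be sketched as a log audit. This is an added example, not code from the source article or from DNIC. The log layout, the /api/v1/citizen/ path, the token names and the thresholds are all assumptions made for illustration, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout (constructed for this example, not DNIC's format):
#   <ISO timestamp> <client IP> <token id> GET /api/v1/citizen/<id> <status>
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (\S+) (\S+) GET /api/v1/citizen/(\d+) \d{3}$")

def find_enumerators(lines, min_ids=20, min_seq_ratio=0.8, off_hours=(0, 6)):
    """Flag tokens whose lookups over the whole log resemble ID enumeration."""
    # Aggregate per token across the full history, not a short rate window,
    # so a scan spread thinly over many days and source IPs still adds up.
    stats = defaultdict(lambda: {"ids": set(), "ips": set(), "days": set(), "night": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped, not fatal
        ip, token = m.group(2, 3)
        ts, s = datetime.fromisoformat(m.group(1)), stats[token]
        s["ids"].add(int(m.group(4)))
        s["ips"].add(ip)
        s["days"].add(ts.date())
        s["night"] += off_hours[0] <= ts.hour < off_hours[1]
    findings = []
    for token, s in stats.items():
        ordered = sorted(s["ids"])
        # Share of neighbouring distinct IDs that differ by exactly 1.
        adjacent = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        seq_ratio = adjacent / max(len(ordered) - 1, 1)
        if len(ordered) >= min_ids and seq_ratio >= min_seq_ratio:
            findings.append({"token": token, "distinct_ids": len(ordered),
                             "seq_ratio": round(seq_ratio, 2), "source_ips": len(s["ips"]),
                             "active_days": len(s["days"]), "off_hours_requests": s["night"]})
    return findings

def sample_log():
    """Constructed data: tok-scan walks 40 IDs, one a day; tok-app is normal."""
    start, lines = datetime(2026, 1, 1), []
    for i in range(40):  # slow scan at 03:00, rotating over 4 source IPs
        ts = (start + timedelta(days=i, hours=3)).isoformat()
        lines.append(f"{ts} 203.0.113.{i % 4 + 1} tok-scan GET /api/v1/citizen/{1000000 + i} 200")
    for i in range(30):  # scattered business-hours lookups from one IP
        ts = (start + timedelta(days=i, hours=10)).isoformat()
        lines.append(f"{ts} 198.51.100.7 tok-app GET /api/v1/citizen/{2000000 + i * 7919} 200")
    return lines

if __name__ == "__main__":
    print(*find_enumerators(sample_log()), sep="\n")
```

In the sample, tok-scan makes only one request per day and would pass any per-minute rate limit, yet its lifetime profile (40 consecutive IDs, 4 source IPs, all requests at 03:00) is flagged while tok-app is not.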

Sources: Uruguay's Alleged 58 Million Citizen Data Leak Sparks Fears of Long-Term Identity Abuse