Uruguay DNIC: Alleged 5.8M Citizen Database Leak

A forum actor operating under the alias LaPampaLeaks has published what they claim is a Uruguay Dirección Nacional de Identificación Civil (DNIC) citizen database containing more than 5.8 million records. The dataset allegedly includes national ID numbers (cédula de identidad), first names, and surnames tied to Uruguayan citizens. The leak was reported by Dark Web Informer on May 20, 2026, with the actor dating the post to May 17, 2026, and describing the release as free after the data had reportedly circulated in closed Telegram groups.

What Happened

LaPampaLeaks posted the alleged DNIC citizen database to an underground forum, providing a structured preview of the records and hidden download content said to contain the complete file. The actor's commentary indicates the dataset was not new to the underground economy, having previously moved through private Telegram channels before being released publicly at no cost. Given Uruguay's population of approximately 3.4 million, a 5.8 million record count suggests the dataset may include historical, deceased, or duplicate identity entries spanning many years of DNIC records. The leak remains an unverified underground forum claim, but the preview structure and field composition are consistent with prior government identity registry breaches in the region.

What Was Taken

According to the actor's post and the preview screenshots, the leaked dataset reportedly contains:

• Cédula de identidad (national ID) numbers, Uruguay's primary citizen identifier
• Citizen first names
• Citizen surnames
• Related DNIC-linked citizen record fields shown in the preview structure

National ID numbers in Uruguay are used across banking, healthcare, tax filings, voter rolls, telecom contracts, and government service authentication. Their exposure at population scale represents one of the most sensitive categories of personal data a country can lose.

Why It Matters

A leak of this magnitude effectively undermines the foundational identifier used across Uruguay's public and private sectors. Cédula numbers function as the de facto authentication factor for knowledge-based verification at banks, telcos, and government portals. With 5.8 million records circulating freely, attackers can pair these identifiers with breached email and phone datasets from prior incidents to construct convincing fraud campaigns. The free release model is particularly concerning because it democratizes access to the data: rather than a small set of vetted buyers, the dataset is now available to any low-skill actor browsing the forum, dramatically increasing the volume of downstream abuse Uruguay's defenders should expect.

The Attack Technique

The original intrusion vector has not been disclosed by the actor and has not been confirmed by DNIC or any Uruguayan government authority. LaPampaLeaks's reference to the data previously circulating in private Telegram groups suggests the breach occurred earlier and was monetized or traded before being burned with this public release. Historical patterns in Latin American government identity leaks point to common causes such as exposed database services, third-party contractor compromise, insider data extraction, and unpatched web application flaws on citizen-facing portals. Until the agency confirms an incident or attribution emerges, the entry point should be treated as unknown.

What Organizations Should Do

Defenders in Uruguay and organizations serving Uruguayan customers should act on the assumption that cédula numbers are no longer secret:

1. Deprecate cédula numbers as a sole knowledge-based authentication factor; require an additional verification step (one-time passcode, document liveness check, or biometric) for account recovery, high-value transactions, and onboarding.
2. Increase fraud monitoring thresholds for new account openings, SIM swap requests, and credit applications referencing Uruguayan identity numbers over the next 90 days.
3. Brief frontline customer service and KYC teams on the leak and update social engineering scripts that anticipate attackers possessing accurate name plus cédula combinations.
4. Hunt for unusual access patterns to citizen-facing portals, partner integrations with DNIC data, and any contractor-managed identity stores that may share lineage with the leaked dataset.
5. Coordinate with CERTuy and sector regulators for any official guidance, and prepare customer-facing notifications acknowledging heightened identity theft risk.
6. Validate that downstream identity verification vendors are not silently relying on cédula plus name matching as a sufficient verification baseline.

Sources: Uruguay DNIC allegedly leaked: 5.8M citizen database records exposed