Data of 243 million Brazilians exposed online via website source code

The personal information of more than 243 million Brazilians, including alive and deceased, has been exposed online after web developers left the password for a crucial government database inside the source code of an official Brazilian Ministry of Health’s website for at least six months.

The security snafu was discovered by reporters from Brazilian newspaper Estadao, the same newspaper that last week discovered that a Sao Paolo hospital leaked personal and health information for more than 16 million Brazilian COVID-19 patients after an employee uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems on GitHub.

Estadao reporters said they were inspired by a report filed in June by Brazilian NGO Open Knowledge Brasil (OKBR), which, at the time, reported that a similar government website also left exposed login information for another government database in the site’s source code.

Since a website’s source code can be accessed and reviewed by anyone pressing F12 inside their browser, Estadao reporters searched for similar issues in other government sites.

They found a similar leak in the source code of e-SUS-Notifica, a web portal where Brazilian citizens can sign up and receive official government notifications about the COVID-19 pandemic.

Reporters said the site’s source code contained a username and password stored in Base64, an encoding format that can be easily decoded to obtain the initial username and password, with little to no effort.

The login information allowed access to SUS (Sistema Único de Saúde), the official database of the Brazilian Ministry of Health, which stored information on all Brazilians who signed up for the country’s public-funded health care system, established in 1989.

The database contained all the personal information a Brazilian provided to its government, from full names to home addresses, and from phone numbers to medical details.

The credentials have now been removed from the site’s source code, but it remains unclear if anyone has accessed the system and pilfered data on Brazilian citizens.

If unauthorized access would be discovered, this would be the largest security breach in the country’s history.