#OpAfrica hits vreport

Super-brief introduction

So, #OpAfrica are being very busy little bees. I’m trying to mentally process the data dumped from the Water Affairs leak (both in terms of scale and apparent incompetence), so just to be thorough here’s a look at the other earlier dump.

VReports, as far as we can see, is just a jobseeker website.


It’s not doing insanely well at the time of writing, as it looks likes its DB credentials are disabled (point for future, you really shouldn’t expose details like this guys).

VReport DB Dead

It’s probably pretty safe to assume that either they accidentally locked the account while getting in, intentionally locked it when getting out, or more likely the account was disabled to prevent any further leaks. But what was leaked?


The original dump notes that,

We had information about +33.000 Job Seekers. But we just prefer to publish government officers data.

Which is nice of them, I guess. So what did they dump?

They dumped 54 lines of what appears to be a copy from a website, given the presence of the Edit  text on the right hand side. Based on the screenshots they provided, it appears to be from an admin portal. So what can we do with what they dumped?

Not a whole lot, it looks like. They’ve provided first names, surnames, e-mail addresses and ID numbers. None of these are particularly exciting – in fact, they’re remarkably unexciting. So boring that all of the ID numbers are valid even.

There’s one relatively close call, being that they’ve almost provided all of the details to retrieve certification information on the main site, except that that requires a cell phone number as well.

So apart for one person who they totally revealed in their screenshots that accompanied the dump, everyone’s safe. Sorry one, shall-remain-nameless dude.

To see my write-up on the much more exciting GCIS hack, check here.

Tagged with: ,
Posted in Security

Leave a Reply