Two concurrent OSINT operations against Mexican government, academic, media, and state-level infrastructure discovered a publicly accessible federal API endpoint serving 64 GB of data from 177 agencies without any authentication, including an estimated 186 million+ records with 520,000+ critical PII entries. A parallel .git exposure campaign recovered 17 live credential sets across 6 targets, exposed 37+ developer identities, and recovered nearly 1 GB of production source code from a major public university including student PII databases and payroll data. Additionally, 4,968 Gravatar email hashes were collected from 73 Mexican WordPress websites.
| Operation | Target | Method | Result |
|---|---|---|---|
| Crystal Vault | repodatos.atdt.gob.mx | Unauthenticated API enumeration + full mirror | 64 GB, 177 agencies, 186M+ records, 520K+ PII. STILL LIVE. |
| Git Exposure | 6 Mexican domains | Exposed .git/ directory recovery | 17 credential sets, 37+ developer IDs, 960 MB source code |
| Hash Sweep | 73 WordPress sites | WordPress REST API user enumeration | 4,968 Gravatar hashes (1,479 MD5, 3,489 SHA256) |
| Huntr Scan | Mexican domains | Automated vulnerability scanning | Credential paths, API exposure, tech stack fingerprinting |
| Target | Type | Vector | Credentials | Data |
|---|---|---|---|---|
| repodatos.atdt.gob.mx | Federal API | No auth required | N/A | 64 GB, 177 agencies |
| uaem.mx | University | .git exposure | 2 (MySQL + SMTP) | 960 MB, 11,605 files |
| ieeq.mx | State Electoral | .git exposure | 4 (PgSQL + 2 MySQL) | Git metadata + creds |
| ss.puebla.gob.mx | State Health | .git exposure | 1 (MySQL) + Joomla secret | WordPress/Joomla config |
| elsiglodetorreon.com.mx | Newspaper | .git exposure | 8 (MySQL) + SMTP + tokens | Full application source |
| fiscalia.durango.gob.mx | State Prosecutor | .git exposure | 0 (wp-config gitignored) | Git metadata, internal IP |
| mvs.com | Media Corp | .git exposure | 0 | 13 files, corporate map |
17 credential sets, 4 application tokens, and 1 Joomla secret were recovered from exposed .git/ directories on production web servers. All credentials were found in committed source code files (PHP config, .env, application settings). Three external IPs with connectable database services were identified.
| Host | www.uaem.mx:3306 |
| User | facdisenousr |
| Pass | LXN*j@9nmVmN |
| Database | consfacdiseno |
| Source | html/constancias-diseno/db/ConexionMySQL.php |
| Exposes | Student PII: names, emails, student IDs, grades, majors |
| Host | smtp.gmail.com:465 |
| User #1 | [email protected] |
| Pass #1 | Cons_facDisenio9102 |
| User #2 | [email protected] |
| Pass #2 | Ventanill4FCQ31 |
| Note | Google Workspace SMTP — likely grants full inbox access |
| PgSQL (prod) | postgres : Eqaeccasm1500V+- @ 127.0.0.1 / ieeq_site, ieeq_site_admin |
| PgSQL (dev) | postgres : root @ localhost / db_Sergio, db_Web, db_Pagina |
| MySQL (Azure) | web : fb&BN3cse8j_MH5v @ 104.45.237.221 / ieeq_ieeqmx9453639538 |
| MySQL (Comms) | CCS : C0munic4ci0n.S0ci4l @ 187.191.76.50 / ieeq |
| MySQL | dst_ss : m%e7A_fAMpt9dVbZ @ localhost / dst_ss (prefix: q4gqt_) |
| Joomla Secret | xSGvpdh2s4Oo1c4F |
| Mail From | [email protected] |
| MySQL (rw) | centenariorw : wwZtK7@c1en1 @ localhost / siglo90, durango |
| MySQL (s22) | eT9Server3 : vwDvhNXckAntcWjB6E @ s22 / siglo90 |
| MySQL (s1) | eT9Server3 : vwDvhNXckAntcWjB6E @ s1 / Tienda |
| MySQL (IBM) | centenario : wwZgtK7@c1en @ 52.117.172.166 / siglo90 |
| MySQL (boa) | centenarioboa : vchtBfOfVaYhyBe@100 @ localhost / siglo90 |
| MySQL (club) | centenario : wwZgtK7@c1en @ localhost / siglo90 |
| MySQL (autos) | autos : f0$f0r0Qui3roCaf3 @ 127.0.0.1 / autos |
| MySQL (archive) | archive : camaraf0f0r0@ @ localhost / archive |
| SMTP | [email protected] : mel588mo @ correo.elsiglo.mx:587 |
| TOKEN_PASSWORD | k@VDKgrKRI!z5YVZ76PJpjwB4#rEs0FswcYaGOGmS2HhT8@ce! |
| TOKEN_TARJETA | 3ls1glo100|2021-12-07 |
| TOKEN_PASS | enb5SWeXtgQmFjdr9wBecnFVjx4QrwMq3zFKPYhvFZ6QXJR7HM... |
| AdSense | ca-pub-5687735147948295 / slot 9692393977 |
| IP | Port | Service | Target |
|---|---|---|---|
| 104.45.237.221 | 3306 | MySQL (Azure) | ieeq.mx |
| 187.191.76.50 | 3306 | MySQL (Comunicacion Social) | ieeq.mx |
| 52.117.172.166 | 3306 | MySQL (IBM Cloud) | elsiglodetorreon.com.mx |
| Target | File | Likely Contents |
|---|---|---|
| uaem.mx | html/cedulas/.env | Laravel app key, DB credentials for professional license system |
| uaem.mx | titulos-uaem/.env | Secrets for degree generation system (app name "Titulos UAEM" leaked) |
| uaem.mx | .bash_history | CLI command history — possible passwords, SSH commands |
| uaem.mx | .ssh/id_rsa | SSH private keys |
| fiscalia.durango.gob.mx | wp-config.php | WordPress DB credentials, auth keys/salts for 24 state agencies |
The 17 recovered credential sets span a state electoral institute (election infrastructure), a state health department, a major university with student PII, and a large newspaper. The IEEQ credentials include Azure-hosted and external MySQL databases with live public IPs — these represent immediate remote access vectors. The UAEM MySQL credentials expose student PII (names, emails, IDs, grades) and the Google Workspace SMTP credentials likely grant full inbox access to automated university email accounts. All credentials were found in committed source code, indicating systemic failure to use environment variables or secrets management across Mexican institutions.
| Severity | CRITICAL — Largest single government data exposure identified |
| Endpoint | https://repodatos.atdt.gob.mx/api_update/ (177 agencies) + /all_data/ (38 agencies) + /s_*/ (11 directories) |
| Authentication | NONE REQUIRED — full directory listing enabled, returns JSON |
| Rate Limiting | NONE |
| Access Logging | NONE APPARENT |
| Total Data Mirrored | 64 GB (50.12 GB enumerated + s_* mirrors) |
| Files | 1,084+ CSV files across all endpoints |
| Estimated Records | 186,000,000+ |
| Status | STILL LIVE as of 2026-02-25. Actively maintained with new data. |
| Infrastructure | Akamai CDN, Let's Encrypt SSL |
| Dataset | Records | Size | PII Fields | Risk |
|---|---|---|---|---|
| Birth Records (SINAC) | ~60,000,000 | 12.3 GB | Full birth registry data | CRITICAL |
| Death Records | ~25,000,000 | 6.1 GB | Full death registry data | CRITICAL |
| Education Centers | ~6,000,000 | 1.7 GB | CURP, RFC, names, phone numbers | CRITICAL |
| SAT Taxpayers | 464,153 | 69 MB | RFC (Tax ID) + full names + addresses + phone + email | CRITICAL |
| HIV/AIDS Treatment | ~100,000 | 22 MB | Persons on antiretroviral treatment | CRITICAL |
| Crime Incidence (SESNSP) | ~2,000,000 | 424 MB | Crime data by municipality | HIGH |
| Crime Victims (CEAV/REFEVI) | ~50,000+ | — | Federal victims registry | HIGH |
| Migration (Irregular) | ~700,000 | 175 MB | Irregular migration events | HIGH |
| Migration Tramites | ~1,300,000 | 257 MB | Migration processing records | HIGH |
| Procurement (COMPRANET) | ~4,500,000 | 907 MB | Vendor names, contract values (~$130B USD) | HIGH |
| Sanctioned Officials (SFP) | 809 | — | Full names, agency, sanction details | HIGH |
| Notary Registry (INDAABIN) | 1,396 | — | Full names, complete addresses | HIGH |
| Health Sub-datasets | Millions | ~16 GB | Chronic diseases, family planning, nutrition, vaccines | HIGH |
| Gas Prices | ~85,000,000 | 1.3 GB | Price data by station | LOW |
| Population Projections (CONAPO) | — | 202 MB | Demographic projections, marginalization indices | LOW |
| Poverty Data (CONEVAL) | — | 48 MB | Poverty and social lag metrics | LOW |
| File | Size | Records | Content |
|---|---|---|---|
| SAT_1_Donatarias_Aut.csv | 27 MB | 10,798 | Charities — RFC + name + phone + email + address + legal rep |
| SAT_3_Sentencias.csv | 45 KB | 311 | Tax convictions — individuals with RFC |
| SAT_4_Nolocalizados.csv | 4.3 MB | 39,453 | Non-located taxpayers — RFC + names |
| SAT_5_Firmes.csv | 18 MB | 177,807 | Final tax debts — individuals with RFC + full names |
| SAT_7_Cancelados.csv | 19 MB | 120,276 | Cancelled tax status — RFC + names |
This is not a misconfigured development endpoint — it is the production data distribution system for the Mexican federal government's transparency program (ATDT — Agencia de Transformacion Digital y Telecomunicaciones), intentionally serving data without authentication. The critical failure is not the API itself but the absence of PII redaction: birth records (60M), death records (25M), education records with CURP/RFC (6M), HIV treatment records (100K), and crime victim registries should never be served without access controls regardless of transparency mandates. The 64 GB mirror represents approximately 186 million records spanning virtually every aspect of Mexican federal governance.
| Target | uaem.mx — Universidad Autonoma del Estado de Morelos |
| Files Recovered | 11,605 of 15,177 tracked files (76%) |
| Data Size | ~960 MB |
| Credentials | 2 live (MySQL production DB + SMTP Google Workspace) |
| Developer | Rafael Fragoso ([email protected]) — GitHub: norgoth / alias GGakko |
| GitHub Repo | norgoth/uaem2023 |
Recovered material includes: student PII database (SOLICITUD_CONSTANCIAS table: full names, emails, student IDs, grades, majors), payroll data (>$60M MXN per biweekly period, 2019), staff directories (personal.xlsx, personal-2018.xlsx), IT phone directory (ClavesTelefonicasDGTIC.xlsx), payment processing system (html/pagos/), electronic voting system (html/votoelectronico/), professional license system (html/cedulas/ — Laravel, .env not recovered), degree generation system (titulos-uaem/), DB test endpoint (TestConexion.php — publicly accessible), full Apache config with routing rules.
| Staff Type | Peak Amount (MXN) |
|---|---|
| Faculty | $32,800,000 |
| Trust/Management | $18,000,000 |
| Unionized Base | $8,200,000 |
| Unionized Eventual | $1,500,000 |
| Retirees/Pensioners | $900,000 |
| TOTAL PER PERIOD | >$60,000,000 |
| Target | fiscalia.durango.gob.mx — Durango State Prosecutor's Office |
| Data Recovered | Git metadata only (669 KB) — repo contents gitignored |
| Developer | Alejandro Paredes (Gitea: Alejandro.paredes, GitLab: devgob) |
| Internal Git Server | 10.1.4.194:8085 — Gitea/Gogs instance |
| Server Hostname | webdurangonuevo.(none) — no FQDN configured |
| Server User | root — deployed as root, no service account |
Critical finding: Single WordPress install serving 24 state government agency websites (Fiscalia, DIF, Educacion, Salud, Seguridad Publica, Proteccion Civil, SIPINNA child welfare, and 17 more). Running RevSlider plugin with CVE-2022-0441 (CVSS 9.8 auth bypass) and CVE-2014-9734 (file inclusion). No security plugins installed (no Wordfence, Sucuri, iThemes, 2FA, or backup plugins). wp-config.php confirmed to exist but gitignored — contains unrecovered DB credentials. XML-RPC enabled. Government accounting data exposed: lgcg.php (164 KB), ifiscal.php (96 KB).
| Target | mvs.com — Grupo MVS (major Mexican media conglomerate) |
| Files Recovered | 13 files (13 MB, 100%) |
| Repo | grupo_mvs_v2_landing on Bitbucket workspace mvsradio |
| Personnel | Alfredo Gonzalez ([email protected]) — internal DevOps. Noe/Alan Olvera ([email protected]) — freelance dev. |
| Deployment | Direct git pull to production web root — no CI/CD |
Corporate structure fully mapped: MVS Capital, MVS TV, MVS Radio, MVS Educacion, MVS Entretenimiento, MVS Ideas. Restaurant brands: 13 CMR restaurants including Wings, Chili's MX, Red Lobster MX, Olive Garden MX, Sushi Itto. Telecom brands: Dish Mexico, Netbox, FreedomPop MX, Octopus MX, On Internet. Foundations: Fundacion Dish, Fundacion CMR, Fundacion MVS Radio.
| Platform | Account | Repository | Target Domain |
|---|---|---|---|
| GitHub | norgoth | uaem2023 | uaem.mx |
| GitLab | dianguemoli | ieeq | ieeq.mx |
| Internal (Gitea) | Alejandro.paredes | mw-red-de-sitios | fiscalia.durango.gob.mx (10.1.4.194:8085) |
| Internal | dds | secretaria-de-salud | ss.puebla.gob.mx (git.develop.dst) |
| GitHub | es-trc | centenario | elsiglodetorreon.com.mx |
| GitHub | MrBoa-s-Company | api-app-tor | api.elsiglodetorreon.com.mx |
| Bitbucket | mvsradio | grupo_mvs_v2_landing | mvs.com |
| Name | Email | Organization | Platform / Role |
|---|---|---|---|
| Rafael Fragoso | [email protected] | UAEM University | GitHub: norgoth/GGakko — sole developer/admin, root access |
| Amy Malavar | [email protected] | UAEM | Git contributor |
| Carlos Clemente | [email protected] | UAEM | Git contributor |
| Jelsy Uribe | [email protected] | UAEM | Git contributor |
| Victor Gonzalez | [email protected] | UAEM | Git contributor |
| Ricardo Morales | [email protected] | UAEM | Git contributor |
| Alan Martinez | [email protected] | UAEM | Git contributor (Fragoso alt?) |
| Diana Guerra | [email protected] | IEEQ Electoral | GitLab: dianguemoli07 |
| Melchor Leal | [email protected] | IEEQ Electoral | Git contributor |
| Jorge Lara Mendoza | [email protected] | IEEQ Electoral | Git contributor |
| Sergio I. Gutierrez Q. | [email protected] | IEEQ Electoral | Git contributor |
| Rene Limon | [email protected] | Puebla State Health | Git contributor |
| Alejandro Paredes | — | Durango State Gov | Gitea: Alejandro.paredes / GitLab: devgob — root access |
| Alfredo Gonzalez | [email protected] | Grupo MVS | Bitbucket: agonzalez_ — internal DevOps |
| Noe/Alan Olvera | [email protected] | MVS Contractor | Frontend developer |
| Eugenio Ramirez Casanova | [email protected] | El Siglo de Torreon | GitHub: MrBoa — lead developer |
| + 21 additional developers identified across all targets (see full credentials file) | | | |
| Host | Port | Service | Status | Credentials |
|---|---|---|---|---|
| repodatos.atdt.gob.mx | 443 | Federal data API — 177 agencies | LIVE, NO AUTH | N/A |
| www.uaem.mx | 3306 | MySQL (production) | LIVE | RECOVERED |
| smtp.gmail.com | 465 | Google Workspace SMTP (x2 accounts) | LIVE | RECOVERED |
| 104.45.237.221 | 3306 | MySQL Azure (IEEQ electoral) | LIVE | RECOVERED |
| 187.191.76.50 | 3306 | MySQL (IEEQ comms) | LIVE | RECOVERED |
| 52.117.172.166 | 3306 | MySQL IBM Cloud (El Siglo) | LIVE | RECOVERED |
| www.uaem.mx | 443 | TestConexion.php — DB test page | PUBLIC | Dumps connection object |
| fiscalia.durango.gob.mx | 443 | WordPress (24 state agencies) | LIVE | Unrecovered |
| fiscalia.durango.gob.mx | 443 | xmlrpc.php — XML-RPC | ENABLED | Brute-force vector |
| Target | Software | CVE | CVSS | Impact |
|---|---|---|---|---|
| fiscalia.durango.gob.mx | RevSlider (WordPress) | CVE-2022-0441 | 9.8 | Authentication bypass — full admin access |
| fiscalia.durango.gob.mx | RevSlider (WordPress) | CVE-2014-9734 | — | Arbitrary file inclusion |
This assessment reveals systemic security failures across Mexican government digital infrastructure at federal, state, and institutional levels. The findings span from the country's entire federal data distribution system (zero authentication on 177 agencies) to individual developer workstations deploying as root with credentials in source code. The scale of PII exposure — 186 million+ records including 60 million birth records, 25 million death records, and HIV treatment data — represents one of the largest government data exposures documented through OSINT methodology.
The repodatos.atdt.gob.mx API is not a misconfiguration — it is the deliberate architecture of Mexico's transparency data infrastructure. The ATDT (Agencia de Transformacion Digital y Telecomunicaciones) serves data for 177 federal agencies via unauthenticated REST endpoints with directory listing. The failure is in data classification: datasets containing PII (birth/death records with personal identifiers, taxpayer records with RFC, crime victim registries, HIV treatment records) are served alongside legitimately public datasets (gas prices, population projections) with no distinction. Any actor with a curl command can mirror the entire 64 GB dataset. This has been actively maintained through February 2026 with new data being pushed.
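The classification gap described above can be closed with a pre-publication gate on the publisher's side. The following is an added example, not code from the report or from ATDT: it samples each CSV column and holds the file for review when a column is dominated by CURP, RFC, email, or phone values. The function names, the 0.5 threshold, and the sample rows are assumptions constructed for illustration; the patterns check format only.

```python
import csv
import io
import re

# Structural patterns only (no check-digit validation).
DETECTORS = {
    "CURP": re.compile(r"^[A-Z]{4}\d{6}[HMX][A-Z]{2}[B-DF-HJ-NP-TV-Z]{3}[A-Z0-9]\d$"),
    "RFC": re.compile(r"^[A-ZÑ&]{3,4}\d{6}[A-Z0-9]{3}$"),
    "EMAIL": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "PHONE": re.compile(r"^(?:\+?52)?\d{10}$"),
}

# Constructed sample data: not taken from any real dataset.
SAMPLE_TAXPAYERS = """rfc,nombre,correo,telefono
XAXX010101000,PERSONA EJEMPLO UNO,uno@example.com,5512345678
ABC010203AB1,EMPRESA EJEMPLO SA,contacto@example.org,+52 55 1234 5678
"""
SAMPLE_PRICES = """station_id,fecha,precio
10023,2026-02-01,23.45
10024,2026-02-01,23.10
"""


def classify_columns(csv_text, threshold=0.5, sample_rows=1000):
    """Return {column: label} for columns where at least `threshold` of the
    sampled non-empty values match one PII detector."""
    hits, totals = {}, {}
    for i, row in enumerate(csv.DictReader(io.StringIO(csv_text))):
        if i >= sample_rows:
            break
        for col, raw in row.items():
            if col is None or not isinstance(raw, str) or not raw.strip():
                continue  # skip overflow fields and empty cells
            totals[col] = totals.get(col, 0) + 1
            # Normalise separators so "+52 55 1234 5678" and "55-1234-5678" compare equal.
            norm = re.sub(r"[\s\-()]", "", raw).upper()
            for label, rx in DETECTORS.items():
                if rx.match(norm):
                    counts = hits.setdefault(col, {})
                    counts[label] = counts.get(label, 0) + 1
                    break
    flagged = {}
    for col, counts in hits.items():
        label, n = max(counts.items(), key=lambda kv: kv[1])
        if n / totals[col] >= threshold:
            flagged[col] = label
    return flagged


def publication_decision(csv_text):
    """Gate used before a file is copied to an open, unauthenticated endpoint."""
    flagged = classify_columns(csv_text)
    return ("HOLD_FOR_REVIEW", flagged) if flagged else ("PUBLISH", {})


if __name__ == "__main__":
    print(publication_decision(SAMPLE_TAXPAYERS))
    print(publication_decision(SAMPLE_PRICES))
```

A gate like this catches identifier columns but not free-text names or sensitive categories such as treatment status, which still need a per-dataset classification decision.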
Six distinct Mexican organizations were found with exposed .git/ directories on production servers, yielding 17 credential sets from committed source code. This is not coincidence — it reflects a systemic pattern: Mexican government and institutional developers deploy via git pull directly to production web roots without CI/CD pipelines, without .htaccess rules blocking .git access, and without secrets management. The practice spans universities (UAEM), state electoral bodies (IEEQ), state health departments (Puebla), state prosecutors (Durango), newspapers (El Siglo de Torreon), and major media corporations (Grupo MVS). Every target was a single developer or very small team, deploying as root, with no code review process.
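The deployment pattern described above (git pull into the web root, secrets committed to source) can be caught by a check run on the server or in a deploy step. This is an added example, not code from the report or from any of the named organizations: it walks a local document root and reports version-control metadata, sensitive dotfiles, and hard-coded secret literals. The file list, the regex, and the demo tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

SENSITIVE_NAMES = {".env", ".bash_history", "id_rsa"}
SCAN_EXTS = {".php", ".ini", ".yml", ".yaml", ".json"}
# A quoted literal assigned to a name containing pass/pwd/secret/token.
HARDCODED = re.compile(
    r"""(?i)[\w$]*(?:pass(?:word|wd)?|pwd|secret|token)\w*\s*(?:=>|=|:)\s*['"][^'"\s]{4,}['"]"""
)


def audit_docroot(root):
    """Return sorted (finding, relative_path) pairs for a local web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)

        def rel(name):
            return os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")

        if ".git" in dirnames:
            findings.append(("vcs_metadata", rel(".git")))
            dirnames.remove(".git")  # do not descend into the object store
        for name in filenames:
            if name == ".git":  # worktree/submodule pointer file
                findings.append(("vcs_metadata", rel(name)))
            elif name in SENSITIVE_NAMES:
                findings.append(("sensitive_file", rel(name)))
            elif os.path.splitext(name)[1].lower() in SCAN_EXTS:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if any(HARDCODED.search(line) for line in fh):
                        findings.append(("hardcoded_secret", rel(name)))
    return sorted(findings)


def build_demo_tree(root):
    """Create a small constructed web root showing the pattern (placeholder values only)."""
    files = {
        ".git/HEAD": "ref: refs/heads/main\n",
        ".git/config": "[core]\n",
        "html/app/.env": "DB_PASSWORD=EXAMPLE-ONLY\n",
        "html/app/db/Conexion.php": '<?php\n$password = "EXAMPLE-ONLY-not-real";\n',
        "html/app/db/ConexionEnv.php": '<?php\n$password = getenv("DB_PASSWORD");\n',
        "html/index.php": "<?php echo 'ok';\n",
    }
    for rel_path, body in files.items():
        path = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return audit_docroot(tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Any finding should fail the deploy; the file that reads its password through `getenv` is not reported, which is the behaviour the secrets-management fix is meant to produce.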
The IEEQ (Instituto Electoral del Estado de Queretaro) credentials include production PostgreSQL databases (ieeq_site, ieeq_site_admin) and an Azure-hosted MySQL database at 104.45.237.221 with a public IP and recovered credentials. An additional MySQL instance at 187.191.76.50 serves the "Comunicacion Social" department. Electoral infrastructure exposure carries disproportionate national security risk — even without active exploitation, the existence of recoverable credentials to election databases undermines institutional trust.
The Durango state prosecutor's website (fiscalia.durango.gob.mx) serves 24 state government agencies from a single WordPress installation running RevSlider with a CVSS 9.8 authentication bypass (CVE-2022-0441). The server is deployed as root with no FQDN configured. No security plugins are installed. A single exploit would compromise: the state prosecutor's office, child welfare (SIPINNA), public health, education, public security, civil protection, environmental agency, transportation, tourism, and 15 additional agencies. The wp-config.php file containing database credentials exists on the server but was gitignored — direct access via the web server may still be possible.
The federal API serves approximately 16 GB of health sub-datasets including: birth records (~60M), death records (~25M), chronic disease registries, family planning data, maternal health consultations, child nutrition data, vaccination records, and critically — HIV/AIDS antiretroviral treatment records (~100K records). These datasets are served from repodatos.atdt.gob.mx/s_salud/ and /all_data/secretaria_salud/ without any authentication. HIV treatment records are among the most sensitive categories of personal health data globally.
Mexico's digital government infrastructure exhibits a pattern of "transparency by default" where access controls are treated as optional rather than essential. The combination of an unauthenticated 64 GB federal API, epidemic .git exposure, and single-developer deployment practices creates an attack surface that is trivially exploitable at every level. The most immediate risks are: (1) the 3 externally-connectable MySQL databases with recovered credentials (IEEQ Azure, IEEQ Comms, El Siglo IBM Cloud), (2) the RevSlider CVE-2022-0441 on the Durango prosecutor's 24-agency WordPress, and (3) the ongoing PII exposure of 186M+ records via the federal API. The 4,968 Gravatar hashes collected from 73 WordPress sites provide additional email correlation capability across Mexican media, government, and NGO sectors.
104.45.237.221 (IEEQ Azure), 187.191.76.50 (IEEQ Comms), 52.117.172.166 (El Siglo IBM Cloud). Test with recovered credentials. If connectable, document database schemas and record counts without modifying data. These represent the highest-priority immediate access vectors.html/cedulas/.env (professional license system), titulos-uaem/.env (degree generation), .bash_history, .ssh/id_rsa. These files are confirmed to exist on the server from git tracking metadata. Direct URL access or alternate path traversal may succeed.wp-config.php, and potentially the internal Gitea server at 10.1.4.194:8085. Secondary vector: XML-RPC brute force against xmlrpc.php.repodatos.atdt.gob.mx. The API is actively maintained with new data pushed regularly. Set up differential monitoring to capture newly added datasets and agencies. Priority monitoring targets: /all_data/secretaria_salud/ (health data updates), /api_update/inm/ (immigration data), /SESNSP/ (crime data).sinembargo.mx (791 hashes), forbes.com.mx (734), contralinea.com.mx (341 — investigative journalism), government sites cenart.gob.mx (6), quintanaroo.gob.mx (3), campeche.gob.mx (1), michoacan.gob.mx (2). Recovered emails enable cross-platform correlation.*.gob.mx), municipal websites, state-level health departments, state electoral institutes beyond Queretaro, and state prosecutor offices beyond Durango.html/pagos/), electronic voting (html/votoelectronico/), professional licenses (html/cedulas/), degree generation (titulos-uaem/). Map all internal API endpoints, database schemas, and authentication flows.[email protected]) regarding federal API PII exposure; INAI (National Transparency Institute) regarding data classification failures; UAEM IT ([email protected]) regarding .git and credential exposure; IEEQ regarding electoral database exposure; Durango State IT regarding Fiscalia WordPress compromise chain. 
Document timeline and allow 90 days for remediation before any public disclosure.

repodatos.atdt.gob.mx — ATDT (Agencia de Transformacion Digital y Telecomunicaciones) federal data API

/wp-json/wp/v2/users) — Gravatar hash collection from 73 Mexican websites