The Password Was 1234

Angola's foreign trade licensing system committed production database credentials to a public git repository. So did the commercial licensing authority and the civil service exam platform. The national identity provider's OAuth2 client secret was in there too.


3 CRITICAL | ANGOLA | NATIONAL IdP EXPOSED | OSINT Investigation

Campaign Statistics

A sweep of Angola's government digital surface -- public git repositories associated with .gov.ao domains -- produced the following results. All data was retrieved from repositories that required no authentication.

  • ~2.2 GB -- Evidence Collected
  • 15 -- Domains Audited
  • 3 -- CRITICAL Findings
  • 4 -- Systems with Live Credentials
  • 18+ -- Credential Sets Exposed
  • 1 -- National IdP OAuth2 Secret
  • 1 -- SendGrid API Key
  • 299 MB -- Trade License Records (CSV)

temp.123...321

Angola's government systems share a password. It appears in the production database configuration of the SRI civil service exam platform, in the API credentials used by the SILAC commercial licensing system to query the national taxpayer registry, and in the SICOEX foreign trade system's API authentication against gov.ao services. The string is temp.123...321 -- a placeholder name that never got replaced, replicated across unrelated ministries by developers copying configuration templates from one project to the next.

That was the first pattern ODINT found. The second was the database password for the SILAC system -- Angola's Integrated Commercial Licensing and Authorization platform, the system that processes permits for businesses operating across the country. It was 1234. Not as a development default. In the production configuration file.

No exploit was used. No credentials were brute-forced. No firewall was bypassed. All four systems were publicly reachable with a standard git clone. Angola's foreign trade infrastructure, commercial licensing authority, civil service exam platform, and national identity provider were, in practice, open to anyone who thought to look.

Why This Matters

Angola is the second-largest oil producer in sub-Saharan Africa and a SADC member state with significant trade flows through its port infrastructure. SICOEX -- the Sistema de Comercio Exterior -- is the digital gateway through which importers and exporters apply for licenses, upload documents, and track approvals. Its production database stores every in-flight and completed trade license application. Its git repository had both the database password and the OAuth2 client secret for id.gov.ao, Angola's national OpenID Connect identity provider.

The client secret for a national identity provider is not a database password. It is the credential that allows a service to authenticate users against the state's identity infrastructure. Whoever holds it can impersonate the SICOEX application in OAuth2 flows -- requesting user tokens, intercepting authentication callbacks, or injecting into sessions for users logging into government services through id.gov.ao.

On a separate track: the SILAC commercial licensing system had an exposed SendGrid API key. SendGrid is the transactional email service Angola's government uses to send license approval notifications, application status updates, and compliance alerts to businesses. An exposed API key is a working credential for sending email from Angola's government licensing authority to any address.

The prelicimp.gov.ao pre-licensing system -- a subsystem of SICOEX that handles import pre-authorization -- had a 299 MB CSV export committed to the repository alongside the credentials. It contains the complete record of pre-license requests submitted to the Angolan government's import authority.

Targets Audited

Foreign Trade and Licensing

hml.sicoex.gov.ao
Angola Ministry of Industry and Commerce -- Sistema de Comercio Exterior (SICOEX) -- Homologacao Environment
Vector: Public git repository -- no authentication required
Size: 186 MB
Status: CRITICAL -- production and homologacao credentials, OAuth2 secret, SMTP, Grafana

prelicimp.gov.ao
Angola Ministry of Industry and Commerce -- Pre-Licensing Import System (PRELICIMP) -- subsystem of SICOEX
Vector: Public git repository -- no authentication required
Size: 490 MB (includes 299 MB data export)
Status: CRITICAL -- production credentials + 299 MB trade license CSV export

hml.silac.gov.ao
Angola Ministry of Industry and Commerce -- Sistema Integrado de Licenciamento e Autorizacoes Comerciais (SILAC) -- Homologacao Environment
Vector: Public git repository -- no authentication required
Size: 3.8 MB
Status: CRITICAL -- database password "1234", SendGrid API key, SIGFE credentials, multiple API keys

Civil Service Examination Platform

internal.sri.at.gov.ao / hml.internal.sri.at.gov.ao / novo.internal.sri.at.gov.ao
Angola Ministry of Public Administration -- Servico de Recrutamento Integrado (SRI) -- Civil Service Exam and Recruitment Platform (production + homologacao + new production)
Vector: Public git repository -- no authentication required
Size: ~57 MB each (three variants)
Status: CRITICAL -- production, training, and development database credentials across 33 microservices

Poverty Reduction Data Systems

form.diagnostico.piap.gov.ao
Angola PIAP (Plano Integrado de Acao para a Pobreza) -- Poverty Reduction Diagnostic Survey Platform
Vector: Public git repository -- no authentication required
Size: 1.3 MB
Status: HIGH -- multiple backup and development files committed; FormIO system architecture exposed

Enumerated / No Content

cipra.gov.ao / doc.gov.ao / governo.gov.ao / hml.fcds.gov.ao / homologacao.doc.gov.ao / infqe.gov.ao / plataformacipra.gov.ao / sinfqe.infqe.gov.ao
Various Angola government authorities and ministries
Vector: Repository directories accessible, no data committed
Status: Enumerated -- empty

Critical Findings

hml.sicoex.gov.ao + prelicimp.gov.ao -- Production credentials and national IdP OAuth2 client secret for Angola's foreign trade licensing system [CRITICAL]
Files: source/Config.php, _scripts/conn.php, _scripts/email.php
System: SICOEX + PRELICIMP (foreign trade licensing)
Framework: PHP / CoffeeCode DataLayer
The source/Config.php file contains database credentials for both the homologacao environment (10.106.0.163:3308, database sicoex) and the production server (172.31.19.17:6539, database sicoexgov_db). The same file contains the OpenID Connect client_id and client_secret for Angola's national identity provider at id.gov.ao -- the OAuth2 token endpoint that government services use to authenticate Angolan citizens. An SMTP credential for the government mail relay at mail.gov.ao (port 465) and a Grafana monitoring dashboard credential are also committed. The PICE payment verification API credential is the string pice used for both username and password. The prelicimp.gov.ao system uses the same production database credential set in _scripts/conn.php, and a separate SMTP password in _scripts/email.php.

    // source/Config.php (SICOEX)
    define('DB_HOST_PROD', '172.31.19.17');
    define('DB_PORT_PROD', '6539');
    define('DB_NAME_PROD', 'sicoexgov_db');
    define('DB_USER_PROD', 'sicoexgov_user');
    define('DB_PASS_PROD', '[REDACTED]');
    define('OPENID_CLIENT_ID', 'py0EpF8tE3KAme2wwDhRE91ww7ga');
    define('OPENID_CLIENT_SECRET', '[REDACTED — Angola national IdP OAuth2 secret]');
    define('OPENID_PROVIDER', 'https://id.gov.ao/oauth2/token');
    define('MAIL_HOST', 'mail.gov.ao');
    define('MAIL_USER', '[email protected]');
    define('MAIL_PASS', '[REDACTED]');
    define('GRAFANA_USER', 'sicoex');
    define('GRAFANA_PASS', '[REDACTED]');

hml.silac.gov.ao -- Database password "1234", SendGrid API key, and Ministry of Finance API credentials for Angola's commercial licensing authority [CRITICAL]
Files: source/Config.php, docker-compose.yml, source/Support/API.php
System: SILAC (commercial licensing and authorization)
Framework: PHP / CoffeeCode DataLayer
SILAC is the platform through which businesses across Angola apply for commercial operating licenses. Its production database password -- set in both source/Config.php and docker-compose.yml -- is 1234. The same file contains a SendGrid API key (prefix SG.vlZ1y0wtTsKX32F8c25q0Q), which provides working access to send transactional email as Angola's licensing authority. The SIGFE integration -- Angola's Ministry of Finance government revenue and fee-payment platform -- uses a Base64-encoded credential committed in plaintext in source/Config.php. A separate credential for the national NIF taxpayer lookup API appears in source/Support/API.php. The Simplifica CMS webhook, through which the government's e-services portal receives license status notifications, has its Basic Auth credentials in the same file.

    // source/Config.php (SILAC)
    define('DB_HOST', '172.18.130.159');
    define('DB_PASS', '1234'); // production database password
    define('SENDGRID_API_KEY', 'SG.vlZ1y0wtTsKX32F8c25q0Q.[REDACTED]');
    define('SIGFE_AUTH_BASIC', '[REDACTED — Base64 MoF API credential]');
    define('SIGFE_ENDPOINT', 'https://sifphml.minfin.gov.ao/sigfe/tributario/...');

    // source/Support/API.php
    define('NIF_API_USER', 'silac');
    define('NIF_API_PASS', '[REDACTED]'); // temp.123...321 pattern
    define('SIMPLIFICA_USER', 'dev.simplifica');
    define('SIMPLIFICA_PASS', '[REDACTED]');

internal.sri.at.gov.ao -- Production database credentials across 33 microservices for Angola's civil service examination and recruitment platform [CRITICAL]
Files: [service]/source/Config.php x33
System: SRI (Servico de Recrutamento Integrado -- civil service exams)
Framework: PHP microservices / CoffeeCode DataLayer
The SRI platform administers civil service examinations for the Angolan government -- the system that processes exam applications, distributes candidate exam sheets, manages answer-key correction, and publishes results for government recruitment across all ministries. Its architecture is 33 independent PHP microservices, each with its own Config.php containing hardcoded database credentials. Three environment configurations appear in each file: training (172.18.110.10:4317, user enapp), production (172.18.130.15:4455, user imadmin), and development (localhost:3306). The production password follows the same temp.123...321 pattern found across SICOEX and SILAC. The full repository was committed three times under three different subdomains -- hml, internal, and novo -- tripling the exposure surface. Angola's complete civil service recruitment technology stack and its internal network topology are fully reconstructable from the committed configuration files.

    // candidate-exam-sheet/source/Config.php (representative)

    // Training environment
    define('DB_HOST', '172.18.110.10:4317');
    define('DB_NAME', 'enapp');
    define('DB_USER', 'enapp');
    define('DB_PASS', '[REDACTED]');

    // Production environment
    define('DB_HOST_PROD', '172.18.130.15:4455');
    define('DB_USER_PROD', 'imadmin');
    define('DB_PASS_PROD', '[REDACTED]'); // temp.123...321 pattern

    // Development
    define('DB_HOST_DEV', 'localhost:3306');
    define('DB_USER_DEV', 'imadmin');
    define('DB_PASS_DEV', '[REDACTED]');

    // Same pattern in: answer-key-correction, candidate-registration,
    // exam-results-publication, recruitment-vacancy, and 28 other services

The temp.123...321 Pattern

The string temp.123...321 appears across three unrelated Angola government systems: the production database password for the SRI civil service exam platform, the NIF taxpayer API credential used by SILAC, and the gov.ao services API credential used by SICOEX. The pattern suggests a shared development team or a configuration template that propagated across ministries without ever being replaced. "Temp" in a password name is usually a signal that someone intended to rotate it and did not. In this case, it reached three production systems serving different branches of the Angolan government.

The 299 MB Data Export

The prelicimp.gov.ao repository contained, alongside the production database credentials, a CSV file named pedido_licenca_2025-11-02_140106.csv (299 MB). The filename indicates an automated export from the pre-licensing import system run on November 2, 2025. The file contains the complete record of pre-license requests submitted to Angola's customs pre-authorization authority. Thirty-one cron job scripts in _cronjobs/ document the scheduled data movement operations. A second export, rei.csv (1.1 MB), contains the full Angola customs tariff schedule.

Internal Network Topology

The Config.php files across the Angola government repositories map three consistent internal network ranges. ODINT is publishing the ranges only -- specific host addresses are in the full technical report.

  • 172.18.x.x range -- Angola government internal network: SRI exam platform training and production servers, SILAC licensing database
  • 172.31.x.x range -- Cloud / VPS infrastructure: SICOEX production database
  • 10.106.x.x range -- Government DMZ or secondary internal range: SICOEX homologacao database, CMS and API services

Raw Data and Downloads

  • Angola -- Full Collection: 15 domains, ~2.2 GB total evidence
  • CREDENTIALS-MASTER.md: Complete technical breakdown with all credential sets, network topology, and remediation steps organized by system
  • SICOEX (hml.sicoex.gov.ao): 186 MB -- foreign trade licensing system source including OAuth2 secrets and production credentials
  • PRELICIMP (prelicimp.gov.ao): 490 MB -- pre-licensing import system including 299 MB trade license CSV export
  • SILAC (hml.silac.gov.ao): 3.8 MB -- commercial licensing authority source including SendGrid API key and MoF SIGFE credentials
  • SRI (internal.sri.at.gov.ao): ~57 MB per variant (three variants committed) -- civil service exam platform with 33 microservice credential sets

What This Means

Angola's exposure is a consequence of one pattern repeated at scale: Config.php files with hardcoded credentials, committed to repositories that were publicly accessible. The same CoffeeCode DataLayer PHP stack appears across SICOEX, SILAC, and the SRI platform -- a shared technical foundation that propagated the same credential-in-config pattern into multiple ministries.

  • The OAuth2 client secret for id.gov.ao is a systemic risk. Any service using id.gov.ao for authentication could be affected if the exposed client_secret was reused or if the identity provider does not enforce per-client secret isolation at the token endpoint.
  • The SendGrid API key enables email impersonation of Angola's commercial licensing authority. License approval notifications and compliance alerts to businesses are legally significant communications. A valid API key is a working credential to send those communications from the same sender identity.
  • The SIGFE Ministry of Finance API credential connects to Angola's government revenue collection pipeline. SIGFE handles government fee payment references. The exposed credential authenticates a service against that pipeline.
  • The temp.123...321 pattern across three systems indicates a credential management failure at the infrastructure level. Rotating the password in one system without auditing the others leaves the remaining systems open.

Immediate remediation steps:

  • For SICOEX and PRELICIMP -- rotate the production database password for sicoexgov_db; revoke and regenerate the OpenID Connect client secret through id.gov.ao; rotate the SMTP credential for [email protected]; run git-filter-repo to purge Config.php files from commit history.
  • For SILAC -- rotate the database password from 1234; revoke the SendGrid API key immediately; rotate the SIGFE Basic Auth credential; rotate the Simplifica webhook credentials.
  • For SRI -- rotate imadmin on both training and production servers; audit all 33 microservices for the temp.123...321 pattern; run git-filter-repo across all three committed variants.
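
An audit of the kind the remediation steps and the temp.123...321 section call for, as an added example that is not part of the original report or ODINT's tooling: it parses define() constants from Config.php-style files, flags literal credentials and weak values, and reports values reused across services by keyed fingerprint instead of echoing them. The constant-name heuristics, the weak-value patterns and the sample files are assumptions constructed for this example.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

# Matches PHP constants written as define('NAME', 'literal'); escaped quotes are not handled.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
# Constant names that usually hold a credential (assumed naming convention).
SECRET_NAME_RE = re.compile(r"PASS|SECRET|API_KEY|TOKEN|AUTH", re.I)
# Values that look like placeholders or short digit strings (assumed heuristics).
WEAK_RE = re.compile(r"^\d{1,8}$|^(temp|test|admin|changeme|password)", re.I)
# Per-run key: fingerprints correlate within one report but cannot be
# brute-forced offline the way a bare hash of a short password could.
RUN_KEY = secrets.token_bytes(32)

def fingerprint(value):
    return hmac.new(RUN_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]

def scan(configs):
    """Return one finding per hardcoded credential in {path: php_source}."""
    findings = []
    for path, source in configs.items():
        for name, value in DEFINE_RE.findall(source):
            if value and SECRET_NAME_RE.search(name):
                findings.append({"path": path, "name": name,
                                 "fp": fingerprint(value),
                                 "weak": bool(WEAK_RE.search(value))})
    return findings

def reused(findings):
    """Map fingerprint -> sorted paths for values present in more than one file."""
    by_fp = defaultdict(set)
    for f in findings:
        by_fp[f["fp"]].add(f["path"])
    return {fp: sorted(paths) for fp, paths in by_fp.items() if len(paths) > 1}

# Constructed sample input; every value below is invented for this example.
SAMPLE = {
    "svc-a/source/Config.php": "define('DB_USER', 'app');\ndefine('DB_PASS', 'temp.example.1');",
    "svc-b/source/Config.php": "define('DB_PASS', '1234');\ndefine('API_PASS', 'temp.example.1');",
    "svc-c/source/Config.php": "define('DB_PASS', getenv('DB_PASS'));",  # read from environment, not flagged
}

if __name__ == "__main__":
    found = scan(SAMPLE)
    print(found, reused(found), sep="\n")
```

Rotating a value in one service while reused() still lists other paths for the same fingerprint leaves those services on the old credential.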

OSINT Disclaimer

This report is based entirely on open-source intelligence (OSINT). No classified information was accessed. No confidential sources were used. No systems were breached. No authentication mechanisms were bypassed. All source code and configuration files referenced in this investigation were publicly served from git repositories without access controls at the time of collection (2026).

The repositories at hml.sicoex.gov.ao, hml.silac.gov.ao, prelicimp.gov.ao, internal.sri.at.gov.ao, hml.internal.sri.at.gov.ao, and novo.internal.sri.at.gov.ao cloned without authentication and returned working-tree content including configuration files with plaintext credentials.

ODINT has notified Angola's CERT and the Ministry of Industry and Commerce concurrent with this publication, in line with our coordinated disclosure policy.

Compiled 2026-06-15 -- Classification: OSINT -- Open Source
Observatory for Digital Infrastructure and Network Transparency (ODINT)
