Ecuador Government — Raw User Enumeration Dump
Summary
Method: WordPress REST API
Summary: 28 Government Employee Accounts Exposed Across 8 Domains
| Domain | Sector | Users Exposed | "Oraculo" Present |
|---|---|---|---|
| ecu911.gob.ec | Emergency Services | 2 | YES (ID 1) |
| arcotel.gob.ec | Telecom Regulator | 4 | YES (ID 1) |
| aduana.gob.ec | Customs | 8 | YES (ID 1) |
| seps.gob.ec | Financial Regulator | 3 | NO |
| issfa.mil.ec | Military Social Security | 4 | NO |
| comunicacion.gob.ec | Gov Communications | 3 | NO |
| bomberos.gob.ec | Fire Service | 1 | NO |
| iess.gob.ec | Social Security | BLOCKED (403) | — |
ECU 911 — Emergency Services (ecu911.gob.ec)
| ID | Username/Slug | Display Name | Gravatar Hash | Author URL |
|---|---|---|---|---|
| 1 | oraculo |
SIS ECU911 | f8d7367bd4a440196e31cdc8844d341e2a24da7529ebd11c97a2dbf3ecbb1b33 |
/author/oraculo/ |
| 2 | tecnologiaecu911 |
Jorge Mondoza | 42682e8a63890483a70571642c8a6fca85b5393014ea581f09866c1ec57ab18c |
/author/tecnologiaecu911/ |
Exchange Server: webmail.ecu911.gob.ec — Exchange 2013 (build 15.0.1497, EOL April 2023)
WP-Statistics API: Exposed at /wp-statistics/v2 — hit tracking, online user monitoring
ARCOTEL — Telecom Regulator (arcotel.gob.ec)
| ID | Username/Slug | Display Name | Gravatar Hash | Author URL |
|---|---|---|---|---|
| 1 | oraculo |
oraculo | 751e90e92108044bd3daae8774753201 |
/author/oraculo/ |
| 6 | comunicacion-arcotel |
Comunicación Arcotel | 21fa1a324d3cfce0f5dba70b23a8ce4e |
/author/comunicacion-arcotel/ |
| 10 | comunicacionredes |
ana torres | 21fa1a324d3cfce0f5dba70b23a8ce4e |
/author/comunicacionredes/ |
| 13 | decs-davidarrollo-2021 |
Sofy Zurita | ab8e098142f00f85e182837be5c2c759 |
/author/decs-davidarrollo-2021/ |
Internal IP leaked: 172.20.1.172 Zero security headers Note: comunicacion-arcotel and comunicacionredes share same gravatar hash — same email address
ADUANA — Customs (aduana.gob.ec)
| ID | Username/Slug | Display Name | Gravatar Hash | Author URL |
|---|---|---|---|---|
| 1 | oraculo |
oraculo | (gravatar) | /author/oraculo/ |
| 2 | cargonza |
Carlos Gonzalez | (gravatar) | /author/cargonza/ |
| 3 | jcortez |
Jackson Cortez | (gravatar) | /author/jcortez/ |
| 4 | dizamora |
Didimo Zamora | (gravatar) | /author/dizamora/ |
| 5 | gicordo |
Giovanny Cordova | (gravatar) | /author/gicordo/ |
| 6 | garellano |
Galo Arellano | (gravatar) | /author/garellano/ |
| 8 | mquiroga |
Miguel Quiroga | (gravatar) | /author/mquiroga/ |
| 23 | rasanchez |
Ronald Sanchez | (gravatar) | /author/rasanchez/ |
8 customs employees with full names exposed — username pattern is first-initial + last-name abbreviation (easy to predict for other employees)
SEPS — Financial Regulator (seps.gob.ec)
| ID | Username/Slug | Display Name | Gravatar Hash | Author URL |
|---|---|---|---|---|
| 1 | admins3ps2021 |
Alejandro | 189aa690dab1958e913f0e0c76c09922b44e61fe7d142477b28a659d44b7ffde |
/author/admins3ps2021/ |
| 3 | inhuman_ec |
Roque Proaño | d3ee08689c090114dd5ac0b752215e61caa20a6ebe350b20a7f1642712205c46 |
/author/inhuman_ec/ |
| 5 | simbiontec |
Alejandro Lozano | 5728838db31fa878d23fcf7be73301499e52e1d0bff435819ffeaf1b2dc594fe |
/author/simbiontec/ |
admins3ps2021 — year in admin username suggests predictable credential pattern simbiontec — Ecuadorian web development agency (external contractor on financial regulator) inhuman_ec — likely another contractor
ISSFA — Military Social Security (issfa.mil.ec)
| ID | Username/Slug | Display Name | Gravatar Hash | Author URL |
|---|---|---|---|---|
| 1 | webmasterft |
webmasterft | c3a3aae51d79865f4d40b7189d73ab4d |
/author/webmasterft/ |
| 2 | gestion |
Gestion Publicidad | 5def94b89fb282ad3cc21cf02c8531f9 |
/author/gestion/ |
| 5 | issfa-editor-1-anita |
Anita Villarruel | a7c6d682fd3fca924ba1720a42fed14a |
/author/issfa-editor-1-anita/ |
| 6 | issfa-editor-2-sebastian |
Sebastian Cardenas | b1b1256a936e2a8328c9b80eb83faed3 |
/author/issfa-editor-2-sebastian/ |
WordPress 6.2.2 (2+ years outdated) eDoc system uses RSA 1024-bit (weak) Military personnel names exposed — Anita Villarruel, Sebastian Cardenas
COMUNICACION — Government Communications (comunicacion.gob.ec)
| ID | Username/Slug | Display Name | Gravatar Hash | Author URL |
|---|---|---|---|---|
| 1 | administrador |
administrador | 9828b784c83bec77a42383037d2e8fbf761b4695ed17f22ac98dff0145a64d62 |
/author/administrador/ |
| 20 | simon-feijoo |
Dirección de Comunicación Digital de Gobierno y Cobertura | 5c0072d96d157bb4cc8ddd23cc0d11be4cef2de6a9c859f06a8a1cdf61be35c2 |
/author/simon-feijoo/ |
| 24 | comunicacion-digital |
Comunicacion Digital | 4604fb84ea7d33c25ecd7c3796dd097a077e363e8f39a116523f1579a0e3feeb |
/author/comunicacion-digital/ |
simon-feijoo — real person name exposed as slug, display name reveals government department title
BOMBEROS — Fire Service (bomberos.gob.ec)
| ID | Username/Slug | Display Name | Gravatar Hash | Author URL |
|---|---|---|---|---|
| 1 | admin_9hkvwa61 |
Juan Coronel | 2ca2d61359be9e9fd59f44a68750cad87a5e40cb36bac09e09485a9a86cf38f6 |
/author/admin_9hkvwa61/ |
Internal services exposed on homepage: 181.198.122.46:80 (Biotime attendance), 181.198.122.46:8069 (ERP/Odoo)
"Oraculo" Vendor Tracking
The oraculo account appears as User ID 1 (WordPress superadmin — the first account created during installation) on:
| Site | Display Name | Gravatar Hash |
|---|---|---|
| ecu911.gob.ec | SIS ECU911 | f8d7367b... |
| arcotel.gob.ec | oraculo | 751e90e9... |
| aduana.gob.ec | oraculo | (different) |
Different gravatar hashes = different email addresses used per site, but same oraculo slug = same vendor/deployment tool.
The oraculo WordPress plugin source code is publicly available on the Ecuador government GitLab (minka.gob.ec) and contains:
- Hardcoded password:
SNAPsitio30v - Hardcoded salt:
ALRTOPER984TNMGDGFDH - SQL injection vectors in ajax_selects.php and procesarContacto.php
- Deprecated MCrypt encryption (SHA256-based)
- No CSRF protection on form handlers
- No input sanitization on database queries
This single vendor/plugin represents a systemic supply chain vulnerability across Ecuador's entire government web infrastructure.