No Authentication Required

Campaign Statistics

Two concurrent OSINT operations — Crystal Vault (federal API enumeration) and a .git exposure campaign — against Mexican government, academic, media, and state-level infrastructure produced the following aggregate results.

One Curl Command

It started with a single line in a terminal.

curl -s https://repodatos.atdt.gob.mx/api_update/

The response was not an error. It was not a login page. It was a directory listing of 177 federal agencies — every dataset published by every ministry, regulator, and public body connected to Mexico's national open data platform.

ATDT — the Agencia de Transformación Digital y Telecomunicaciones (Agency for Digital Transformation and Telecommunications) — is the Mexican government's centralized technology arm. It manages the federal data repository at repodatos.atdt.gob.mx, a platform designed to aggregate and distribute datasets from across the entire executive branch. The API was live. The endpoints were indexed. There was no authentication, no rate limiting, no access controls of any kind.

Every agency folder contained structured metadata, direct links to CSV files, and in many cases full API maps describing every available endpoint and parameter. What was supposed to be a controlled data distribution platform was, in practice, an open filing cabinet with the lock removed.

No credentials were required. No exploits were used. No terms of service were bypassed. The API was public by design — or by negligence. The result was the same.

Targets Compromised

Seven targets across federal government, state government, academic, electoral, and media sectors were compromised through two vectors: unauthenticated API access and exposed .git/ directories on production servers.

Critical PII Datasets

The federal API at repodatos.atdt.gob.mx served datasets containing personally identifiable information for an estimated 186 million+ records. The following datasets represent the most sensitive exposures, organized by severity.

SAT — 464,153 Taxpayers

The Servicio de Administración Tributaria (SAT) — Mexico's tax authority — was the single largest source of personally identifiable information in the collection. Five datasets totaling 69 MB of structured data exposed the tax records of nearly half a million individuals and organizations.

464,153 taxpayers. Names, tax IDs, addresses, phone numbers. Served as flat CSV from an unauthenticated API. One curl command per file.

UAEM Payroll Exposure

The .git exposure at uaem.mx (Universidad Autónoma del Estado de Morelos) recovered 11,605 files totaling 960 MB of production source code, including student PII databases, staff directories, and complete payroll data. The payroll files reveal biweekly compensation totaling over $60 million MXN per period (2019 data).

Additional recovered material from UAEM includes: student PII database (SOLICITUD_CONSTANCIAS table with full names, emails, student IDs, grades, and majors), staff directories, IT phone directory, payment processing system, electronic voting system, professional license system, degree generation system, and full Apache configuration with routing rules. The sole developer — Rafael Fragoso ([email protected], GitHub: norgoth) — had root access and deployed directly to production.

SFP — 809 Sanctioned Officials

The Secretaría de la Función Pública (SFP) — Mexico's Ministry of Public Administration — maintains the official registry of sanctioned government officials. The dataset exposed through ATDT contained 809 records of federal employees who had been formally sanctioned for corruption, misconduct, or administrative violations.

Each record included the official's full name, the agency they served, the type of sanction imposed, and the duration of their disqualification from public service. The sanctions ranged from temporary suspensions to permanent bans from government employment.

Among the names: Emilio Lozoya Austin, former CEO of PEMEX (Petróleos Mexicanos), Mexico's state oil company. Lozoya was at the center of the Odebrecht scandal — a continent-spanning bribery operation in which the Brazilian construction conglomerate paid $10.5 million in bribes to secure contracts with PEMEX. Lozoya was arrested in Spain in 2020, extradited to Mexico, and became a cooperating witness whose testimony implicated former presidents and senior officials.

The SFP sanctions list is, in essence, a public registry of every federal official the Mexican government has formally found to be corrupt. That it was served without authentication from an open API is consistent with the pattern across the entire ATDT platform: data that carries real consequences for real people, treated as if it were a weather feed.

INDAABIN — 1,396 Federal Notaries

The Instituto de Administración y Avalúos de Bienes Nacionales (INDAABIN) — the federal institute responsible for national property valuation and management — contributed one of the more unusual datasets in the collection: the complete registry of 1,396 federal notaries.

Each record contained the notary's full legal name, license number, office address, and jurisdiction. Federal notaries in Mexico are critical actors in property transactions, business incorporations, and legal certifications. Their identities and locations are not publicly advertised at this level of detail — or they were not supposed to be.

The exposure of a complete notary registry creates a specific risk profile. Notaries are targets for coercion by organized crime groups seeking to legitimize property acquisitions, forge corporate documents, or launder money through real estate. A bulk list of every federal notary, their office addresses, and license numbers is not merely an administrative inconvenience — it is an operational map for anyone seeking to compromise Mexico's notarial system.

Git Exposure Campaign

A parallel .git exposure campaign recovered 17 live credential sets from 6 Mexican domains, exposed 37+ developer identities, and recovered nearly 1 GB of production source code from a major public university. Seven Git repositories were discovered across GitHub, GitLab, Bitbucket, and internal Gitea instances.

The credential sets span a state electoral institute (election infrastructure), a state health department, a major university with student PII, and a large newspaper. Three external IPs with connectable database services were identified: 104.45.237.221 (Azure, IEEQ), 187.191.76.50 (IEEQ comms), and 52.117.172.166 (IBM Cloud, El Siglo). All credentials were found in committed source code, indicating systemic failure to use environment variables or secrets management across Mexican institutions.

The Durango State Prosecutor's Office (fiscalia.durango.gob.mx) runs a single WordPress install serving 24 state government agency websites including Fiscalia, DIF, Education, Health, Public Security, Civil Protection, and SIPINNA (child welfare). It runs RevSlider with CVE-2022-0441 (CVSS 9.8, authentication bypass) and CVE-2014-9734 (file inclusion). No security plugins are installed. XML-RPC is enabled.

Raw Data & Downloads

All collected data has been archived and is available for researchers, journalists, and civil society organizations through ODINT's data server.