The Denuncias Were Not Sealed

Panama's Ministry of Women committed full cloud storage credentials for its domestic violence complaint system to a public repository. The Administrative Attorney General's case database and Panama's investment promotion Twitter OAuth token came along in the same pull.


Campaign Statistics

A sweep of Panama's government digital surface -- public git repositories associated with .gob.pa domains -- produced the following results. All data was retrieved from repositories that required no authentication.

  • Evidence Collected: ~2 GB
  • Domains Audited: 9
  • CRITICAL Findings: 3
  • Systems with Live Credentials: 5
  • Credential Sets Exposed: 12+
  • S3 Bucket (Abuse Reports): 1
  • Government Twitter OAuth Token: 1
  • Ministry-Level Systems: 5

Miami2021!!

The production database password for Panama's Ministry of Women domestic violence complaint application is a string containing the city name Miami, the year 2021, and two exclamation points. It sits in a PHP config file alongside something more significant: the full access key and secret for a MinIO S3 instance with a bucket named denuncias -- Spanish for "complaints." The bucket holds the complaint files submitted through app.mujer.gob.pa, Panama's Women's Ministry digital platform for victims of domestic abuse and gender-based violence to file formal reports.

The credentials were committed to a public repository. No authentication was required. Any person who knew to look at the .gob.pa namespace could pull the source code, read the config, and authenticate directly against the cloud storage endpoint at s3mujerapp.smspty.com -- with full read and write access to a bucket that exists specifically to receive domestic violence complaint submissions from Panamanian women.

No exploit was used. No credentials were brute-forced. No firewall was bypassed. All configuration files referenced in this investigation were publicly served from git repositories without access controls at the time of collection (2026). Five Panamanian government systems committed working production credentials to public repositories in the same sweep.

Why This Matters

The Ministry of Women finding is not a standard credential exposure. The denuncias bucket -- the word means "formal complaints" or "reports" in Spanish -- is the storage backend for complaint submissions from victims of domestic violence, harassment, and gender-based violence in Panama. The exposed MinIO credentials provide full S3 API access: list all objects, download individual complaint files, upload or overwrite existing records, and delete submissions.

A victim who submits a complaint through app.mujer.gob.pa is disclosing their identity, address, the identity of the alleged abuser, and often supporting evidence. That information was accessible to anyone who cloned the repository and read one config file. The exposure is compounded by the database credential (root user on 10.235.35.50) and SMTP credential for [email protected] in the same file, which together give access to the email channel through which the Ministry notifies complainants of case updates.

On a separate track: Panama's Administrative Attorney General -- the Procuraduria de la Administracion -- manages a legal information platform called InfoJuridica that tracks constitutional cases, administrative resolutions, and legal precedent. Its production database at internal IP 10.253.152.232 and mail server credentials were committed to a public repository in the same collection run.

A third finding involves datosalvoconductos.mici.gob.pa, operated by Panama's Ministry of Commerce and Industries. The repository for what appears to be the PROINVEX investment promotion platform committed a Twitter OAuth access token alongside consumer keys and secrets to a file named .env.example -- a file intended to serve as a credential template with placeholder values. The values in this file were not placeholders.

Targets Audited

Ministry of Women and Social Development

app.mujer.gob.pa
Panama Ministry of Women and Social Development (MIDEM) -- Domestic violence and gender-based violence complaint submission platform
Vector: Public git repository -- no authentication required
Status: CRITICAL -- MinIO S3 credentials (denuncias bucket), production database root credentials, SMTP access

Administrative Attorney General

infojuridica.procuraduria-admon.gob.pa
Panama Procuraduria de la Administracion (Administrative Attorney General) -- Legal case management and constitutional information platform
Vector: Public git repository -- .env.prod committed in plaintext
Status: CRITICAL -- production database credentials, SMTP server credentials

Ministry of Commerce and Industries

datosalvoconductos.mici.gob.pa
Panama Ministry of Commerce and Industries (MICI) -- PROINVEX investment promotion platform
Vector: Public git repository -- real credentials committed in .env.example template file
Status: CRITICAL -- Twitter OAuth access token, consumer key and secrets, Laravel app encryption key

Small Business Authority

programas.ampyme.gob.pa
Panama Autoridad de la Micro, Pequena y Mediana Empresa (AMPYME) -- Small and medium business program management
Vector: Public git repository -- connection files committed across three subsystems
Status: HIGH -- root database credentials across three databases (ampyme_programas, booking_system, cumbre)

Housing Ministry

lima.miviot.gob.pa
Panama Ministry of Housing and Land Use (MIVIOT) -- LIMA land titling and housing program system
Vector: Public git repository -- database connection committed in plaintext
Status: HIGH -- production database credentials on internal IP 10.20.30.2

Environment Ministry

plantaciones.miambiente.gob.pa
Panama Ministry of Environment (MIAMBIENTE) -- CURUPIRA forestry plantation management system
Vector: Public git repository -- connection library empty; credentials stored server-side
Status: INFO -- full system source code and business logic exposed; no credentials found in repository

Enumerated / No Content

galeriafotociencia.senacyt.gob.pa / e-judicial.organojudicial.gob.pa / openpty.mupa.gob.pa
SENACYT (National Secretariat of Science and Technology), Organo Judicial (Judiciary), MUPA (Urban Land Authority)
Status: Enumerated -- default template files only or no committed content; no credentials found

Critical Findings

app.mujer.gob.pa -- MinIO S3 full access credentials for Panama's domestic violence complaint storage bucket
Status: CRITICAL
Files: config.php, email_config.php
System: MIDEM domestic violence complaint platform
Framework: PHP / MinIO S3 SDK

The config.php file contains full MinIO S3 credentials for an instance at s3mujerapp.smspty.com with a bucket named denuncias. The credentials provide S3 API access (list, get, put, delete) to complaint files submitted by domestic violence and abuse victims through Panama's official Women's Ministry reporting platform. The same file contains the production MySQL database credential: host 10.235.35.50, user root, database midem_db. A separate email_config.php commits SMTP credentials for [email protected] -- the Ministry email account used to send case status notifications to complainants.

    // config.php (app.mujer.gob.pa)
    // MinIO S3 -- denuncias bucket (complaint file storage)
    'endpoint' => 'https://s3mujerapp.smspty.com',
    'key' => '[REDACTED -- MinIO S3 access key]',
    'secret' => '[REDACTED -- MinIO S3 secret key]',
    'bucket' => 'denuncias',
    // Production database
    define('DB_HOST', '10.235.35.50');
    define('DB_USER', 'root');
    define('DB_PASS', '[REDACTED]');
    define('DB_NAME', 'midem_db');
    // email_config.php (SMTP)
    define('SMTP_HOST', 'correo.mujer.gob.pa');
    define('SMTP_PORT', 465);
    define('SMTP_USERNAME', '[email protected]');
    define('SMTP_PASSWORD', '[REDACTED]');

infojuridica.procuraduria-admon.gob.pa -- Production database and SMTP credentials for Panama's Administrative Attorney General legal information system
Status: CRITICAL
Files: .env.prod, config_mail.php
System: Procuraduria de la Administracion -- InfoJuridica legal case management
Framework: PHP / Laravel-style env configuration

The .env.prod file -- a production environment file committed alongside the application source -- contains database credentials for the InfoJuridica platform at host 10.253.152.232, database infojuridica. InfoJuridica is Panama's Administrative Attorney General system for cataloguing constitutional court decisions, legal resolutions, and administrative precedents. A separate config_mail.php commits SMTP credentials for [email protected] on the Ministry's own mail server, providing the ability to send as the Attorney General's IT services division.

    // .env.prod (infojuridica.procuraduria-admon.gob.pa)
    DB_HOST=10.253.152.232
    DB_NAME=infojuridica
    DB_USER=info2019
    DB_PASSWORD=[REDACTED]
    // config_mail.php
    'host' => 'mail.procuraduria-admon.gob.pa',
    'username' => '[email protected]',
    'password' => '[REDACTED]',
    'port' => 465,
    'secure' => 'ssl'

datosalvoconductos.mici.gob.pa -- Twitter OAuth access token and consumer credentials for Panama's investment promotion authority
Status: CRITICAL
Files: .env.example
System: MICI -- PROINVEX investment promotion platform
Framework: Laravel

The MICI repository committed a .env.example file -- conventionally a template containing placeholder values -- with production Twitter OAuth credentials populated in place of placeholders. The Twitter access token, access token secret, consumer key, and consumer secret are all present. The access token begins with a numeric prefix corresponding to a real Twitter user account ID rather than example placeholder text. Whoever holds these credentials can authenticate to the Twitter API as the account tied to that user ID and post, follow, message, or read protected content as that account. A Laravel application encryption key was also committed in the same file.

    // .env.example (datosalvoconductos.mici.gob.pa)
    // PROINVEX investment promotion platform
    TWITTER_ACCESS_TOKEN=[REDACTED -- live Twitter access token]
    TWITTER_ACCESS_TOKEN_SECRET=[REDACTED]
    TWITTER_CONSUMER_KEY=[REDACTED]
    TWITTER_CONSUMER_SECRET=[REDACTED]
    APP_KEY=[REDACTED -- Laravel app encryption key]

High Findings

programas.ampyme.gob.pa + lima.miviot.gob.pa -- Root database credentials across Panama's small business agency and housing ministry
Status: HIGH
Files: include/conect.php, Booking/config/database.php, cumbre/admin/includes/db.php (AMPYME); conecta.php (MIVIOT)
Systems: AMPYME (small business programs), MIVIOT (housing/land titling)
Framework: PHP

The AMPYME platform -- Panama's authority for micro, small, and medium enterprise programs -- committed the same root database credential across three application modules. All three share an identical password on localhost, covering the main program database, a booking system, and a secondary conference management database. A fourth system, lima.miviot.gob.pa operated by the Ministry of Housing and Land Use, committed the credential for its LIMA land-titling database on internal host 10.20.30.2.

    // include/conect.php (AMPYME -- ampyme_programas)
    $server = "localhost";
    $login = "root";
    $passwd = '[REDACTED]';
    $db = "ampyme_programas";
    // Booking/config/database.php (AMPYME -- booking_system)
    define('DB_HOST', 'localhost');
    define('DB_USER', 'root');
    define('DB_PASS', '[REDACTED]');
    define('DB_NAME', 'booking_system');
    // cumbre/admin/includes/db.php (AMPYME -- cumbre)
    $dbHost='localhost';
    $dbName='cumbre';
    $dbUser='root';
    $dbPass='[REDACTED]';
    // conecta.php (MIVIOT -- lima)
    $host = "10.20.30.2";
    $username = "lima";
    $password = "[REDACTED]";
    $db_name = "lima";
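
A repository owner can audit for this pattern before anything is pushed. The following is an added example, not code from ODINT or the affected agencies: it parses the three PHP assignment styles seen in the excerpts, then reports files that connect as root and groups of files sharing one password, comparing digests so the secret itself never appears in the report. The names extract and audit and every sample value are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# One pattern per assignment style used in the excerpts above.
PATTERNS = [re.compile(p) for p in (
    r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""",  # define('DB_PASS', 'x');
    r"""\$(\w+)\s*=\s*['"]([^'"]*)['"]""",                        # $passwd = 'x';
    r"""['"](\w+)['"]\s*=>\s*['"]([^'"]*)['"]""",                 # 'secret' => 'x',
)]
USER_KEY = re.compile(r"user|login", re.IGNORECASE)
PASS_KEY = re.compile(r"pass|secret", re.IGNORECASE)

# Constructed sample: file names follow the excerpts, every value is made up.
SAMPLE = {
    "include/conect.php": '$server = "localhost"; $login = "root"; $passwd = "constructed-pw-1";',
    "Booking/config/database.php": "define('DB_USER', 'root'); define('DB_PASS', 'constructed-pw-1');",
    "cumbre/admin/includes/db.php": "$dbUser='root'; $dbPass='constructed-pw-1';",
    "conecta.php": '$username = "lima"; $password = "constructed-pw-2";',
}


def extract(php_source):
    """Map each string-valued setting name to its value."""
    return {name: value for p in PATTERNS for name, value in p.findall(php_source)}


def audit(files):
    """files: {path: php_source}. Report root logins and passwords shared across files."""
    root_files, by_digest = [], defaultdict(list)
    for path, source in sorted(files.items()):
        for name, value in extract(source).items():
            if USER_KEY.search(name) and value == "root":
                root_files.append(path)
            elif PASS_KEY.search(name) and value:
                # Group by digest so the report never contains the secret itself.
                digest = hashlib.sha256(value.encode()).hexdigest()
                by_digest[digest].append(path)
    shared = [paths for paths in by_digest.values() if len(paths) > 1]
    return {"root_user": root_files, "shared_password": shared}


if __name__ == "__main__":
    report = audit(SAMPLE)
    print("connects as root:", report["root_user"])
    print("share one password:", report["shared_password"])
```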

The .env.example Problem

The MICI finding illustrates a category of exposure that is particularly durable: credentials committed to files whose names signal they are safe to commit. .env.example files are conventional placeholders -- developers are taught to commit them to share the configuration schema while keeping actual secrets out of version control. When a real credential is pasted into an example file instead of a placeholder, the file becomes indistinguishable from the benign template it is supposed to be, and the credential survives all downstream audits and repository transfers that assume example files contain no sensitive data.

The Twitter access token in the MICI file begins with a numeric prefix that corresponds to a real user account, not example text. The consumer key is a 25-character string that matches the format of production credentials rather than a placeholder value. The pattern is consistent with a developer copying a working credential set from their own environment into the example file to document what the values should look like -- without understanding that the values themselves are now part of the public record.
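
A template file can be checked mechanically before it is committed. The following is an added example, not code from ODINT or the MICI repository: a heuristic linter that flags .env.example values that look populated rather than placeholder. The token shape (numeric account ID, hyphen, random tail), the thresholds, the function names and the sample file are assumptions made for illustration.

```python
import math
import re

# Values that are clearly template placeholders (heuristic, tune per project).
PLACEHOLDER = re.compile(
    r"^$|^(null|true|false|secret|example|password)$|^<.*>$|^\$\{.*\}$"
    r"|^(your|xxx|todo|replace|change)[-_ a-z0-9]*$",
    re.IGNORECASE,
)
SENSITIVE_KEY = re.compile(r"TOKEN|SECRET|PASSWORD|PASS|KEY", re.IGNORECASE)
# Assumed shape of an OAuth 1.0a access token: numeric account ID, hyphen, random tail.
ID_PREFIXED_TOKEN = re.compile(r"^\d{5,}-[A-Za-z0-9]{20,}$")

# Constructed sample; none of these values come from the repositories above.
SAMPLE = """\
APP_NAME=Laravel
APP_KEY=
DB_PASSWORD=your_password_here
TWITTER_ACCESS_TOKEN=1234567890-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcd
TWITTER_CONSUMER_KEY=Zx9Qw3Er7Ty1Ui5Op2As6Df8G
TWITTER_CONSUMER_SECRET=<consumer-secret>
"""


def shannon_entropy(value):
    """Bits per character; random tokens score well above dictionary words."""
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)


def audit_env_template(text, min_len=16, min_entropy=3.5):
    """Return [(line_no, key, reason)] for values that look like live secrets."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip("'\"")
        if not SENSITIVE_KEY.search(key) or PLACEHOLDER.match(value):
            continue
        if ID_PREFIXED_TOKEN.match(value):
            findings.append((line_no, key, "numeric-ID-prefixed token"))
        elif value.startswith("base64:") and len(value) > 40:
            findings.append((line_no, key, "populated Laravel APP_KEY"))
        elif len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append((line_no, key, "high-entropy value"))
    return findings


if __name__ == "__main__":
    for finding in audit_env_template(SAMPLE):
        print("line %d: %s looks live (%s)" % finding)
```

Run as a pre-commit hook or CI step, a non-empty result should block the commit; the placeholder list is deliberately permissive and will miss a real secret that happens to start with a word such as "your".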

Internal Network Topology

The committed configuration files map three Panamanian government internal network ranges. ODINT is publishing the ranges only -- specific host addresses are in the full technical report.

  • 10.235.x.x range -- MIDEM (Ministry of Women) production database server
  • 10.253.x.x range -- Procuraduria de la Administracion production database server
  • 10.20.30.x range -- MIVIOT (Ministry of Housing) internal database network

Raw Data and Downloads

Panama -- Full Collection
9 domains, ~2 GB total evidence

CREDENTIALS-MASTER.md
Complete technical breakdown with all credential sets, network topology, and remediation steps organized by system

MIDEM (app.mujer.gob.pa)
Ministry of Women complaint platform -- MinIO S3, database, and SMTP credentials

Procuraduria (infojuridica.procuraduria-admon.gob.pa)
Administrative Attorney General legal information system -- database and SMTP credentials

MICI (datosalvoconductos.mici.gob.pa)
Commerce Ministry PROINVEX platform -- Twitter OAuth token and Laravel app key

AMPYME (programas.ampyme.gob.pa)
Small business authority -- root credentials across three database systems

MIVIOT (lima.miviot.gob.pa)
Housing ministry LIMA land titling system -- production database credentials

What This Means

Panama's exposure is concentrated in systems that handle sensitive citizen data at the ministry level. The pattern across five systems is the same as across every country in this series: configuration files with plaintext credentials, committed to repositories with no access controls, and left there.

  • The MinIO S3 credential for the denuncias bucket is the most significant finding. Domestic violence complaint records carry heightened protection requirements in most legal frameworks. The exposed credentials provide full cloud storage API access to those records -- read, write, and delete -- without any secondary authentication or audit trail beyond the S3 access logs of the storage provider.
  • The Procuraduria database credential exposes Panama's administrative legal record. The InfoJuridica system tracks constitutional cases and administrative resolutions. Read access to the database reveals the complete case index. The SMTP credential additionally allows sending as the Attorney General's IT division.
  • The MICI Twitter OAuth token allows posting as a Panamanian government account. Panama's PROINVEX platform exists to promote foreign investment. A credential that permits posting to the associated Twitter/X account could be used to publish false statements, market disinformation, or impersonate Panama's commerce ministry in communications with potential investors.
  • The AMPYME root credential pattern indicates a shared configuration template. Three databases use identical root credentials, suggesting the same developer or deployment script was reused across the agency's systems without rotation. Root access on a MySQL server means access to all databases on that host, not just the one named in the configuration.

Immediate remediation steps:

  • For MIDEM -- revoke the MinIO access key immediately; rotate the MySQL root credential on 10.235.35.50; change the SMTP password for [email protected]; run git-filter-repo to purge config.php and email_config.php from commit history.
  • For Procuraduria -- rotate the info2019 credential on 10.253.152.232; rotate the SMTP password for servicesdit@; purge .env.prod from commit history.
  • For MICI -- revoke the Twitter access token and consumer key through the Twitter Developer Portal; generate a new Laravel APP_KEY; purge .env.example from commit history and replace with a true placeholder template.
  • For AMPYME -- rotate the root MySQL password across all three databases; audit for shared credentials on the same host.
  • For MIVIOT -- rotate the lima credential on 10.20.30.2 and purge conecta.php from history.

OSINT Disclaimer

This report is based entirely on open-source intelligence (OSINT). No classified information was accessed. No confidential sources were used. No systems were breached. No authentication mechanisms were bypassed. All source code and configuration files referenced in this investigation were publicly served from git repositories without access controls at the time of collection (2026).

The repositories at app.mujer.gob.pa, infojuridica.procuraduria-admon.gob.pa, datosalvoconductos.mici.gob.pa, programas.ampyme.gob.pa, and lima.miviot.gob.pa cloned without authentication and returned working-tree content including configuration files with plaintext credentials.

ODINT has notified Panama's CERT and the relevant ministries concurrent with this publication, in line with our coordinated disclosure policy.

Compiled 2026-06-19 -- Classification: OSINT -- Open Source
Observatory for Digital Infrastructure and Network Transparency (ODINT)
