Dark Web News Analysis
A threat actor on a known cybercrime forum is advertising the sale of a database allegedly belonging to Bharat Sanchar Nigam Limited (BSNL), India’s state-owned telecommunications company. The dataset is sized at 1.9 GB (CSV format) and reportedly contains 18 million user records.
Brinztech Analysis:
- The Data: The leak includes highly specific subscriber details: Phone Numbers, Full Names, Email Addresses, Gender, and SIM Activation Outlets. The inclusion of “SIM activation outlets” suggests this data might originate from a compromised regional distributor, a legacy KYC database, or a third-party vendor managing BSNL’s point-of-sale systems.
- The “Leak Date: 2025” Tag: Although the tag may look peculiar, as of this writing (December 1, 2025) it indicates the data is being marketed as fresh and active.
- Context: BSNL has faced a systemic cyber-crisis throughout 2024 and 2025. This alleged 18M record breach follows the confirmed May 2024 breach (278GB) involving the threat actor “kiberphant0m” and the December 2023 breach (2.9M records) by “Perell.” This new listing likely represents either a fresh exfiltration or a massive aggregation of data that was previously “private” in the underground economy.
Key Cybersecurity Insights
This alleged data breach presents a critical, nation-scale threat to Indian citizens and government infrastructure:
- Massive SIM Swapping Risk: The exposure of Phone Numbers linked to SIM Activation Outlets is the “holy grail” for SIM swapping gangs. Attackers can use this location data to answer security questions (e.g., “Where did you buy your SIM?”) to hijack phone numbers and bypass 2FA on banking apps.
- Elevated Risk of “Digital Arrest” Scams: With full names and government/B2B affiliation data potentially exposed, attackers can launch highly targeted vishing (voice phishing) attacks. Scammers often pose as police or TRAI officials, claiming the victim’s “SIM is linked to illegal activity”—a scam epidemic currently plaguing India.
- Critical Infrastructure Implications: As a state-run telecom, BSNL provides connectivity to government offices, defense installations, and rural banking networks. A breach here exposes the contact details of sensitive personnel, creating a vector for espionage or Business Email Compromise (BEC).
- Regulatory Crisis (DPDP Act): If confirmed, BSNL faces mandatory reporting obligations under the Digital Personal Data Protection (DPDP) Act, 2023. Failure to secure the data of 18 million citizens could result in penalties of up to ₹250 crore.
Mitigation Strategies
In response to this claim, BSNL subscribers and connected organizations must take immediate action:
- Enhanced User Education (SIM Swap/Fraud): BSNL must launch an immediate awareness campaign warning users about “SIM Block” or “KYC Update” scams. Users should be advised never to share OTPs or click links in SMS messages claiming their number will be disconnected.
- Implement Phishing-Resistant MFA: Users should migrate away from SMS-based 2FA wherever possible. Enable app-based authenticators (Google Authenticator or Microsoft Authenticator) or hardware keys for banking and email accounts to neutralize the SIM swapping threat.
- Internal Security Audit: BSNL needs to conduct a forensic audit to identify if the “1.9GB” exfiltration originated from a specific API endpoint or a third-party vendor (the “SIM activation outlet” field is a strong lead).
- Proactive Fraud Detection: Financial institutions in India should flag BSNL numbers for higher scrutiny regarding SIM change alerts or unusual transaction patterns, given the high volume of exposed data.
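As an added illustration (not Brinztech's or any institution's code), the fraud-detection recommendation above can be written as a rule that stops trusting SMS OTP for a cooling-off period after a SIM change on a watched carrier. The 48-hour window, the 3x amount factor, the event fields and every sample record are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

COOLING_OFF = timedelta(hours=48)  # assumed cooling-off window after a SIM change
WATCHED_CARRIERS = {"BSNL"}        # carriers placed under higher scrutiny
AMOUNT_FACTOR = 3                  # assumed: above 3x the usual amount is "unusual"

# Constructed sample events (not real data). The carrier is assumed to come from
# the institution's telecom feed; a number prefix alone is unreliable because
# of number portability.
SIM_CHANGES = [
    {"msisdn": "+919400000001", "carrier": "BSNL", "at": "2025-12-01T09:00"},
    {"msisdn": "+919800000002", "carrier": "OtherTel", "at": "2025-12-01T09:30"},
]
TRANSACTIONS = [
    {"id": "t1", "msisdn": "+919400000001", "at": "2025-12-01T11:15", "amount": 90000, "usual": 4000, "new_payee": True},
    {"id": "t2", "msisdn": "+919400000001", "at": "2025-12-01T12:00", "amount": 500, "usual": 4000, "new_payee": False},
    {"id": "t3", "msisdn": "+919400000001", "at": "2025-12-05T10:00", "amount": 90000, "usual": 4000, "new_payee": True},
    {"id": "t4", "msisdn": "+919800000002", "at": "2025-12-01T10:00", "amount": 90000, "usual": 4000, "new_payee": True},
    {"id": "t5", "msisdn": "+919400000003", "at": "2025-12-01T10:00", "amount": 2500, "usual": 4000, "new_payee": False},
]

def latest_sim_change(msisdn, before, sim_changes):
    """Most recent watched-carrier SIM change for this number at or before `before`."""
    times = [datetime.fromisoformat(e["at"]) for e in sim_changes
             if e["msisdn"] == msisdn and e["carrier"] in WATCHED_CARRIERS]
    return max((t for t in times if t <= before), default=None)

def decide(txn, sim_changes=SIM_CHANGES):
    """Return 'allow', 'step_up' (non-SMS factor required) or 'hold' (manual review)."""
    when = datetime.fromisoformat(txn["at"])
    changed = latest_sim_change(txn["msisdn"], when, sim_changes)
    if changed is None or when - changed > COOLING_OFF:
        return "allow"  # this rule does not fire; other controls still apply
    # Inside the window an OTP sent to this number proves nothing about the customer.
    unusual = txn["new_payee"] or txn["amount"] > AMOUNT_FACTOR * txn["usual"]
    return "hold" if unusual else "step_up"

def review(transactions=TRANSACTIONS):
    """Map each transaction id to the rule's decision."""
    return {t["id"]: decide(t) for t in transactions}

if __name__ == "__main__":
    for txn_id, action in review().items():
        print(txn_id, action)
```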
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com