Dark Web News Analysis
Cybersecurity intelligence from February 19, 2026, has identified a massive data exposure event targeting Taxes Software Argentina (taxes.com.ar), a key provider of fiscal and accounting solutions. A threat actor known as @s Montaro has claimed responsibility for extracting a massive archive containing the SQL databases of 440 different companies hosted on the platform.
The breach was not the result of a complex exploit, but rather a fundamental infrastructure failure. The attacker identified an exposed Laravel storage directory where directory listing was enabled due to a misconfigured Nginx server. This allowed for the direct, unauthorized download of:
- 4.7GB of Financial Records: Comprehensive SQL dumps containing the accounting and tax data of 440 organizations.
- Government Entity Exposure: Databases belonging to Correo Oficial de la República Argentina and Dirección General de Aduanas.
- AFIP Certificate Compromise: The actor claims to have accessed AFIP (Administración Federal de Ingresos Públicos) digital certificates, which are used for official tax filing and electronic invoicing in Argentina.
- Corporate PII: Extensive records of company employees, clients, and transaction histories.
Key Cybersecurity Insights
The breach of a tax software provider at this scale represents a “Tier 1” threat with systemic implications for the Argentine economy:
- National Security and “Fiscal Hijacking”: The potential compromise of AFIP certificates is a catastrophic event. These certificates represent the digital identity of a company before the state. Attackers can use them to issue fraudulent invoices, manipulate tax declarations, or intercept sensitive communications between businesses and the government.
- Industrialized Financial Fraud: With 4.7GB of raw SQL data, cybercriminals have a blueprint of the financial health and banking details of hundreds of firms. This information is a “goldmine” for Business Email Compromise (BEC), where attackers impersonate vendors or executives using real invoice data to redirect high-value payments.
- Infrastructure Misconfiguration as a Catalyst: The use of Laravel—a popular PHP framework—with a misconfigured Nginx server highlights a growing trend in 2026: attackers are increasingly scanning for “lazy” configurations. An enabled directory listing is the digital equivalent of leaving a bank vault door wide open and labeled.
- Logistics and Customs Disruption: By accessing data from the Customs (Aduanas) and Post Office (Correo), threat actors can gain insight into national import/export logs, shipping manifests, and sensitive supply chain movements, potentially facilitating smuggling or large-scale cargo theft.
Mitigation Strategies
To protect your fiscal identity and secure your corporate financial data following this exposure, the following strategies are urgently recommended:
- Immediate Infrastructure Hardening: Taxes Software and its clients must immediately disable directory listing on all Nginx/Apache servers. Ensure that the storage directory and .env file of Laravel applications are strictly protected and not accessible via a public URL.
- Revocation and Reissue of AFIP Certificates: Every organization whose data was part of the 440 compromised databases must immediately revoke their AFIP digital certificates and request new ones. Continued use of compromised certificates allows attackers to maintain a “legal” digital presence on behalf of the company.
- Mandatory SQL User Credential Rotation: Rotate all database passwords and application-level secrets found within the SQL dumps. If any database passwords were reused for corporate VPNs or email, those must be changed immediately across the entire organization.
- Forensic Compromise Assessment: Conduct a deep-dive audit of server logs to identify the full extent of the exfiltration. Determine if the directory listing was the only entry point or if the attacker achieved persistence through a web shell or secondary backdoor.
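The infrastructure hardening item above can be checked mechanically. The following is an added example, not code from Brinztech or Taxes Software: a simplified Python audit that flags `autoindex on`, a `root` that is not Laravel's `public/` directory, and a missing deny rule for dotfiles such as `.env`. The function name `audit_nginx`, the paths and both sample configurations are constructed for illustration, and the directive splitter does not handle quoted strings.

```python
import re

# Constructed sample: the Laravel project root is served and listing is on.
WEAK_CONF = r"""
server {
    root /var/www/app;            # project root, so storage/ and .env are reachable
    location /storage/ {
        autoindex on;
    }
}
"""

# Constructed sample: only public/ is served, listing is off, dotfiles are denied.
HARDENED_CONF = r"""
server {
    root /var/www/app/public;
    autoindex off;
    location ~ /\.(?!well-known).* {
        deny all;
    }
}
"""

def audit_nginx(conf: str) -> list[str]:
    """Return findings for the misconfigurations named in the hardening item."""
    # Drop comments, then split into directives on ';', '{' and '}'.
    text = re.sub(r"#[^\n]*", "", conf)
    directives = [d.split() for d in re.split(r"[;{}]", text) if d.strip()]
    findings, dotfiles_denied = [], False
    for i, d in enumerate(directives):
        if d[0] == "autoindex" and d[1:] == ["on"]:
            findings.append("autoindex on: directory listing enabled")
        elif d[0] == "root" and len(d) > 1 and not d[1].rstrip("/").endswith("/public"):
            findings.append(f"root {d[1]}: document root is not Laravel's public/")
        elif d[0] == "location" and any(t.startswith("/\\.") for t in d[1:]):
            # A dotfile location only counts if its first directive is 'deny all'.
            dotfiles_denied = directives[i + 1 : i + 2] == [["deny", "all"]]
    if not dotfiles_denied:
        findings.append("no 'deny all' location covering dotfiles such as .env")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_nginx(conf) or "no findings")
```

To audit a live server, feed the function the output of `nginx -T`, which prints the effective configuration with all included files expanded.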
Secure Your Future with Brinztech — Global Cybersecurity Solutions
From agile SMEs and global enterprises to national agencies, Brinztech provides the strategic oversight necessary to defend against evolving digital threats. We offer expert consultancy to audit your current IT policies and GRC frameworks, identifying critical vulnerabilities before they can be exploited. Whether you are protecting a local business or a government entity, we ensure your security posture translates into lasting technical resilience—keeping your digital footprint secure, your citizens’ data private, and your future protected.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com