A database containing over 500,000 email and password combinations was published for free on Telegram, and what's most alarming is that this is just a small fraction of something much larger. An automated bot within the same platform claims to have access to more than 17.5 million credentials linked to Mexican services and platforms.
The risk goes beyond personal account access: many of these credentials grant direct entry to official government portals, from which users can download payroll receipts, XML files, and even ZIP archives containing tax and personal information. This puts not only regular users at risk but also public officials, exposing them to fraud, identity theft, and other cybercrimes. The most concerning part isn't just the scale of the leak, but how vulnerable we still are to simple security oversights.
The leak includes active credentials for official government portals with the .gob.mx domain. (Source: Publimetro)
The Leak: Half a Million Unprotected Logins
The leaked file was named “[MX]-URL_LOGIN_PASS.txt” and contained exactly 503,258 entries. Each line included a website address, a username, and a password—everything in plain text, completely unprotected. The domains ranged from private companies to portals from the SAT, universities, banks, and even government systems with .gob.mx extensions.
What’s especially concerning is that many of these credentials were fully exposed, with no encryption whatsoever. In numerous cases, people used their personal Gmail or Outlook addresses along with extremely simple passwords. In others, the combinations included RFCs, student ID numbers, or public servant credentials, making them even more sensitive.
Perhaps the most shocking part is that this file wasn’t sold—it was given away. It was published in a Telegram channel with nearly 16,000 followers as if it were a free sample. Similar databases from countries like Argentina, Poland, and the Philippines were also circulating there. The Mexican file was the second largest, nearly 49 MB in size.
The reason? A strategy to attract more users to a bot called MoonSearcher, a paid tool that allows users to search for leaked credentials by country, domain, email, or type of information. In short, half a million logins were given away just to promote a service that traffics in stolen data.
MoonSearcher: The Google of Stolen Data
MoonSearcher is a bot that operates 24/7 on Telegram. It is marketed as an “innovative tool” for searching leaked databases, but in reality, it's a search engine for stolen credentials. The term they use is ULP (URL, Login, Password), a concept well-known in cybercrime circles.
This bot lets users search by data type—for example, just emails with passwords, or access credentials to platforms ending in domains like .edu.mx or .gob.mx. For more specific searches, it charges starting at $70 per query. According to its own promotions, it holds over 17.5 million Mexican credentials in its database.
What makes it especially dangerous is its speed: it responds in seconds, filters out duplicates, and even allows searches by country or language. Essentially, it puts the ability to select a target and obtain their active credentials on a silver platter for anyone.
Official Platforms at Risk: Payroll and Tax Data Exposed
One of the most alarming aspects of this leak is that some of the exposed credentials are functional and allow direct access to government portals. One such site is the Human Capital portal of Mexico City, where employees can download their payroll receipts, XML files, ZIP archives with tax information, and even certificates for asset declarations.
What kind of data is exposed there? Virtually everything: RFC, CURP, full name, job title, administrative unit, base salary, benefits, deductions, type of contract, and employee number. In some cases, the credentials even grant administrative privileges, such as generating ID cards or updating personal information.
This portal operates under the domain i4ch-capitalhumano.cdmx.gob.mx, which is also listed in the leaked file. That confirms the credentials are real, and many of them were still active as of the last check on May 19, 2025. If those passwords haven’t been changed since then, many of them may still work, opening the door to unauthorized access and theft of sensitive information.
Several leaked passwords grant direct access to Mexico City's Human Capital portal, allowing downloads of XML and ZIP files.
A Risk That Goes Much Further: Universities, Government, and Even Banks
The leak isn't limited to just a few portals—it also includes access credentials for universities such as UNAM, IPN, UABC, and UAEH, as well as federal institutions like the SAT, SEP, CFE, Condusef, and Infonavit. Just the entries linked to .gob.mx domains amount to over 245,000—nearly half of the entire exposed database.
But it doesn’t stop there. The data set also includes credentials for Mexican banks like Banorte, HSBC, and Banco del Bienestar, as well as betting platforms, delivery companies like Estafeta, and various streaming services, telecom providers, and online stores. In short: if you have an account with any of these entities, you might be on the list.
This leak is not just another headline—it’s a wake-up call for everyone. It doesn’t matter if you’re a government employee, student, worker, or just someone who reuses the same password “as always” across multiple platforms.
If you suspect your data may have been compromised (or just want to play it safe), the first thing you should do is change your passwords—especially if you use the same one across different services. Avoid obvious passwords like birthdates or simple combinations such as "123456."
Additionally, enable multi-factor authentication (MFA) on every platform that supports it. That extra layer can be the difference between a secure account and one that's compromised. It may feel like a hassle, but it protects you even if someone manages to get hold of your password.
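For a security team whose own domain appears in a ULP file like the one described above (one website address, username, and password per line), the following added example, which is not from the article, lists the accounts that need a forced reset without ever storing the leaked passwords. The `:` field separator, the `.example` hostnames, and the function names are assumptions; the article does not state the file's delimiter.

```python
from urllib.parse import urlsplit

COMMON = {"123456", "12345678", "password", "qwerty"}  # tiny illustrative list

# Constructed sample lines; ':' as the field separator is an assumption.
SAMPLE = """\
https://portal.agency.example/login:ana.lopez@gmail.com:123456
https://portal.agency.example:8443/auth:jperez:Verano-2024-largo
portal.agency.example/login:Ana.Lopez@gmail.com:123456
https://notagency.example/login:luis:abcdefgh1
https://tienda.shop.example/cuenta:maria@outlook.com:qwerty
line without the three fields
""".splitlines()


def parse_ulp(line):
    """Return (host, login, password), or None for a malformed line."""
    # Split from the right: the URL itself contains ':' (scheme, port).
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3 or not all(parts):
        return None
    url, login, password = parts
    try:
        # Entries without a scheme need '//' so the host is parsed as netloc.
        host = urlsplit(url if "://" in url else "//" + url).hostname
    except ValueError:
        return None
    return (host, login.lower(), password) if host else None


def accounts_to_reset(lines, org_domain):
    """Map (host, login) -> True if any leaked password for it looks weak."""
    org_domain = org_domain.lower().lstrip(".")
    found = {}
    for line in lines:
        rec = parse_ulp(line)
        if rec is None:
            continue
        host, login, password = rec
        # Match on a label boundary so 'notagency.example' is not included.
        if host != org_domain and not host.endswith("." + org_domain):
            continue
        weak = len(password) < 8 or password.isdigit() or password.lower() in COMMON
        found[(host, login)] = found.get((host, login), False) or weak
    return found


if __name__ == "__main__":
    hits = accounts_to_reset(SAMPLE, "agency.example")
    for (host, login), weak in sorted(hits.items()):
        print(host, login, "weak-password" if weak else "reset")
```

A password that itself contains `:` will be mis-split by this parser, so treat the output as a reset list to review rather than an exact inventory.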