A hacker who goes by the name Kazu has shaken a clandestine forum by putting up for sale a database containing information on 2.5 million users registered on empleo.gob.mx, the official website of the National Employment Service (SNE), operated by the Secretariat of Labor and Social Welfare.
Kazu claims to have full access to the personal data of individuals using the platform to search for jobs: full names, ages, CURP numbers, education levels, email addresses, and phone numbers. All of this is ready to be sold on an underground forum.
In his post, the hacker is asking for \$2,000 for the database, but he also makes a more serious threat: if he doesn’t receive a \$20,000 ransom payment, he will leak all the information publicly. To prove he’s serious, he shared a JSON file containing real, structured user data, which was verified by Publimetro México.
A critical flaw left the data exposed without even requiring a password
The most alarming part of the incident is that no password or special permissions were needed to access user data on empleo.gob.mx. Literally anyone could view the information by simply making a request to the server using a basic ID number. That’s how Kazu managed to extract the personal data of 2.5 million people—without bypassing complex locks or using stolen credentials.
This marks a major difference from previous attacks carried out by the same hacker, where at least leaked passwords were needed to access government databases. In this case, the system didn’t even verify whether the person making the request was authorized. It was as if the door had been left wide open, without a lock.
Among the leaked data is highly sensitive information: full names, CURP, RFC, home addresses, education levels, job skills, and contact details. This not only compromises user privacy but also opens the door to crimes such as identity theft, job fraud, extortion, doxing, and more.
Who is Kazu?
In recent weeks, a series of cyberattacks have targeted various Mexican government agencies. The person responsible for these leaks has been very active, and their trail has already had consequences in several institutions.
Among the most recent cases is the exposure of personal data from the Secretariat of Education of Zacatecas, including sensitive information like CURP numbers, blood types, grades, and even minors’ data.
There was also a threat to release more than 73,000 documents belonging to the Attorney General’s Office of San Luis Potosí, including criminal record certificates and other confidential internal files.
Now, the new target is empleo.gob.mx, and what sets this incident apart from previous ones is the severity of the flaw discovered. In past attacks, compromised credentials or misconfigurations were required to gain access. This time, no authorized access was needed at all.
The security gap was so wide that the site’s public API allowed access to any user’s records by simply changing a number in the query. In other words, anyone could browse through personal data as if they had full system access.
This not only reveals a serious technical failure but also a total lack of basic safeguards to protect the millions of users who entrusted their information to an official government platform.
Read more: Alert in Mexico: Hacker Claims to Have 45 Million Pieces of App Data
Conclusion: A Wake-Up Call That Can’t Be Ignored
What happened with empleo.gob.mx isn’t just “another hack.” It’s a clear sign of how fragile digital security can be on public platforms in Mexico. We’re talking about more than 2.5 million people whose personal data was exposed due to a vulnerability that could have been prevented with basic security measures.
These types of failures not only expose people to real risks (fraud, extortion, identity theft), they also compromise an equally vital resource: the public’s trust in the institutions responsible for safeguarding our data.