A new massive data leak has set off security alerts in Mexico: more than 49 thousand login credentials to official portals with .gob.mx domain (including platforms such as SAT, ISSSTE, empleo.gob.mx and Mexico City government systems) were published on Telegram channels by a group calling itself “SATANIC CLOUD”.
The file, which is circulating freely, contains complete combinations of websites, emails and passwords in plain text. What is most alarming is that many of these passwords still work, allowing access to real accounts of Mexican citizens without any barriers.
The leaked file has an already creepy name: 22M URL-LOGIN-PASS 22.05.2024 SATANIC CLOUD.txt. It weighs 1.5 GB and comes in plain text, with over 22 million lines. Yes, you read that right. From all that sea of data, the following were detected:
49,340 records related to Mexican government sites (.gob.mx).
53,600 records linked to .com.mx pages.
The file format is as simple as it is dangerous: URL: email: password
Real example: https://sinat.semarnat.gob.mx/:usuario@dominio.com:contraseña123
The worst part? Many of these passwords still work. When analyzing the file, it was found that the most affected is SAT, with 23,712 compromised logins. But it is not the only one:
CDMX Government: 961 accounts.
ISSSTE: 533 leaked passwords
Employment.gob.mx: 649 active combinations.
These are not just any sites. They all handle sensitive information: personal data, income, work history, medical and social services. If someone accesses that account, they can not only see your information, but also use it. The potential damage is enormous.
Read more: Hackers Infect Devices with Malware by Charging 100 Pesos
As unbelievable as it sounds, some of the leaked passwords still work. It was confirmed that at least part of the credentials are valid and were used to log into real accounts on government portals, such as ISSSTE's, where even Single Electronic Files dated May 22, 2025 were downloaded. These files are not just anything: they contain super sensitive information such as:
CURP, RFC, NSS, address, gender and marital status.
Salaries, job titles, contribution history and type of contract.
Family members' data (names, relationship, CURP, entitlements)
Assigned medical unit and ISSSTE delegation
Information on pensions and affiliations to FOVISSSTE
In other words, if someone with bad intentions gains access, they have everything they need to supplant you or give you a very hard time.
Although there is no official source confirmed, everything indicates that the credentials were stolen using infostealer malware. This type of malware gets into your computer or cell phone without you realizing it, and it usually does so through:
Downloaded files (such as cracks, fake PDFs or infected forms).
Cloned websites that mimic official government websites
Phishing campaigns on social networks
Once the infostealer is installed, it does its work silently:
It extracts all the passwords saved in your browser.
Steals session cookies (those that keep you logged in)
Checks and copies downloaded or saved documents
Then, the attackers put it all together in giant files like the one that was leaked, known as combolists. They share them for free to gain notoriety or attract buyers, and then sell more “valuable” assets or launch more targeted attacks. Yes, like it's a business. Because it is.
The figure is frightening: more than 23 thousand accesses linked to the SAT portal. But before panicking, let's put things in context. The SAT has been updating its system and strengthening its security in recent months. Many of the web addresses that appear in the leak are no longer active or were redirected to new internal routes.
That means that, in many cases, those passwords probably no longer work directly to enter the current SAT portal. But beware: this does not render them harmless. Why? Because that data can still be very useful to attackers. For example:
They can use them to try to recover passwords via email.
They could impersonate you on other sites.
Or launch more personalized attacks using what they know about you (called “social engineering”).
Read more: Hacker Who Doxed Sheinbaum Leaks Data on 17 Million Mexicans
Because we are not talking about an old leak, nor about a file “for bothering”. It is a database with real accesses, that work in several cases, and that allow to enter official platforms where there is current information and documents with legal validity. In short: it doesn't matter if a specific URL is no longer useful. If your data is there, you are still at risk.
If you got the doubt (or the scare) that your account could have been in that leak, the best thing to do is to act fast. Here are some steps you can take:
Change your passwords now. Especially if you use the same password for other sites (yes, we know many do). Don't wait for someone else to do it for you.
Turn on two-factor authentication (2FA). It's that option that prompts you for an extra code via message or app, and trust us, it can save your account.
Check recent logins on your government portals. If you see something weird or a login that wasn't you, report it.
Do you have doubts about an official document? Don't hesitate: go to your ISSSTE office or to the corresponding institution.
Check if your email was filtered using tools such as HaveIBeenPwned.com. Just enter your email and it will tell you if it appeared in any hacked database.
The important thing here is not to wait. A compromised account today can become a headache tomorrow.