Turkish Citizenship Database Leak (Update 2)

Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?

Seen online after a subsequently-deleted tweet called attention to it:

This paste with a link to a 6.6 GB file, purportedly containing clear-text information on 49,611,709 Turkish citizens, including the following details:

  • National Identifier (TC Kimlik No)
  • First Name
  • Last Name
  • Mother’s First Name
  • Father’s First Name
  • Gender
  • City of Birth
  • Date of Birth
  • ID Registration City and District
  • Full Address

An IP lookup places the IP in Iceland, with the owner as Flokinet Ehf, website: twistednetworks.net.
[UPDATE: a commenter points that the source I used was wrong:

First: the IP is located in Romania
Second: that twistednetworks.net has nothing to do with the hosting company Flokinet Ehf. It’s very obvious in the IP whois or even if you do a simple google search, that the host website is https://www.flokinet.is

Please check your facts carefully.

Weird… I’ll have to go back to figure out which lookup site I used that was so wrong, but thanks!

The hackers left a terse message:

Lesson to learn for Turkey:

  • Bit shifting isn’t encryption.
  • Index your database. We had to fix your sloppy DB work.
  • Putting a hardcoded password on the UI hardly does anything for security.
  • Do something about Erdogan! He is destroying your country beyond recognition.

Lessons for the US? We really shouldn’t elect Trump, that guy sounds like he knows even less about running a country than Erdogan does.

 The paste also contained the personal information on Erdogan and Davutoglu, which DataBreaches.net is not reproducing here.
DataBreaches.net did not download the massive database, and it’s not yet clear if these are old data from 2009 from a previous breach, a possibility raised by coverage of another leak noted on Daily Dot in February. If anyone can confirm whether these are old data or new data, please let me know.

Update: Turkish minister calls massive data leak report an ‘old story’:

Turkey’s communications minister has denied reports of a massive data leak containing the personal information of nearly 50 million Turkish citizens, saying the leak was an “old story” from 2010, as allegations triggered concerns over personal data protection.

“This is a very old story. A similar allegation was made in 2010,” Turkish Transportation, Communication and Maritime Affairs Minister Binali Yıldırım told reporters during a meeting with board members of the Turkish World Union of Engineers and Architects (TDMMB) on April 5.

Denied reports? “Similar allegation?” Is he saying that the data are fake or just that it’s an old leak and not new data? The reporters could have done a better job on questioning and follow-up here, but it seems that my suspicion that this was an old leak was correct.

Update: as more info comes out, it seems that yes, these are not new data, but then why didn’t the government ever investigate this leak before? Media (including this site) reported this leak more than one year ago.

Update2: Turkey’s election authority says the leak was not from their system, but the data appear to be data they had shared with others. So one down (if they’re telling the truth), and a bunch of other entities to check with.

About the author: Dissent

31 comments to “Turkish Citizenship Database Leak (Update 2)”

You can leave a reply or Trackback this post.
  1. Hendrik - April 4, 2016

    did anyone verify that dataset yet?

    • no name:) - April 4, 2016

      I can verify as a turkish person, its 100% true. My mom’s identify is correct. There is no info about me cuz i wasn’t 18 on 2009.

      • Dissent - April 4, 2016

        So this is data from 2009?

        • Leaked Turkish - April 5, 2016

          yep, it’s from 2009, this db leaked 2 times before (in this year and a few years ago) as encyripted. Encyripted version can be use with its Delphi written program named Sorgu.exe
          Someone decyripted the table and leaked it 3. time.

    • Anonymous - April 6, 2016

      i can definetly verify too. mine, my mom’s my bf’s, my boss’ are correct too…

  2. kør - April 4, 2016

    Looks like old data to me. The entry I checked is at least a couple of years old.

  3. Zzz - April 4, 2016

    How can we reach the data

  4. Ata - April 5, 2016

    phising 😉

    • Dissent - April 5, 2016

      Do you have specific knowledge that phishing was used or are you guessing? If you have specific knowledge or proof, please contact me via encrypted email or contact me on Wickr at pwr2016.

  5. a - April 5, 2016

    if u are interested in the database: [deleted]

    • Dissent - April 5, 2016

      There’s already a link to the paste in the story, and I try to avoid links in comments, as later on, they can become malicious, etc.

  6. John Doe - April 5, 2016

    > An IP lookup places the IP in Iceland, with the owner as Flokinet Ehf, website: twistednetworks.net.

    Not sure what IP whois tool are you using, but it must be one of the crappiest ever.
    First: the IP is located in Romania
    Second: that twistednetworks.net has nothing to do with the hosting company Flokinet Ehf. It’s very obvious in the IP whois or even if you do a simple google search, that the host website is https://www.flokinet.is

    Please check your facts carefully.

    • Dissent - April 5, 2016

      Noooo idea how that happened, and I’ll try to find the site again because those were the results from that site, but thanks for pointing out the error. Have corrected the post now.

      • John Doe - April 5, 2016

        thumbs up for correcting it so quickly 🙂

        • Dissent - April 5, 2016

          I know I will make mistakes on this blog, although to be wrong on an IP lookup after 17 years of looking up IP addresses is somewhat astonishing. But yeah, I will always issue a correction if an error is pointed out to me. No silent deletes, either. Public self-flogging is in order when I screw up. 🙂

  7. nope - April 5, 2016

    Data is correct but somehow old – this does not change fixed information like parent’s name or national ID
    The one who let hackers got this should do a suicide
    But they won’t even quit their jobs

    • Dissent - April 5, 2016

      Attempts by the govt to minimize the public leak by declaring it an “old story” or “old allegations” are despicable. Even if it is an old hack, identity info doesn’t change (as you note), and making this all publicly available puts people at risk. Whether a fuller database was ever for sale on some forum or not, more people are now seeing it, able to access it conveniently, and misuse it.

  8. kør - April 5, 2016

    The data is, as far as we got with our research, no older than 2008 but not newer than 2012. We will look further.

    • kør - April 5, 2016

      2008 – 2011 …I don’t know if we get it any better. We checked the records of more than 10 different people from all big cities for their topicality.

      • Dissent - April 5, 2016

        If there are data from 2011, that would mean that it’s not the previously leaked data. The commenter “noname :)” says his data weren’t in there as he hadn’t turned 18 by 2009. If 2010, 2011 data were in there, he should have found himself. Hmmm…

        • kør - April 5, 2016

          No that is not what I said. We found data that would be valid inbetween 2008 and 2011. So it cannot be older than 2008 but also not newer than 2011. 2009 is plausible here.

          • Dissent - April 5, 2016

            Ah, ok, I misunderstood, I guess. Thanks for clarifying.

  9. someone - April 5, 2016

    It’s a shame for Turkey that (Turkish Transportation, Communication and Maritime Affairs) Minister still sits on that chair and yet to resign.

    This is total weakness and not fit for the job if most important personal public information is somehow (?) leaked.

    Having said that, even if the data is very very old, everyone who can read this, knows this data belongs roughly 2009. Population of Turkey was 72.561.312 in 2009 and it was 78.741.053 last year (url to Wikipedia deleted). Change is 6 million since then. This makes that data is valid and accurate at least 92.5% accurate and correct !

  10. Anonymous - April 6, 2016

    site name??? or ip

    • Dissent - April 6, 2016

      Did you look at the paste or link to it? It’s in the story.

  11. Özdemir - April 6, 2016

    Fuck 🙁

  12. Özdemir - April 6, 2016

    I live in Turkey and this has all the correct credentials. These are the information of the people who have voted.

    • Dissent - April 6, 2016

      According to your govt, this is not a new leak. So where was the public outcry and investigation back in 2010 and 2015? Did the general public not know about this all then? I had covered some of it in 2010 here: http://www.databreaches.net/15-released-pending-trial-in-massive-id-theft-in-turkey/ and more than one year ago here: http://www.databreaches.net/weak-state-servers-breach-causes-mass-identity-theft-in-turkey-over-50-million-citizens-identity-info-stolen/

      So why are the Turkish people finding this so shocking now?

      • uluyanboga - April 7, 2016

        Its an old story. The reason why the public is so shocked about this info is now they can easily seach and find their info. At 2010 this database was released in corrupted sql form. You have to fix it and to make it searchable you should know sql language. So not many people can do this. And ofcouse meantime the goverment is very good at fogging, hiding info such as this one. In such cases the government creates news for public to direct their attention to another point. Now the database is indexed and served to people in easily searchable , understandable interface such as https://thanksgiving.who.ec/ . Public enters the website seaches themselves and gets shocked. The difference after six years is UI.

Comments are closed.