The personal data of over one million Russian citizens was leaked. This data supposedly belongs to some of the voters who participated in the recent blockchain-based electronic vote on the constitutional amendments.
The file was available for everyone to download
According to research published by the Russian media outlet Meduza, a file entitled "degvoter.zip" containing such data was publicly available for download for at least several hours on 1 July via a government website. Since then, the file has been distributed through various groups and Telegram channels.
A bad start for Russia’s blockchain voting system shortly after it went online
The file was password-protected. According to the publication, however, it could easily be cracked with a free password-cracking tool.
Along with the archive, there was a password-protected database entitled "db.sqlite". This database allegedly contained passport numbers of more than one million voters in Moscow and Nizhny Novgorod, two cities in Russia where residents could cast their votes online. The system that allowed online voting was based on the blockchain platform Exonum developed by Bitfury.
Although the data was hashed with the SHA256 algorithm, reporters were supposedly able to decode it "very easily" using free software. That led them to the following conclusion:
"Considering the poor security and availability of the degvoter.zip file, the Russian government exposed the personal data of all electronic components in Moscow and Nizhny Novgorod to the public domain."
Russia: Blockchain-based electronic voting system hacked
The reporters reportedly cross-referenced the leaked data with the official service of the Ministry of the Interior to verify the validity of the passports. They found that more than four thousand passports registered for e-voting were not valid.
Since then, the Ministry of Digital Development, Communications and Media has commented on the investigation, saying that it excludes "any possibility of leakage", as the passwords were distributed through "secure data channels" and only to authorized personnel.
The agency also stressed that the passport numbers were encrypted and consisted of a sequence of characters obtained at random, or hash sums, and added:
"Hash sums are not personal data. The publication of random character sets cannot harm citizens."
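Whether a published hash sum protects the identifier behind it depends on how many inputs are possible and on whether a secret key is involved. The following is an added example, not code from the article or from the voting system. It assumes fixed-length decimal identifiers (5 digits here so the demo runs instantly; the real passport number format is not given on this page) and contrasts a plain SHA256 digest with a keyed HMAC-SHA256 pseudonym.

```python
import hashlib
import hmac
import math
import secrets

# Assumption for illustration: identifiers are fixed-length decimal strings.
# DIGITS is deliberately tiny; it is not the real passport number format.
DIGITS = 5


def plain_digest(identifier: str) -> str:
    """Unsalted SHA-256 of the identifier, i.e. a bare 'hash sum'."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_digest(key: bytes, identifier: str) -> str:
    """HMAC-SHA256 pseudonym; only the holder of `key` can recompute it."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def enumerate_space(target: str, digits: int = DIGITS):
    """Hash every possible identifier without any key.

    Returns the identifier whose plain digest equals `target`, or None.
    """
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if plain_digest(candidate) == target:
            return candidate
    return None


def keyspace_bits(digits: int) -> float:
    """Entropy, in bits, of a uniformly random decimal identifier."""
    return digits * math.log2(10)


if __name__ == "__main__":
    sample_id = "04217"              # constructed sample value
    key = secrets.token_bytes(32)    # secret kept by the data owner

    # Plain digest: the whole input space can be hashed and matched.
    print("plain digest  ->", enumerate_space(plain_digest(sample_id)))
    # Keyed digest: enumeration without the key finds no match.
    print("keyed digest  ->", enumerate_space(keyed_digest(key, sample_id)))
    # Even a 10-digit number carries only about 33 bits of entropy.
    print("10 digits     -> %.1f bits" % keyspace_bits(10))
```

The keyed variant only holds while the key stays secret and is stored separately from the published data.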