Fake Government Portal Leaks Passports and Personal Documents of 1,100 Bangladeshis to Dark Web

By: Joahn G
Last updated: December 22, 2025
  • At least 1,100 citizens had their personal documents, including passports and national ID cards, exposed on a fake website mimicking a government authentication service.

  • The fake site had a critical security flaw that allowed anyone to access people’s private documents just by changing a number in the web address.

  • A government investigation identified six active fake domains impersonating official services, pointing to a broader problem of digital fraud and “sabotage.”

A fake website impersonating Bangladesh’s official e-Apostille service has leaked the sensitive personal documents of over 1,100 citizens. The data, left exposed online for months, includes passports, national ID cards, and marriage and educational certificates.

The bogus site trapped people seeking document verification for overseas travel or jobs. Digital security experts warn that the lapse exposes serious flaws in online data management and could trigger long-term identity theft and fraud.

How the System Exposed the Data

The leak happened through a cloned website designed to look exactly like the Bangladeshi government’s official “e-Apostille” service. This service helps folks get their important papers, like diplomas and marriage licenses, ready to use in other countries.

The fake site was convincing. It operated on a “.news” domain instead of the official “.bd” domain. People, often using intermediary shops or agencies, submitted their real documents and paid for the service, not knowing it was a scam.

Here’s the shocking part. The fake site stored all the submitted documents with a basic, dangerous flaw. The system assigned each file a simple, sequential number. By just changing that number in the web address, anyone could scroll through and view another person’s most private documents.

Cybersecurity experts identify this issue as a well-known vulnerability called Insecure Direct Object Reference (IDOR). It’s the digital equivalent of putting every citizen’s file in a row of unlocked cabinets, numbered 1 through 1,100. A simple technical fix could have prevented this entire leak.
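The flaw described above and its fix, as an added example (not code from the fake site or from this article): a constructed in-memory store with the sequential, unchecked lookup next to a per-owner authorization check. All class, method, user and file names are assumptions made for illustration.

```python
import secrets

class DocumentStore:
    """In-memory stand-in for a portal's upload storage (constructed data)."""

    def __init__(self):
        self._docs = {}      # reference -> {"owner": ..., "name": ...}
        self._next_id = 1    # sequential counter, used only by the weak path
        self.denied = []     # (user, reference) pairs kept for alerting

    # Weak pattern: the reference is a counter, so neighbours are guessable.
    def upload_sequential(self, owner, name):
        ref = str(self._next_id)
        self._next_id += 1
        self._docs[ref] = {"owner": owner, "name": name}
        return ref

    # Weak pattern: any caller who presents a valid number gets the file.
    def fetch_unchecked(self, ref):
        doc = self._docs.get(ref)
        return doc["name"] if doc else None

    # Hardened: 128-bit random reference, not derivable from another one.
    def upload_random(self, owner, name):
        ref = secrets.token_urlsafe(16)
        self._docs[ref] = {"owner": owner, "name": name}
        return ref

    # Hardened: the authorization check is what closes the IDOR; the
    # random reference is defence in depth only.
    def fetch_checked(self, session_user, ref):
        doc = self._docs.get(ref)
        if doc is None or doc["owner"] != session_user:
            self.denied.append((session_user, ref))
            return None  # same answer for "missing" and "not yours"
        return doc["name"]


def demo():
    store = DocumentStore()
    a = store.upload_sequential("alice", "alice_passport.pdf")
    b = store.upload_sequential("bob", "bob_nid.pdf")
    leaked = store.fetch_unchecked(b)          # alice's session, bob's file
    blocked = store.fetch_checked("alice", b)  # same request, with the check
    own = store.fetch_checked("alice", a)
    r = store.upload_random("bob", "bob_degree.pdf")
    return a, b, leaked, blocked, own, len(r), store.denied
```

The `denied` list is where a real service would feed its monitoring: a run of refused lookups from one session is the signature of someone walking through reference numbers.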

Victims Unaware and Experts Warn of Lasting Damage

The people affected had no idea their lives were exposed. When reporters contacted some of them, all confirmed the documents were real but were unaware they were publicly accessible. One woman became visibly distressed upon learning her personal information was online.

For these 1,100 people, the danger doesn’t end. Unlike a leaked password, you can’t change your passport number or your birth certificate.

Professor BM Mainul Hossain of Dhaka University explained, “Unlike a password, personal information cannot be changed once it leaks.” Once exposed, it essentially remains public forever. Should bad actors get hold of this data, they could use it to steal people’s identities and carry out money scams, and people’s safety would be in great danger.

This isn’t an isolated case. The government’s own investigation found six different fake websites impersonating its “myGov” and e-Apostille portals, which points to a systemic issue. The surge in spoofed government portals is a global challenge for digital public services.

Just last year, threat actors allegedly put the data of 50 million citizens from the national Covid vaccine system up for sale on the dark web. In a striking contrast to these criminal uses of the hidden internet, official agencies are also leveraging its anonymity for recruitment, as seen in the recent news that MI6 launched a dark web portal to recruit secret agents.

A Bangladeshi government official, Faiz Ahmad Taiyeb, called the cloning of sites an act of “sabotage” aimed at undermining public trust. He said that data belonging to tens of millions of Bangladeshis is circulating on the dark web and being used for such sabotage.

This event raises the question of whether online government services are secure enough for people to use. Bangladesh is putting more of its services online, so experts advise that protecting people’s personal information in line with global rules should be the priority. If people don’t trust the system, the whole idea of digital transformation fails.

About the Author

Joahn G

Cyber Threat Journalist

Joahn is a cyber threat journalist dedicated to tracking the evolving landscape of digital risks. His reporting focuses on ransomware gangs, data breach incidents, and state-sponsored cyber operations. By analyzing threat actor motives and tactics, he provides timely intelligence that helps readers understand and anticipate the security challenges of tomorrow.
