Stats: 3,189,237 members, 7,936,802 topics. Date: Sunday, 01 September 2024 at 12:05 AM

NIN Data Breach: Hacker Present Evidence Against NIMC - Crime - Nairaland


NIN Data Breach: Hacker Present Evidence Against NIMC by o123456789(m): 3:17pm On Jul 22
I hacked the National Identity Management Commission of Nigeria to demonstrate the habitual lack of cyber security of the commission, and I was able to bring in a new revelation that not only the NIN data of Nigerians are poorly secured but also the confidential files and data of all organizations that are licensed to use the NIMC verification/tokenisation platform are poorly secured by NIMC. This exposé shows numerous verifiable vulnerabilities of NIMC as evidence.

NB: This exposé was done within the ambit of the law, Cyber crime act 2024.

INTRODUCTION
On 3–16–2024, the media reported that a website known as expressverify was monetising the recovery of national identity numbers (NIN) and personal information of Nigerians from the National Identity Management Commission (NIMC) database.
Furthermore, other websites like expressverify were identified; they include idfinder.com.ng, verify.ng, championtech.com.ng, trustyonline.com, and anyverify.com.
In all these data breaches NIMC stated that there was no data breach on any of its systems or databases; instead NIMC blamed Nigerians for giving out their information by submitting their NIN and other personal information to these fraudulent websites, which the commission tagged “data harvesters”.

NIMC, via its director of IT/IDD, Lanre Yusuf, said on Arise television that “NIMC is foolproof against any cyber attack”, and there was never any successful hacking of its systems before.
(See: https://www.youtube.com/watch?v=G1cMZo0nJUE?si=mgO0uub)
Co-founder of Recital Finance, Bobola Ojo-Ami, stated, “Technically, it is easy to assume that there is a breach, but what seems to be happening here is a proliferation of illegal entries from third-party sources”.
(See: https://punchng.com/nimc-facing-multiple-unauthorised-accesses-to-nin-data-stakeholders/).
The Nigerian police certified that NIMC is highly secure and there was no data breach.
(See: https://punchng.com/nimc-database-secure-police/).
AUTHOR’S STAND ON THIS MATTER
I, Ayanbe Francis Uzezi, a patriot, am here to set the records straight by acting for myself and on behalf of the public to demonstrate via hacking that the data of Nigerians and third-party agents are not safe with NIMC, because NIMC systems were hacked and the commission operates one of the most insecure clusters of IT infrastructures in the world. I rate NIMC zero in relation to cyber security.
For many years, and still ongoing, NIMC has been faced with multiple and persistent cyber security attacks and breaches, because NIMC is prone to millions of cyber security vulnerabilities, which the commission denies. The concept of data harvesters is incorrect and misleading, because from a layman's perspective, it is impossible for a data harvesting website to capture the entire NIN data of all Nigerians, because not all Nigerians have access to or use the internet. Even if it is possible, who will update the website of the data harvesters? Or will any Nigerian that just got registered for NIN be instructed to give his or her data to these sites? I am asking these questions because the databases of those websites monetizing the NINs of Nigerians are up-to-date, thereby signaling data breaches. So the assertion that Nigerians are the ones that gave out their NIN data to data harvesting websites is incorrect. There is no compromise from third-party agents; the breaches were due to direct unauthorized access to NIMC systems. Before I go into details I want to let the whole world know that not all Nigerians are novices when it comes to cyber security matters. I am saying this against the backdrop that some technology business owners and even the Nigerian police certified that NIMC is highly secure, without any form of verifiable or comprehensive evidence to back up these certifications.

EVIDENCE OF NIMC VULNERABILITIES.
NIMC has 72 servers in Abuja, Nigeria, according to the cyber security search engine Shodan (https://www.shodan.io/search?query=isp%3A%22National+Identity+Management+Commission%22). Shodan lists these systems alongside their precise location metadata and vulnerabilities (https://www.shodan.io/host/102.219.223.252). This is against the assertion of Lanre Yusuf, director of IT, NIMC, that all their systems are highly secure; in fact, this NIMC server (https://www.shodan.io/host/102.219.223.250) is vulnerable to over 1,000 vulnerabilities. Even the most painful part is that this server is vulnerable to a 2006 vulnerability, and the security implication is that over the years old vulnerabilities have countless numbers of exploits that are mainly free to get.
Note that when shodan.io does not list any vulnerability alongside a system, it doesn’t mean that the system is secure, because Shodan only lists vulnerabilities based on two criteria, namely the version name and version number of a particular service, protocol or component. E.g. one NIMC server (https://www.shodan.io/host/102.219.223.247) is running a software called “Network time protocol version 3” that is obsolete and highly vulnerable, but this vulnerability was not listed by shodan.io, meaning expertise is needed to spot other vulnerabilities not listed by Shodan. The impact of this vulnerability is that if exploited an attacker can disable all encryption of all NIMC servers, because server encryption is based on certificates and certificates are based on time. Network time protocol is used to synchronize time to all computers in a data center.
This negates the assertion of Lanre Yusuf director of IT NIMC, that NIMC uses the highest form of encryption.
The 72 NIMC servers in Abuja, Nigeria, are used to store API keys, host websites and proxy to other cloud servers in Germany, UK & USA etc.
When a request is made to the NIMC server here in Abuja, either you will get an API key or the server will forward your request to the cloud servers around the world, then the server in Abuja will also return the response it got from these servers. This is against the assertion of the NIMC director of IT that all NIMC servers are hosted in Abuja, when he was questioned by Rufai Oseni of Arise TV. (See https://www.youtube.com/watch?v=G1cMZo0nJUE?si=mgO0uub).

PROOF OF CONCEPT
In cyber security, after a vulnerability is identified the next thing is a proof of concept that contains what you were able to do with this vulnerability, to serve as evidence of your claim. Although a step-by-step demonstration of how I was able to hack NIMC servers is supposed to be in this proof of concept, I will not add it to this exposé, so as to stay safe in the path of law.
I will display some hacked files but I will partially redact any sensitive part of these files. Some of the things I was able to lay my hands on inside NIMC servers include, but are not limited to, the following:
1. I have in my custody, the entire NIN database.

2. I have API keys, source codes and security keys. (See: https://drive.google.com/file/d/11Z6iOTL4wyqOgARnUVUKILu3jnxXElpg/view?usp=drivesdk)

3. I also have in my custody, sensitive and confidential files of both NIMC and all companies, organizations and businesses, both private and government owned, that have direct access to NIMC Tokenisation system.
These files include emails, memos, CVs of job seekers, Corporate Affairs Commission (CAC) registration documents, CAC certificates, tax clearance certificates, data protection policy documents, financial audit report documents, request for authorization to NIMC NIN verification system documents, NIN/passport numbers of company directors, usernames of admin/contact persons of various organizations on the NIMC verification system etc. These files are exclusively from NIMC servers.

Affected companies and organizations include:
1. Yellow card.
2. Quidax global.
3. Binance
4. Hcwallet (fastcent or fastcoin).
5. Gtbank (Gtco).
6. Zenith bank.
7. Taj bank.
8. Titan trust bank.
9. Premium trust bank.
10. Wema bank.
11. 9payment PSB.
12. Fairmoney bureau de change.
13. Opay (paycom).
14. Fairmoney MFB.
15. FBN quest.
16. FCMB MFB.
17. Sagamu MFB.
18. Nomba.
19. SunTrust bank.
20. Now now.
21. Latfad multi ventures.
22. Gotok technology.
23. Elta solutions.
24. Orauku MFB.
25. Uni technology.
26. Spytech security guard (Based in presidential villa Abuja).
27. .
28. Chams holding.
29. Doja technologies.
30. Telecomsxchange.
31. Access bank.
32. Fidelity bank.
33. Jaiz bank, and many more.
Download this PDF file containing some redacted files I just mentioned. I displayed a small sample and redacted them for privacy reasons. (Download https://drive.google.com/file/d/11Z6iOTL4wyqOgARnUVUKILu3jnxXElpg/view?usp=drivesdk)

NOTE: In 2022 a hacker named Sam claimed he hacked the NIMC database and got a huge cache of juicy files (See https://saharareporters.com/2022/01/10/exclusive-hacker-breaks-nimc-server-steals-over-three-million-national-identity-number), so for the avoidance of doubt and speculation, no file in this report was sourced from him or any other hacker. In fact, the dates on the files in this report of mine span way back beyond 2022 up to 2024.

IMPACT OF VULNERABILITIES/HACKED FILES
1. An attacker can conduct account takeover of any company or organization with direct access to the NIMC verification/tokenisation platform.

2. An attacker can generate the entire NIN database within 24 hours without any form of authentication.

3. An attacker can sell the hacked documents of third-party agents on the black market, thereby exposing these organizations to impersonation, intellectual property theft, disrepute, phishing attacks, aiding of corporate wars and even kidnapping of company owners with ease.

4. An attacker can conduct a SIM swap attack against any Nigerian.

5. An attacker can modify the NIMC database.

6. An attacker can open a fake corporate account.

7. An attacker can bypass security checks with a fake but verifiable NIN.

THE RISKS OF HOSTING DATA IN CLOUD
1. In case of data breaches, it is very difficult to secure a cloud system, only a few functionalities are available.

2. So many cloud hosting providers have vulnerable systems by design and outdated applications, e.g. the cloud provider of NIMC, called Digital Ocean, runs a cloud storage called Spaces bucket, and it has no log functionality, according to the Digital Ocean website (https://docs.digitalocean.com/reference/api/spaces-api), meaning there is never any record whatsoever if the data stored in this cloud storage is accessed, even when a malicious actor accessed the files. There is also no inventory functionality, meaning no record of uploaded or deleted files. And there is no MFA functionality. AT&T telecom of the USA recently witnessed a staggering data breach that affected almost all its customers due to an insecure cloud server. (See: https://foundation.mozilla.org/en/privacynotincluded/articles/att-had-a-huge-data-breach-heres-what-you-need-to-know/)

3. With an emergency data request (EDR) from any police or government agency, any cloud provider can submit sensitive information on its servers. Mind you, malicious threat actors now spoof EDR requests to get quick access to confidential information.

4. A staff or owner of the cloud data center can copy or manipulate files without hindrance.

CAUSES OF NIMC CYBER INSECURITIES
Incompetence and corruption are a dangerous combo, and this combo is responsible for the cyber insecurities in NIMC. Confidential internal documents I got from NIMC servers point to a particular organization called “Common Identity” and an individual called “Chinedum Echendu”. Now, who are Common Identity and Chinedum Echendu? Chinedum Echendu is the lead software developer at Common Identity, an Abuja-based software development company. NIMC gave the contract of setting up all its servers and development of all its IT infrastructures, including websites and software, to Common Identity, so automatically Chinedum Echendu is the lead software developer for NIMC, but the problem here is that this lead software developer called Chinedum Echendu is incompetent and NIMC is aware. There is an Isoko adage that says “When the source of a river is dirty and bad, then the rest of the entire river can never be clean or good for human consumption”. Another secret document from the NIMC server is a report where Common Identity company admitted, and I quote, “Various errors were experienced in production even after remote testing exercises were performed during development environments.
Sprint tasks were assigned on the fly, and bugs were resolved as they were raised. This method of work seemed more reactive than proactive and hence posed issues such as task context switching and sprints aimed at product maintenance, instead of product improvement”.
The above quoted statement means that there is no effective way of catching bugs before making a system live in Common Identity Ltd.
In the heat of data breach allegations against NIMC in June 2024, the lead software developer called Chinedum Echendu, when making a comment on a topic at LinkedIn.com, repeated the same statement of incompetence in the document submitted by his company (Common Identity Ltd) to NIMC, and I quote, “Building projects actually exposes you a lot of real life scenarios. You will get bugs and different errors and you will learn. Make sure these projects are live. They are proud moments” (See https://www.linkedin.com/advice/0/what-do-you-want-explore-job-roles-opportunities-programming-0tj3f and
https://ng.linkedin.com/in/chinedum-echendu-4b029b14b). So it is now clear that incompetence and corruption are a very dangerous combo, because if not for corruption, a developer that is proud of errors, bugs and vulnerabilities in a production/live system is not supposed to handle the development of NIMC IT infrastructures. Anybody in doubt of the exact identity of this lead developer should visit this Shodan link and search for his name (https://www.shodan.io/host/164.92.179.237); this server is a critical NIMC server that has been running on an expired server certificate since August 2023. Another error is that this developer is diverting email messages meant for NIMC to his personal email, which is a security breach, but my question is: who will detect all these loopholes in NIMC and all other government IT infrastructures in Nigeria? And even if detected, who will take action by way of sanction? The executive, legislature and judiciary are the ones to answer these questions.
Incompetence and corruption if not killed will kill Nigeria.

RECOMMENDATIONS
1. The Office of the National Security Adviser must contact me for a robust talk, towards securing the nation’s critical assets/infrastructures, because there are other government agencies with various degrees of cyber insecurity.

2. NIMC should get in touch with me so as to map a way forward, with a view to securing its IT infrastructures.
Reliance on software developers for cyber security is a wrong step to take; an expert is needed and I am ready to serve my country.

3. All companies and organizations using the NIMC verification/tokenisation platform should contact me, so that we can talk about the future of their leaked sensitive corporate files/data.

4. The Federal Government of Nigeria must take cyber security seriously. Agencies like NIMC, EFCC, NIA, DSS, NITDA, NCC, ICPC, CBN, NDPC, NPF, ngCert, NIBSS, and the Nigerian army etc. must each have a real cyber security director with proven expertise, not a mere political appointee or thug as we have it today. Advanced nations don’t joke with cyber security, because modern secret service and spying depend largely on it.

5. Chinedum Echendu, the developer at Common Identity Ltd., should not see the author of this report as his enemy; instead he must critically study this report and amend his shortcomings. Your perception of celebrating errors in programming is a big turn-off for potential employers.

Source: https://medium.com/@AyanbeFrancisUzezi/nin-data-breach-2024-why-i-hacked-nimc-by-ayanbe-francis-uzezi-885216780dcb
And
https://drive.google.com/file/d/11Z6iOTL4wyqOgARnUVUKILu3jnxXElpg/view?usp=drivesdk

2 Shares

Re: NIN Data Breach: Hacker Present Evidence Against NIMC by ThinkSmarter: 4:00pm On Jul 22
Ethical hacker If you know, you know
Re: NIN Data Breach: Hacker Present Evidence Against NIMC by freemanq(m): 4:03pm On Jul 22
Are we really safe?
Re: NIN Data Breach: Hacker Present Evidence Against NIMC by Shomek(m): 6:09pm On Jul 22
Nice one sir I really need to know you better.
Re: NIN Data Breach: Hacker Present Evidence Against NIMC by o123456789(m): 6:55pm On Jul 22
Shomek:
Nice one sir I really need to know you better.
You can check my profile for my WhatsApp number, then message me.

1 Like 1 Share

Re: NIN Data Breach: Hacker Present Evidence Against NIMC by Shomek(m): 7:53pm On Jul 22
o123456789:

You can check my profile for my WhatsApp number, then message me.
That's nice.
Re: NIN Data Breach: Hacker Present Evidence Against NIMC by Shomek(m): 7:55pm On Jul 22
Nlfpmod Front page
Can this really get to front page ?
Re: NIN Data Breach: Hacker Present Evidence Against NIMC by o123456789(m): 8:06pm On Jul 23
For those having difficulty downloading from https://drive.google.com/file/d/11Z6iOTL4wyqOgARnUVUKILu3jnxXElpg/view?usp=drivesdk, permission to download the leaked file is now set to public. Thanks.
