A Bangladeshi government website leaked the personal information of citizens, including full names, phone numbers, email addresses and national ID numbers.
Viktor Markopoulos, a researcher who works for Bitcrack Cyber Security, said he accidentally discovered the leak on June 27, and shortly after contacted the Bangladeshi e-Government Computer Incident Response Team (CIRT). He said the leak includes data of millions of Bangladeshi citizens.
Bangladesh’s government took down the exposed data on Sunday, according to Markopoulos.
TechCrunch was able to verify that the leaked data is legitimate by using a portion to query a public search tool on the affected government website. By doing this, the website returned other data contained in the leaked database, such as the name of the person who applied to register, as well as — in some cases — the name of their parents. We attempted this with 10 different sets of data, which all returned correct data.
TechCrunch is not naming the government website because the data is still available online, according to Markopoulos, and we haven’t heard back from any of the Bangladeshi government organizations that we emailed asking for comment and alerting of the data exposure.
In Bangladesh, every citizen aged 18 and older is issued a National Identity Card, which assigns a unique ID to every citizen. The card is mandatory and gives citizens access to several services, such as getting a driver’s license, passport, buying and selling land, opening a bank account, and others.
Bangladesh’s CIRT, the government’s press office, its embassy in Washington, D.C. and its consulate in New York City did not respond to requests for comment.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Markopoulos said finding the data “was too easy.”
“It just appeared as a Google result and I wasn’t even intending on finding it. I was Googling an SQL error and it just popped up as the second result,” he told TechCrunch, referring to SQL, a language designed for managing data in a database.
The exposure of email addresses, phone numbers and national ID card numbers is bad on its own, but Markopoulos said that having this type of information could also “be used in the web application to access, modify, and/or delete the applications as well as view the Birth Registration Record Verification.”
Additional reporting by Jagmeet Singh.
Correction: A previous version of this story referred to the Bangladeshi e-Government Computer Incident Response Team with the acronym CERT. In fact, the correct acronym is CIRT. This story was updated after the leak was resolved.
Do you have information about similar leaks or data breaches? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@alltechnewstime.com. You can also contact TechCrunch via SecureDrop.
