On April 27th 2025, an anonymous user on DarkForums tried to sell a database allegedly containing the data of over 10 million Movistar Venezuela users. I first learnt about this through Twitter, and then spent the next few days lurking on DarkForums gathering info.
At first, the anonymous user posted a sample of just 1000 records, which wasn’t enough to really confirm the veracity of their claims. However, a couple of days later they released a big chunk of data to the public. So, as we usually do in VE sin Filtro when these kinds of incidents happen, we started to investigate.
Unfortunately for me, the data dump occurred after midnight in Europe, so I ended up staying up well past 3:00 am. I spent the next few hours making sure the data was legit, and not just some randomly generated garbage. Obviously, it turned out to be real or I wouldn’t be writing this today.
For those who are unfamiliar with Venezuelan national IDs, they are just sequential integer numbers that go from 1 (hi, Medina Angarita) to over the 35 million mark. Every registered Venezuelan should have a unique ID, or cédula de identidad (yes, I know this is not entirely true in practice due to government incompetence, but this is completely irrelevant to what I’m talking about here today).
As you can see, because of their nature, Venezuelan IDs aren’t meant to be confidential. Before the government decided to take down the CNE (Consejo Nacional Electoral) website after the 2024 presidential elections, it was possible to look up personally identifiable information of any Venezuelan registered to vote, including their local voting center. As a fun fact, since my mother has always been paranoid, and rightfully so, I didn’t register to vote near my home but instead I used to Pokémon-go-to-the-polls in a completely different area of Caracas.
Anyways, back to the Movistar leak.
The threat actor uploaded a 450 MB CSV file containing 4.376.106 rows. Each individual record in the database contained the following: national ID, full name, phone number, city, user ID, billing account ID. The number of unique national IDs found in the leak was 3.252.600.
I quickly noticed that each data entry represented a unique user and phone number pair. This means that the same phone number could appear several times in the database, but tied to different users each time. Usually mobile service providers reuse phone numbers when a client stops paying for their line, so it’s normal that they get reassigned to other people and therefore we see the same numbers.
Thankfully the data was organized, unlike the Digitel leak from 2024, which made everything easier. Once I confirmed that the national IDs and the names matched, I started looking at phone numbers from people I know IRL. Every single Movistar phone number in my contact list that appeared in the leak correctly matched the owner of said number. I also did some OSINT work to see if other records matched with the expected owner. I got help from other people in the team for this crosschecking task (except for Andrés, who was conveniently doomscrolling with his notifications turned off that night).
I know that at this point I only had a very small subset of verified phone numbers compared to the huge size of the leak; however, it was very convincing evidence that the whole thing was real. We also analyzed other patterns in the data such as national ID frequency and distribution, and we noticed that the publicly available leak didn’t contain any national IDs ranging from 4.000.000 to 16.000.000.
[GRAPH]
We also checked the geographical distribution of the users in the database, and it matches pretty accurately with the population density in Venezuela.
[GRAPH]
Note: There aren’t any Movistar offices in Vargas, so it makes sense that the leaked database shows 0 users from that state. Shout-out to my friend M for confirming that La Guaira queda lejos.
Once I was 99.99% sure the data was real, I reached out to other colleagues in the digital rights space. Every single time a match popped up in the database, the information related to the user was accurate, even the billing account IDs. This type of information is only available to users and Movistar itself, so the fact that we were able to cross-check data from the leak with real user account information was the final confirmation we needed.
We’ve had this idea for a while of creating a Have I Been Pwned clone but for Venezuelan data breaches. The never-ending pile of work I have always got in the way of actually building anything meaningful, but I finally decided to stop whining about it and just ship it (I hate when I sound like a tech bro).
I’m not great at web development; my strengths have always lain somewhere else. However, the task was very simple and seemed pretty straightforward, right? (right??). I took this opportunity to hop on the vibe coding train, but I had to make sure that this thing was secure and reliable enough.
Before I even wrote a line of code, the first thing I did was clean up the database and break the relation between data types, making sure it’s not possible to link a phone number to any other personal information. The idea is to have a list of cédulas and phone numbers as keys, whose value is a list of all the breaches they were found in. As of May 2025, only the Movistar leak has been added to the DB, but I’m planning to add data from other public leaks such as the Digitel one from 2024.
I decided to use Redis as the database and ended up with over 5.8 million individual records.
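A sketch of the unlinking step described above, as an added example rather than the site's actual code: each row is split into independent cédula and phone keys whose only value is a set of breach names. The column names, the `ci:`/`tel:` key prefixes, the digit-only normalisation, the breach label and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
import random

# Constructed sample rows; column names are assumed, not the leak's real header.
SAMPLE_CSV = """national_id,full_name,phone,city,user_id,billing_account_id
V-1234567,Persona Uno,0414-5550001,Caracas,u1,b1
1234567,Persona Uno,04145550002,Caracas,u2,b2
7654321,Persona Dos,0414 555 0001,Maracay,u3,b3
"""

def digits(value):
    """Keep only digits so 'V-1234567' and '1234567' map to the same key (assumed rule)."""
    return "".join(ch for ch in value if ch.isdigit())

def build_index(csv_text, breach, index=None):
    """Return {key: set(breach names)}; no key or value joins an ID to a phone."""
    index = {} if index is None else index
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Names, cities, user IDs and billing account IDs are dropped here.
        for prefix, field in (("ci", "national_id"), ("tel", "phone")):
            ident = digits(row[field])
            if ident:
                index.setdefault(f"{prefix}:{ident}", set()).add(breach)
    return index

def redis_commands(index, rng=random):
    """Emit SADD commands in shuffled order so a load log keeps no row adjacency."""
    cmds = [f"SADD {key} {b}" for key, bs in index.items() for b in sorted(bs)]
    rng.shuffle(cmds)
    return cmds

def lookup(index, kind, raw):
    """Answer 'which breaches contain this cédula or phone?' and nothing else."""
    return sorted(index.get(f"{kind}:{digits(raw)}", ()))

if __name__ == "__main__":
    idx = build_index(SAMPLE_CSV, "movistar-2025")
    print(len(idx), "keys from 3 rows")
    print(lookup(idx, "ci", "V-1.234.567"))
    print("\n".join(redis_commands(idx)))
```

Because the values are sets, a reassigned phone number that appears in several rows still produces a single key, and loading a second leak only adds another breach name to keys that already exist.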
Now that I
I have a lot to talk about regarding Movistar/Telefónica. They aren’t just one of the biggest internet censors in Venezuela just after the state-owned CANTV, but they have been wreaking havoc in Spain for the last few months by blocking thousands of IP addresses every time there is a damn soccer match. Yes, IP addresses, not domains. They are blocking IPs from Cloudflare, Vercel, GitHub… you name it. It’s insane to me that legal actions haven’t been successful at stopping this madness, but I don’t expect anything else when the Spanish government owns %% of the company. Real mafioso behavior.
Besides internet blocks, Movistar also collaborates with the Maduro regime by giving it information about their Venezuelan users. Telefónica admitted handing over data of over 5 million cellphone lines, which represents 20% of their total user base in the country. We covered this in 2023, and since then they have stopped talking about Venezuela in their “transparency” reports altogether.
I’m planning on talking more about Telefónica in the future, but for now let me just end with: fuck them.