A recent post on a cybercrime forum has drawn attention after a threat actor identified as HFMTM claimed to have published the complete database of GoBus, one of Egypt’s transportation booking platforms.
According to the threat actor, the alleged data was obtained within the past two weeks and includes a 16 GB SQL database containing information on approximately 1 million users, including email addresses, phone numbers, hashed passwords, and customers’ ride histories. The actor also claims to have released an additional 4 GB archive containing internal documents related to drivers and employees.
Unlike many cybercrime incidents where threat actors only claim to possess stolen data, the actor in this case has published what they claim is the complete dataset. However, the authenticity of the files and their attribution to GoBus have not been independently verified, and no public statement from the company confirming or denying the claims had been identified at the time of publication.
If the published data is genuine, the impact could extend beyond exposing contact information. Ride histories may reveal travel habits, frequently visited destinations, and travel schedules. Combined with email addresses and phone numbers, this information could enable highly convincing phishing, identity fraud, and other social engineering attacks.
For example, an attacker could contact a customer claiming there was a problem with a recent GoBus trip or that a refund is being processed, then request a one-time password (OTP) or payment details. Because the caller may already know details about the customer’s journey, the request could appear legitimate.
The dataset is also claimed to include hashed passwords. While hashing provides an additional layer of protection, weak passwords may still be cracked, and passwords reused across multiple services could expose users to credential stuffing attacks, allowing attackers to test the same credentials on email, banking, shopping, or social media accounts.
Even when an alleged breach has not been independently confirmed, cybercriminals often exploit public attention surrounding such incidents to launch phishing emails, text messages, and fraudulent phone calls.
Individuals who have used the platform are encouraged to:
- Monitor official communications from GoBus for updates.
- Be alert for phishing attempts, especially unexpected calls, emails, or SMS messages about trips, refunds, or account verification.
- Never share passwords, OTPs, or payment information with anyone.
- Change reused passwords and enable multi-factor authentication (MFA) wherever available.
- Avoid clicking links received through unsolicited messages.
Although this incident specifically concerns GoBus, the lessons apply to all online services. Until independent verification or an official statement becomes available, the reported breach should be treated as an unverified claim, while users remain vigilant against potential phishing and fraud attempts.
