Saudi Games 2024 Iran-Linked Cyber Fattah Leaks 6,000+ Participant Records

Jun 1, 2025 · State-sponsored

MEDIUM

By Karim El Labban · ZERO|TOLERANCE

On June 23, 2025, the pro-Iranian hacktivist group Cyber Fattah publicly released more than 6,000 participant records from the Saudi Games 2024 via Telegram channels.

The data had been exfiltrated through unauthorized access to the event's phpMyAdmin backend and included passport scans, national ID images, medical fitness certificates, bank account details, and IT staff credentials.

The SQL database dump was created on May 5, 2025, indicating the attackers maintained access for nearly seven weeks before public disclosure.

01

KEY FACTS

  • What: Iran-linked Cyber Fattah leaked Saudi Games 2024 participant data.
  • Who: Over 6,000 athletes, officials, and event staff.
  • Data Exposed: Passport scans, medical certificates, IBANs, and IT credentials.
  • Outcome: Exploited via unsecured phpMyAdmin; faces PDPL penalties up to SAR 3M.

02

WHAT HAPPENED

The compromise began no later than May 5, 2025, when the SQL database dump was created - a timestamp embedded in the exfiltrated data itself.

The pro-Iranian hacktivist group Cyber Fattah accessed the Saudi Games 2024 website's phpMyAdmin interface, a web-based database administration tool that was either entirely unsecured or protected by default credentials.

phpMyAdmin, when exposed to the public internet without authentication, provides direct SQL query access to every table in the underlying database. The attackers required no advanced tooling, no exploitation framework, and no zero-day vulnerability.

They accessed a management interface that should never have been reachable from outside the internal network.

Once inside the database, the attackers extracted the full participant dataset: passport scans, national ID images, medical fitness certificates, bank account details (IBANs and statements), IT staff credentials including administrative usernames and passwords, and government official email addresses.

The SQL dump indicates a methodical extraction of structured data rather than a smash-and-grab operation.

The attackers maintained access for nearly seven weeks - from at least May 5 to the public disclosure on June 23, 2025 - without detection by the event's IT team or any security monitoring system.

On June 23, 2025, Cyber Fattah published the complete dataset via Telegram channels. The group operates as a pro-Iranian hacktivist collective with a history of targeting Saudi and Gulf state entities as part of the broader Iran-aligned cyber operations ecosystem.

The choice to publish on Telegram rather than a dark web marketplace indicates the primary motivation was geopolitical embarrassment and intelligence collection rather than financial gain.

The exposure of passport scans and national IDs of over 6,000 Saudi athletes and officials serves Iranian intelligence objectives by documenting the identities, health status, and financial details of prominent Saudi nationals.

03

WHAT WAS EXPOSED

  • Passport scans and national identity card images for over 6,000 athletes, officials, and event staff
  • Medical fitness certificates containing health status information
  • International Bank Account Numbers (IBANs) and bank statements
  • IT staff credentials including administrative usernames, passwords, and system access configurations
  • Government official email addresses associated with event coordination

The attack vector was remarkably unsophisticated. The Saudi Games 2024 website was running a phpMyAdmin installation that was either misconfigured or entirely unsecured, providing direct access to the underlying SQL databases without adequate authentication controls.

The attackers did not need zero-day exploits or advanced persistent threat capabilities; they walked through an unlocked door.

04

REGULATORY ANALYSIS

This breach falls within the active enforcement period of Saudi Arabia's Personal Data Protection Law (PDPL), which began September 14, 2024. Article 16 designates biometric data, health data, and financial data as sensitive personal data requiring enhanced protections.

The unauthorized disclosure of sensitive personal data carries a maximum penalty of SAR 3 million (~$800,000 USD).

Article 14's requirement for appropriate technical and organizational security measures is particularly damning when the attack vector was an unsecured phpMyAdmin installation. The geopolitical dimension also engages Saudi Arabia's Anti-Cyber Crime Law.

05

ZERO|TOLERANCE Advisory

An unsecured phpMyAdmin installation on a public-facing website gave a hacktivist group direct SQL access to passport scans, medical records, bank account details, and IT credentials for over 6,000 Saudi nationals.

The attackers maintained access for nearly seven weeks without detection. The attack required no malware, no exploitation framework, and no technical sophistication beyond knowing how to navigate a web browser.

Every failure in this incident maps to a basic, well-documented security control that was absent.

The phpMyAdmin interface was accessible from the public internet. This is the root cause. Database administration interfaces must never be exposed to untrusted networks.

phpMyAdmin, Adminer, pgAdmin, and equivalent tools should be restricted to internal network segments or accessible only through VPN connections with multi-factor authentication.

Web Application Firewalls (WAFs) from Cloudflare, AWS WAF, or Imperva should block access to known administrative paths - /phpmyadmin, /adminer, /dbadmin - at the edge.

Even if the application firewall fails, network-level access control lists (ACLs) should restrict database management ports and paths to a whitelist of authorized IP addresses.

The difference between restricting phpMyAdmin to internal access and leaving it exposed to the internet is the difference between an application that requires physical or VPN presence to manage and an application that anyone on the planet can query.

The exposed phpMyAdmin instance either had no authentication or was protected by default credentials.

Database administration tools must enforce unique, complex credentials rotated on a regular schedule, with access governed by Privileged Access Management (PAM) platforms such as CyberArk or BeyondTrust.

PAM solutions inject credentials into administrative sessions without exposing them to the administrator, meaning the credentials are never stored in browser histories, configuration files, or plaintext documents where they can be harvested.

Multi-factor authentication must be required for all database administrative access - a TOTP authenticator app at minimum, FIDO2 hardware security keys for any system storing biometric or financial data.

The attackers maintained access for seven weeks. No security monitoring system detected the unauthorized database sessions, the SQL queries extracting passport scans and financial records, or the data exfiltration.

Security Information and Event Management (SIEM) platforms - Splunk, Microsoft Sentinel, or Elastic Security - must ingest database access logs and alert on anomalous query patterns: bulk SELECT operations against tables containing personal data, queries from unrecognized IP addresses, and access outside normal administrative hours.

Database Activity Monitoring (DAM) solutions from Imperva or IBM Guardium provide an additional layer by monitoring all SQL statements at the database level and alerting on bulk data extraction attempts.

Seven weeks of undetected access is not a monitoring gap - it is the absence of monitoring entirely.
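The three anomaly patterns named above (bulk SELECTs against personal-data tables, sessions from unrecognized addresses, and access outside administrative hours) can be expressed as simple rules run over database access logs. The following is an added illustration, not code from the article or from any SIEM vendor; the log layout, table names, trusted address ranges and admin hours are all assumed, and the sample lines are constructed to resemble the extraction the article describes.

```python
import re
from datetime import datetime

# Constructed sample log in an assumed "<ISO time> <user>@<ip> <SQL>" layout (not a vendor format).
SAMPLE_LOG = """\
2025-05-05T02:14:03 admin@203.0.113.7 SELECT * FROM participants
2025-05-05T02:14:20 admin@203.0.113.7 SELECT * FROM passports
2025-05-05T02:15:01 admin@203.0.113.7 SELECT * FROM bank_accounts
2025-05-05T02:15:40 admin@203.0.113.7 SELECT username, password FROM it_staff
2025-05-06T10:02:11 admin@10.0.0.5 SELECT name FROM participants WHERE id = 42
2025-05-06T10:05:30 admin@10.0.0.5 UPDATE participants SET status = 'ok' WHERE id = 42
"""

# Assumed environment facts: PII tables, internal admin source ranges, normal admin hours (local).
PII_TABLES = {"participants", "passports", "medical_certificates", "bank_accounts", "it_staff"}
TRUSTED_NETS = ("10.", "192.168.")
ADMIN_HOURS = range(8, 19)

LINE_RE = re.compile(r"^(\S+) (\S+)@(\S+) (.*)$")
TABLE_RE = re.compile(r"\bFROM\s+`?(\w+)`?", re.IGNORECASE)

def parse(line):
    ts, user, ip, sql = LINE_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "sql": sql.strip()}

def alerts_for(event):
    """Return the names of the detection rules that fire for one parsed log event."""
    fired = []
    upper = event["sql"].upper()
    match = TABLE_RE.search(event["sql"])
    table = match.group(1).lower() if match else None
    # Whole-table read of personal data: a SELECT with no WHERE clause against a PII table.
    if upper.startswith("SELECT") and "WHERE" not in upper and table in PII_TABLES:
        fired.append("bulk_select_pii")
    # Administrative session originating outside the trusted internal ranges.
    if not event["ip"].startswith(TRUSTED_NETS):
        fired.append("untrusted_source_ip")
    # Access outside normal administrative hours.
    if event["ts"].hour not in ADMIN_HOURS:
        fired.append("off_hours_access")
    return fired

def scan(log_text):
    """Map line number -> fired rules; several rules on one session is the strongest signal."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        fired = alerts_for(parse(line)) if line.strip() else []
        if fired:
            findings[n] = fired
    return findings
```

On the constructed log, the four night-time whole-table reads from the external address trigger all three rules at once, while the scoped daytime queries from the internal range trigger none; in a real deployment these rules would be fed by the database's own query log or a DAM agent rather than a text file.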

The exposed data included IT staff credentials - administrative usernames, passwords, and system access configurations stored in the database.

Credentials stored in a database alongside the data they protect mean that a single database compromise delivers both the data and the keys to every other system those credentials unlock.

Credentials must be stored in dedicated identity management systems with bcrypt, scrypt, or Argon2id hashing, never in application databases alongside operational data.

The IT credentials exposed in this breach must be assumed compromised across every system where they were reused - and in the absence of a password manager enforcing unique credentials per service, reuse is the default human behavior.

06

SOURCES

Resecurity, Infosecurity Magazine, The Hacker News, Dark Reading, Security Affairs, DataBreaches.net
