Uzbekistan is confronting allegations of a massive government data breach that may have compromised millions of citizens' personal information through the country's centralized OneID authentication system.
The alleged breach, first reported on cybersecurity forums in late January 2026, claims that hackers gained access to the "master key" of Uzbekistan's OAuth login system—the digital gateway used to access government services including the Ministry of Internal Affairs, social protection records, mortgage databases, and health information.
In Central Asia's heartland, ancient Silk Road cities navigate modern challenges of water, borders, and development. Now, rapid digitalization brings new vulnerabilities as Uzbekistan accelerates its e-government transformation.
The breach allegedly exposes highly sensitive personal data including citizens' PINFL numbers—the 14-digit national identification code fundamental to identity verification—along with names, exact home addresses, phone numbers, salary information, and mortgage details. If authentic, the leaked data could enable sophisticated identity theft and financial fraud.
"If a bad guy has your PINFL and your passport number—both of which seem to be in this leak—they can try to impersonate you to get microloans or bypass security on banking apps that use MyID for verification," warned a security analysis posted to the Uzbekistan subreddit.
The alleged compromise represents a systemic vulnerability in Uzbekistan's centralized digital infrastructure. Because OneID serves as the authentication backbone for multiple government systems, a single breach could cascade across ministries—a domino effect that highlights the risks of centralized digital identity systems in developing economies.
Rumors of government database compromises circulated as early as December 2025, focused on police systems. The government officially denied those claims at the time. However, by January 2026, cybersecurity experts were flagging millions of cyberattacks targeting Uzbekistan's digital infrastructure, according to reports from Kun.uz.
The authenticity of the breach remains unverified. Some security analysts have questioned whether the leaked data is genuine or fabricated, and spot checks of purportedly leaked information have failed to confirm individual records. It's also possible the incident involves an insider threat rather than an external hack—someone with authorized access creating panic by releasing or fabricating data.
Current security protocols may limit immediate damage. Most Uzbekistan banking and government systems now employ two-factor authentication, meaning attackers would need physical access to victims' phones to execute serious fraud. The real threat lies in social engineering attacks—scammers using leaked personal details to impersonate bank officials or government agencies in phone calls, leveraging authentic information to build trust before requesting additional credentials or payments.
Cybersecurity experts recommend that Uzbekistan citizens change their OneID passwords immediately, remain vigilant against unsolicited calls from purported officials, and never share verification codes or additional personal information over the phone—even if callers recite accurate PINFL numbers or addresses.
The incident underscores broader questions about e-government security in Central Asia. As nations across the region accelerate digital transformation to improve government efficiency and reduce corruption, they face mounting pressure to secure centralized systems that, when compromised, can expose entire populations.
Uzbekistan has pursued ambitious digital reforms under President Shavkat Mirziyoyev, who has championed economic opening and modernization since taking office in 2016. The OneID system represents a cornerstone of that digital agenda, enabling citizens to access government services through a single authentication portal.
But the alleged breach reveals the double-edged nature of digital centralization. While unified systems can streamline bureaucracy and reduce opportunities for petty corruption, they also create single points of failure with catastrophic potential when security is compromised.
For Uzbekistan—a nation of 35 million navigating the delicate balance between rapid modernization and institutional capacity—the incident serves as a stark reminder that digital infrastructure requires not just ambition but robust cybersecurity frameworks, transparent incident response protocols, and sustained investment in protecting citizens' data.
Whether this breach proves authentic or not, the episode highlights the urgent need for developing nations to prioritize cybersecurity alongside digitalization—or risk undermining public trust in the very systems designed to modernize governance.
