Data breach | Resolved

Chilean Joint Chiefs of Staff (EMCO) Guacamaya leak

The hacktivist group Guacamaya breached the Chilean armed forces' Estado Mayor Conjunto, exfiltrating over 400,000 emails from 162 military accounts spanning a decade and exposing sensitive national-defense intelligence and operational documents.

Victim: Estado Mayor Conjunto (EMCO)
Records: 400.0K
Users: 162
Threat actor: Guacamaya
CVE: CVE-2021-40539

In September 2022, the hacktivist collective Guacamaya disclosed a sweeping breach of Chile's Estado Mayor Conjunto (EMCO) — the Joint Chiefs of Staff responsible for the armed forces' intelligence, operations, and logistics — leaking a decade of military email and exposing some of the country's most sensitive defense material.

What happened

Guacamaya exfiltrated the contents of 162 EMCO email accounts, yielding more than 400,000 messages sent and received between 2012 and May 2022, with the bulk concentrated from 2018 onward. The leak was released to journalists and published in collaboration with investigative outlets including Chile's CIPER and the DDoSecrets transparency consortium.

According to the hackers, a Chilean cybersecurity company had warned EMCO of an exploitable vulnerability in August 2021, but the agency "chose to leave it open." The intrusion is widely associated with the exploitation of an unpatched flaw in internet-facing infrastructure — consistent with the Zoho ManageEngine ADSelfService Plus vulnerability (CVE-2021-40539) that Guacamaya used against several Latin American military and government targets in the same campaign.

What was exposed

The trove included highly sensitive operational documents, among them EMCO reports sent in 2021 and early 2022 to the Defense Minister detailing the daily security situation in the Biobío and La Araucanía regions — including deployed troop numbers, operational vehicles, patrol locations, critical-infrastructure protection points, and event reports. Internal correspondence on intelligence, procurement, and inter-service coordination was also exposed.

Part of a regional campaign

The EMCO breach was one chapter in Guacamaya's massive "Fuerzas Represivas" release, which dumped terabytes of data stolen from military and police institutions across Mexico, Peru, El Salvador, Colombia, and Chile. The group framed its actions as anti-imperialist hacktivism aimed at exposing state repression and the militarization of Latin America, declaring it would hand the data "to those who can legitimately do something with this information."

Why it matters

The Guacamaya leak was an unprecedented compromise of Chilean national-security information and triggered a political crisis: it contributed to the resignation of the head of the Joint Chiefs of Staff and intensified scrutiny of the armed forces' cyber hygiene. The most damning detail — that EMCO had been warned of the vulnerability more than a year earlier and declined to remediate it — made the incident a defining example of how unpatched, internet-exposed enterprise software can hand an entire defense apparatus to hacktivists. It accelerated Chile's push toward a national cybersecurity framework and dedicated state cyber-defense capabilities.

Timeline

  1. A Chilean cybersecurity firm reportedly warns EMCO of an exploitable vulnerability; the agency leaves it unpatched.

  2. Guacamaya's exfiltration of EMCO mailboxes captures messages up to this date, the most recent in the trove.

  3. Chilean outlet CIPER and the consortium reveal Guacamaya breached EMCO, exposing over 400,000 emails from 162 accounts.

  4. Guacamaya publicly claims the attack as part of its 'Fuerzas Represivas' release against Latin American militaries and police.

  5. Investigative reporting reveals the hackers say EMCO 'chose' not to fix the flaw that enabled the intrusion.

Sources

  1. ciperchile.cl: https://www.ciperchile.cl/2022/09/22/hackeo-masivo-al-estado-mayor-conjunto-expuso-miles-de-documentos-de-areas-sensibles-de-la-defensa/
  2. es.wikipedia.org: https://es.wikipedia.org/wiki/Hackeo_al_Estado_Mayor_Conjunto_de_Chile_de_2022
  3. biobiochile.cl: https://www.biobiochile.cl/especial/bbcl-investiga/noticias/reportajes/2022/09/28/hablan-hackers-revelan-que-estado-mayor-conjunto-eligio-no-reparar-falla-que-posibilito-ataque.shtml
  4. expansion.mx: https://expansion.mx/mundo/2022/09/30/hackeo-ejercito-chile-guacamaya
