Mexico's massive government hack: what you need to know

On January 30, 2026, a hacktivista group called Chronus published something alarming: 2.3 terabytes of data stolen from 25+ Mexican government institutions. This isn't just another data breach. It's one of the largest government hacks in Latin American history, and it affects 36 million people—roughly 28% of Mexico's entire population.

If you have any connection to Mexico (you live there, you're an expat, you file taxes there, you have family there), this matters to you. Here's what happened and what you should do about it.

What got hacked

The Chronus Group didn't just target one agency. They hit the big ones. According to El Universal, the stolen data came from SAT (Mexico's tax authority), IMSS-Bienestar (social protection services), the Education Ministry (SEP), the Health Ministry, and dozens of state and municipal governments.

They even grabbed the Morena political party's membership database.

What was stolen

This is where it gets serious. The hackers got:

• Your national ID number (CURP)—think of it like Mexico's version of a Social Security number, but even more critical
• Your tax ID (RFC)
• Your home address
• Medical records and clinical data
• Voter IDs and voting information
• Fiscal information and financial records
• QR codes tied to your identity

TV Azteca reported that 30.7 million tax records from SAT were exposed. IMSS-Bienestar lost 1.8 terabytes of social protection data. And the Instituto Nacional de Perinatología had 494,000 clinical records leaked.

If your CURP and RFC are out there, scammers can impersonate you, open fake accounts, file fraudulent tax returns, or apply for loans in your name. It's identity theft on an institutional scale.

How did this even happen?

This is the infuriating part. According to cybersecurity expert Víctor Ruiz from SILIKN, the government's systems were using old, never-deactivated credentials that were over 20 years old. No two-factor authentication. No mandatory password rotation. No network segmentation to stop hackers from moving freely between systems.

Basically, it's like leaving your front door unlocked for two decades and being shocked when someone finally walked in.

The government's response (and why experts disagree)

The ATDT (Mexican cybersecurity authority) initially claimed that no "sensitive data" was actually published. But experts like Víctor Ruiz immediately called them out. When your national ID numbers and medical records are floating around on the dark web, that's pretty much the definition of sensitive data.

Scams are coming

Here's what to expect in the weeks and months ahead: phishing emails pretending to be from government agencies asking you to "verify your account." Text messages claiming you've won a prize and need to provide personal information. Calls from "tax authorities" demanding payment. Scammers will use the real information they have about you to make their pitches more convincing.

The first rule: the government never asks for your CURP, RFC, or bank details via email, phone, or text. Never. If you get a message like that, it's a scam.

What you should do right now

Check your accounts. Log into your bank, email, and any other accounts connected to your identity. Look for suspicious activity. Change your passwords and enable two-factor authentication everywhere it's available.

Watch for fake messages. Be extra skeptical of unsolicited texts and emails. Don't click links in messages you weren't expecting. When in doubt, contact the organization directly using a number you know is real.

Consider a credit freeze. If you're really concerned about identity theft, contact your bank about freezing your credit.

Stay informed. Read our master article about Mexican data breaches for ongoing updates and resources. And if you want to understand why traditional security measures fail, check out our guide on why blocking scam numbers doesn't actually work.

The Chronus hack is a wake-up call. But you're not helpless. Stay alert, trust your gut, and don't engage with unsolicited messages asking for your personal information.