Alleged Breach of Daryn Online Exposes 4 Million User Records From Kazakhstan's Largest Education Platform
Quick Facts
Incident Overview
A threat actor going by Shinchan claims to be selling a full user database from Daryn Online, one of Kazakhstan's largest online education platforms. Launched in 2019 and backed by Bugin Holding, the platform offers 28 different educational services including school curriculum support, national exam preparation (ENT/UBT), robotics courses, and art programs, reportedly serving over 3.5 million active users across the region.
The actor is selling the complete dataset only, with no partial sales available. The listing specifies that the following data fields are included:
- Personal Information: First names, last names, and birthdates for each user account.
- Contact Data: Phone numbers and email addresses.
- Credentials: Passwords, remember tokens, email hash tokens, and mobile tokens, which could allow direct account takeover if the tokens are still valid.
- Profile Data: Avatar URLs and associated profile details.
- Scale: Approximately 4 million user records totaling over 1GB of data.
The inclusion of authentication tokens alongside passwords makes this listing particularly dangerous. Even if passwords have been changed, valid remember tokens or mobile tokens could still grant access to user accounts without needing the updated credentials. Given that the platform's user base consists largely of students, many of the affected individuals are likely minors. The actor provided data proof screenshots and sample records to demonstrate authenticity, and is directing buyers to contact them via Telegram or Session for pricing.
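The mitigation for the token risk described above is to store only digests of remember and mobile tokens and to revoke all of a user's tokens whenever the password changes. The sketch below is an added example, not code from Daryn Online or from the listing; `TokenStore`, `change_password`, the user IDs and the passphrase are hypothetical names and constructed sample values.

```python
import hashlib
import secrets


class TokenStore:
    """Hypothetical store for remember/mobile tokens; keeps only SHA-256 digests."""

    def __init__(self):
        self._rows = {}  # token digest -> (user_id, kind)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, kind):
        token = secrets.token_urlsafe(32)  # 256 random bits, handed to the client once
        self._rows[self._digest(token)] = (user_id, kind)
        return token

    def validate(self, token):
        row = self._rows.get(self._digest(token))
        return row[0] if row else None

    def revoke_all(self, user_id):
        stale = [d for d, (uid, _) in self._rows.items() if uid == user_id]
        for d in stale:
            del self._rows[d]
        return len(stale)

    def stored_values(self):
        """What a copy of the table would contain: digests, never raw tokens."""
        return set(self._rows)


def change_password(store, credentials, user_id, new_password):
    """Store a salted PBKDF2 hash, then revoke every token issued to the user."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000)
    credentials[user_id] = (salt, pw_hash)
    return store.revoke_all(user_id)


if __name__ == "__main__":
    store, credentials = TokenStore(), {}
    web = store.issue("student-1", "remember")   # constructed sample users
    app = store.issue("student-1", "mobile")
    other = store.issue("student-2", "remember")
    print("revoked:", change_password(store, credentials, "student-1", "constructed-passphrase"))
    print("old tokens:", store.validate(web), store.validate(app))
    print("other user:", store.validate(other))
```

With this design a forced password reset also ends every existing session for that user, and a copied token table holds digests that cannot be replayed as tokens.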

