Alleged Data Leak of Rouzbeh Educational Complex Exposes 202,383 Records Including Student and Employee Social Security Numbers, Passwords, and National IDs
Incident Overview
A threat actor going by 0BITS has uploaded a partial database leak from Rouzbeh Educational Complex, an Iranian educational institution. The actor states that the original breach dates back to June 2023 and exposed records belonging to both employees and students, totaling 202,383 records. The data has been published as a free download for registered forum members.
The actor explicitly labeled this as a partial leak, providing a partial file (130MB uncompressed, 69MB compressed) and referencing a full leak of 1GB compressed. The compromised data fields are extensive and include:
- Personal Identifiers: Full names, email addresses, mobile numbers, home numbers, and family member details.
- Government IDs: Social security numbers and national ID numbers, which are high-value identity theft targets in any country.
- Credentials: Usernames and passwords.
- Identity Documents: ID photos tied to individual records.
- Financial Data: Invoices and transaction IDs.
- Institutional Data: Birth dates, attendance records, location data, and status information.
The combination of social security numbers, national IDs, passwords, and ID photos in a single dataset makes this leak particularly dangerous for identity fraud. Because the victim is an educational institution, a significant portion of the affected individuals are likely students, potentially including minors. The data is distributed in CSV format, which makes it easy to parse and exploit.
