
June 23, 2026
An 8 GB SQL database archive has been leaked online, exposing sensitive student records, institutional identifiers, and emails. The incident highlights critical security gaps in public-facing educational platforms and the immediate danger of secondary credential abuse attacks across enterprise environments.


Attack chain at a glance:
Reconnaissance: Scanning campus and forum subdomains
Initial access: Exploiting Moodle flaws or testing Office 365 credentials
Collection: Mapping schema tables and extraction
Staging: Packaging the database into a RAR file
Exfiltration: Exfiltrating 8 GB of data to an external server
This original source is hosted on the Tor network. Use Tor Browser to open it, and treat the forum as untrusted while reviewing the post.
Onion URL
http://pwnfrm7rbf6kyerigxi677lcz5ifmoagdbqqknwdu2by27wfdst5qmqd.onion/Thread-DATABASE-%E2%AD%90-Fresh-Database-Virtual-University-of-C%C3%B4te-d-Ivoire-UVCI-Free
An 8 GB compressed RAR archive containing 163,569 indexed rows of sensitive database records has been exfiltrated and leaked on an underground forum, representing a severe exposure of institutional data. The dump, distributed under the filename uvci.edu.ci.rar, exposes a structured relational database containing student account credentials, institutional identifiers, email addresses, and phone numbers. Security researchers identify the affected platform as the Virtual University of Côte d'Ivoire (UVCI), with the primary target assets pointing directly to the institution's public-facing Learning Management System (LMS) and forum systems. This breach underscores a growing threat landscape in which public sector and academic entities are targeted for their rich stores of user credentials and personal identifiers. Posting such a database on an underground forum hands malicious actors immediate material for credential stuffing, targeted phishing campaigns, and secondary business email compromise (BEC) attacks. For enterprise defenders, analyzing the mechanics of this breach provides critical insight into the importance of securing external-facing applications and proactively auditing domain exposures.
Analyzing adversary behavior through standardized frameworks allows enterprise defenders to map defensive controls directly to known threat techniques. The tactics and techniques identified in this compromise include:
Initial Access (T1190): Exploit Public-Facing Application: Exploiting vulnerabilities in the Moodle platform or the academic web forums to bypass standard authorization checks.
Initial Access (T1078): Valid Accounts: Utilizing compromised administrative or developer credentials acquired from dark web markets or info-stealer logs.
Credential Access (T1110): Brute Force: Targeting student and faculty portal authentication mechanisms to identify weak or default password schemes.
Collection (T1213): Data from Information Repositories: Accessing internal database structures containing user directories, email tables, and personal identifier registries.
Exfiltration (T1567): Exfiltration Over Web Service: Compressing the relational SQL dump into a single RAR archive (the archiving step itself maps to T1560, Archive Collected Data) and transmitting it to external hosting environments.
To understand the operational impact of this incident, security teams must examine the target infrastructure and the potential pathways utilized by the threat actor. The Virtual University of Côte d'Ivoire operates a central Learning Management System powered by Moodle, mapped to the subdomain campus.uvci.edu.ci. Additionally, the university maintains online registration and discussion forums hosted at profere.uvci.edu.ci. These subdomains host database backends that process authentication requests and store sensitive student schemas.
Security analysis suggests that the threat actor likely leveraged one of two primary intrusion vectors to extract the database. The first vector is the exploitation of unpatched vulnerabilities within the public-facing LMS or discussion forum software. Learning management systems and open-source forums often suffer from input validation flaws, including SQL Injection (SQLi) and broken access control. In a classic SQLi scenario, an attacker supplies crafted input through a web form or URL parameter that the application concatenates into a query, so the backend database executes attacker-chosen statements that reveal table structures and return their contents.
The second likely vector is credential abuse, including the use of compromised Office 365 accounts. Databases containing valid active credentials for UVCI users have historically been observed circulating on illicit dark web shops. If an administrative or developer account was compromised via info-stealer malware or credential stuffing, the attacker could log into administrative consoles, bypass perimeter defenses entirely, and export relational tables directly using native database tools.
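The SQLi vector described above, as an added example that is not code from the original post, from UVCI, or from Moodle: a string-concatenated query beside its parameterized fix, run against an in-memory SQLite database with constructed rows. The table and column names (mdl_user, forum_posts) and the payloads are assumptions chosen for illustration; the second payload shows the schema-enumeration step, the third the credential pull that follows it.

```python
"""
Added example (not from the original post or from Moodle): a minimal
reproduction of the SQL-injection vector, using sqlite3 with constructed
sample rows. Table and column names are assumptions for illustration.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a throwaway database resembling a small LMS (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE mdl_user (
            id INTEGER PRIMARY KEY,
            username TEXT,
            password TEXT,  -- a real LMS stores a hash; placeholder values here
            email TEXT
        );
        INSERT INTO mdl_user (username, password, email) VALUES
            ('student1', '$2y$10$hashA', 'student1@example.edu'),
            ('admin',    '$2y$10$hashB', 'admin@example.edu');
        CREATE TABLE forum_posts (id INTEGER PRIMARY KEY, author_id INTEGER, subject TEXT);
        INSERT INTO forum_posts (author_id, subject) VALUES (1, 'Welcome');
        """
    )
    return conn


def search_posts_vulnerable(conn: sqlite3.Connection, subject: str) -> list:
    """The flaw: untrusted input is spliced into the SQL text itself."""
    sql = f"SELECT subject FROM forum_posts WHERE subject = '{subject}'"
    return conn.execute(sql).fetchall()


def search_posts_safe(conn: sqlite3.Connection, subject: str) -> list:
    """The fix: the input travels as a bound parameter, never as SQL syntax."""
    return conn.execute(
        "SELECT subject FROM forum_posts WHERE subject = ?", (subject,)
    ).fetchall()


# Stage 1 of the chain in the text: enumerate the schema through the injection point.
# (sqlite_master is SQLite's catalog; on MySQL the equivalent is information_schema.)
SCHEMA_PAYLOAD = "x' UNION SELECT name FROM sqlite_master WHERE type='table' --"
# Stage 2: pull credentials out of the user table discovered in stage 1.
CREDS_PAYLOAD = "x' UNION SELECT username || ':' || password || ':' || email FROM mdl_user --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, schema:", search_posts_vulnerable(db, SCHEMA_PAYLOAD))
    print("vulnerable, creds: ", search_posts_vulnerable(db, CREDS_PAYLOAD))
    print("safe, creds payload:", search_posts_safe(db, CREDS_PAYLOAD))
```

The `--` at the end of each payload comments out the closing quote the application appends, which is why the injected UNION survives. The parameterized version returns nothing for the same payload because the whole string is compared as a literal subject value.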
A typical execution chain for an exfiltration attack of this scale involves a structured methodology. While the specific tools used by the threat actor have not been detailed in public reports, the sequence generally follows these technical phases:
Reconnaissance: The threat actor scans the target domain, mapping out critical subdomains such as the virtual campus, the virtual library, and the registration portals to identify active entry points.
Vulnerability Probing: Automated scanners identify unpatched code paths, missing access validation controls, or active SQL Injection entry points in the web applications.
Database Enumeration: Once an entry point is validated, the attacker uses specialized database exploitation tools to map database schemas, identify administrative tables, and dump credential hashes.
Exfiltration: The extracted SQL databases are compiled and compressed into a single RAR archive (uvci.edu.ci.rar) to reduce transfer size and to blend a single large upload in among other outbound traffic during egress.
Monetization and Leakage: The compressed archive is uploaded to underground forums or shared via secure communication channels, making the data accessible to secondary cybercriminals.
While this incident primarily impacts an educational institution in Côte d'Ivoire, the broader implications for international enterprises are significant. Educational databases are highly sought after by threat actors because they contain personal records that feed the wider cybercrime economy. For example, student credentials are often reused across corporate, financial, and personal applications, exposing organizations to credential stuffing. Academic email accounts are also prized targets for social engineering. Threat actors use compromised accounts to build lists of trusted senders, and because established academic domains usually carry a good sender reputation, phishing sent from a compromised university mailbox is more likely to pass reputation-based filtering and reach corporate inboxes. This enables attackers to send convincing invoices, payroll change requests, or malware links directly to corporate targets.
To mitigate these cascading risks, security teams must proactively identify and secure all digital assets. Comprehensive Attack Surface Management helps enterprises discover unknown public-facing applications and unpatched vulnerabilities that could otherwise serve as initial access points. If you suspect that your domain or corporate credentials may have been exposed in recent leaks, a proactive diagnostic assessment is critical. Use FemtoSec's Dark Web Scanner to check dark web mentions, compromised account indicators, malware log signals, public breach exposure, and recent underground market activity for your domain.
Detecting and validating database compromise attempts requires a combination of log auditing, network monitoring, and behavioral analysis. Security operations centers (SOCs) should implement specific detection logic to catch database probing and exfiltration activities before data leaves the network.
First, web server logs for public applications must be audited for suspicious patterns. Security teams should look for SQL syntax in URL parameters and POST bodies (decode URL encoding before matching, since scanners routinely encode quotes and spaces), unauthorized requests to sensitive endpoints, and high-frequency requests originating from Tor exit nodes or anonymizing VPNs. Automated scanners often present distinctive user-agent strings that a web application firewall (WAF) can flag, though a careful operator will change them, so the request pattern matters more than the string.
Second, database access and audit logs must be monitored for anomalous administrative queries. Reads of entire user tables, copies of massive result sets, and native backup or export commands should trigger high-priority alerts. If these activities occur outside scheduled maintenance windows or originate from addresses other than the application tier, they must be treated as active exfiltration attempts.
Third, network teams must monitor for unusual outbound data volumes. An 8 GB compressed RAR archive is a significant transfer, and thresholds that alert on gigabyte-scale outbound connections to unrecognized external addresses can let teams interrupt exfiltration in progress. Because an attacker can split the archive into smaller parts, aggregate bytes per destination over a window rather than alerting only on single large flows.
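The three detection signals above, as an added example that is not code from the original post: a web-access-log scanner (URL-decoding before pattern matching), a database audit-record check, and an egress-volume check, each run over constructed sample records embedded in the block. The log layouts, thresholds, maintenance window, scanner user-agent list and address allowlists are assumptions chosen for illustration and must be tuned to a real environment.

```python
"""
Added example (not from the original post): detection logic for SQLi probing,
bulk database reads/exports, and gigabyte-scale egress, over constructed
sample records. All thresholds and field layouts are assumptions.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache/nginx combined-format access log lines.
ACCESS_LOG = """\
203.0.113.5 - - [23/Jun/2026:02:11:01 +0000] "GET /mod/forum/search.php?search=x%27%20UNION%20SELECT%20name%20FROM%20information_schema.tables-- HTTP/1.1" 200 5123 "-" "sqlmap/1.7"
203.0.113.5 - - [23/Jun/2026:02:11:02 +0000] "GET /mod/forum/search.php?search=x%27%20OR%201%3D1-- HTTP/1.1" 200 5123 "-" "sqlmap/1.7"
198.51.100.7 - - [23/Jun/2026:02:12:10 +0000] "GET /course/view.php?id=12 HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jun/2026:02:11:03 +0000] "POST /login/index.php HTTP/1.1" 302 0 "-" "sqlmap/1.7"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SQLI_RE = re.compile(r"(union\s+select|information_schema|sqlite_master|or\s+1=1|'\s*--)", re.I)
SCANNER_UAS = ("sqlmap", "nikto", "acunetix", "nmap")  # assumption: common scanner UAs
REQUESTS_PER_IP_THRESHOLD = 3  # assumption: set from the site's real per-IP baseline


def scan_access_log(text: str) -> dict:
    """Per-IP findings: SQLi-looking parameters, scanner UAs, request bursts."""
    findings = {"sqli": set(), "scanner_ua": set(), "burst": set()}
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        ip = m["ip"]
        per_ip[ip] += 1
        decoded = unquote_plus(m["path"])  # decode before matching (%27 -> ')
        if SQLI_RE.search(decoded):
            findings["sqli"].add(ip)
        if m["ua"].lower().startswith(SCANNER_UAS):
            findings["scanner_ua"].add(ip)
    for ip, n in per_ip.items():
        if n >= REQUESTS_PER_IP_THRESHOLD:
            findings["burst"].add(ip)
    return findings


# Constructed database audit records (field layout is an assumption).
DB_AUDIT = [
    {"user": "moodle_app", "src": "10.0.1.20", "hour": 14, "rows": 1,
     "sql": "SELECT * FROM mdl_user WHERE id = ?"},
    {"user": "moodle_app", "src": "10.0.1.20", "hour": 2, "rows": 163569,
     "sql": "SELECT * FROM mdl_user"},
    {"user": "root", "src": "203.0.113.5", "hour": 2, "rows": 0,
     "sql": "SELECT * FROM mdl_user INTO OUTFILE '/tmp/u.csv'"},
]
APP_SOURCES = {"10.0.1.20"}   # assumption: addresses of the application tier
MAINT_WINDOW = range(22, 24)  # assumption: 22:00-23:59 is scheduled maintenance
BULK_ROWS = 10_000            # assumption: rows per statement that count as a bulk read
DUMP_RE = re.compile(r"\b(INTO\s+OUTFILE|mysqldump|pg_dump|LOAD\s+DATA)\b", re.I)


def audit_db_events(events: list) -> list:
    """Return (user, src, reasons) for suspicious statements outside maintenance."""
    alerts = []
    for e in events:
        reasons = []
        if e["rows"] >= BULK_ROWS:
            reasons.append("bulk read")
        if DUMP_RE.search(e["sql"]):
            reasons.append("native dump/export")
        if e["src"] not in APP_SOURCES:
            reasons.append("non-app source")
        if reasons and e["hour"] not in MAINT_WINDOW:
            alerts.append((e["user"], e["src"], reasons))
    return alerts


# Constructed per-destination byte totals over a window: (dst_ip, bytes_out).
FLOWS = [("10.0.1.30", 5 * 2**30), ("198.51.100.200", 8 * 2**30), ("192.0.2.9", 120 * 2**20)]
KNOWN_EGRESS = {"10.0.1.30"}  # assumption: e.g. the offsite backup target
EGRESS_BYTES = 1 * 2**30      # assumption: 1 GiB per destination per window


def flag_egress(flows: list) -> list:
    """Destinations that received gigabyte-scale data and are not on the allowlist."""
    return [dst for dst, n in flows if n >= EGRESS_BYTES and dst not in KNOWN_EGRESS]


if __name__ == "__main__":
    print(scan_access_log(ACCESS_LOG))
    print(audit_db_events(DB_AUDIT))
    print(flag_egress(FLOWS))
```

Aggregating flow bytes per destination before calling flag_egress is what catches an archive split into parts; the single-flow version of the same rule would miss it.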
To protect complex environments from database exfiltration, organizations must adopt a defense-in-depth posture. Rather than relying solely on perimeter defenses, security teams should focus on isolating databases, validating inputs (parameterized queries rather than string-built SQL), and enforcing the principle of least privilege across all user tiers. Regular security validation is recommended to identify code flaws before they are exploited: targeted vulnerability assessments confirm that web application instances, content management systems, and backend servers are running updated, patched software, and continuous security reviews help expose logical gaps in application access control.
For ongoing credential risk, integrating Dark Web Monitoring allows enterprise teams to receive alerts whenever corporate credentials, domain names, or internal databases appear on illicit forums. Rotating compromised credentials immediately neutralizes the actor's access before lateral movement occurs.
Finally, strict database isolation is essential. Databases hosting sensitive user records should never be reachable from the public internet. Web application servers should reach database instances only through isolated network zones, using least-privilege accounts that permit the specific transactions the application needs (typically SELECT, INSERT and UPDATE on its own tables) rather than schema administration or file export rights, so that a compromised web tier or an injected query cannot dump the entire database.