Breaches affecting 4 Vietnamese educational institutions:
This week’s Cyber Intelligence House Leak of the Week highlights breaches affecting 4 Vietnamese educational institutions:
– hcmct.edu.vn – Ho Chi Minh City College of Transport (HCMC)
– huflit.edu.vn – Ho Chi Minh City University of Foreign Languages – Information Technology (HUFLIT)
– mku.edu.vn – Cuu Long University (MKU), Vĩnh Long Province
– uah.edu.vn – University of Architecture Ho Chi Minh City (UAH)
Between August 4 and 6, 2025, datasets containing only .txt files were posted on BreachForums by user “Ls1jWohGKtwY0iZ2yU”:
– hcmct.edu.vn – leaked on 04/08/2025 at 07:23, 2 files (21.6 MB)
– huflit.edu.vn – leaked on 05/08/2025 at 10:35, 4 files (315.2 MB)
– mku.edu.vn – leaked on 04/08/2025 at 07:45, 2 files (68.9 MB)
– uah.edu.vn – leaked on 06/08/2025 at 05:10, 4 files (60.2 MB)
Each leak included text exports labelled for students, professors, and admissions records.
Interesting excerpts from the leaked data:
– HCMCT — rows exposing IDCard (national ID), full address, DOB, email/phone, and a PW field alongside ProfessorID records.
– HUFLIT — cmnd, Email, SDT, DiaChiLienLac; with row:
077302004811;anhthup503@gmail.com;0383761503;NV1= Quan hệ quốc tế.
– HUFLIT — StudentID, PW, Email; with rows where PW is a hash (e.g.,
001100; 3108a097a3a2de41a893c6613c106a76;0011001@st.huflit.edu.vn).
– MKU — multiple entries where StudentID equals PW (e.g., 0112046123; 0112046123@mku.edu.vn).
– UAH — faculty records including phone and email (e.g., dao.nguyenhong@uah.edu.vn; 0983.171.159; with department/role).
Supply Chain Risk:
File names and structures are highly similar across all breaches, with shared exports (e.g., vw-online-students.txt, vw-online-professors.txt) and identical field layouts. This suggests a common software platform or centrally hosted student system, potentially explaining the near-simultaneous exposures and pointing to systemic weaknesses.
Implications
For Individuals:
1. Identity theft – Exposed national ID numbers, birth dates, addresses, and contacts could be used to impersonate students or staff.
2. Account takeover risk – Weak or reused passwords, including the student ID used as the password, leave accounts open to takeover.
3. Targeted scams – Attackers could send fake offers using leaked program/course data.
For the targeted victims:
1. Regulatory exposure under Vietnam PDPA-style privacy rules.
2. Operational disruption from portal resets, incident response, and data validation.
3. Brand/reputation damage among students, parents, and partners.
Cyber Intelligence House’s Recommendations
• Reset affected accounts – reset passwords, block weak ones, and require MFA.
• End active sessions/tokens and remove old accounts.
• Secure portals – block automated attacks, limit login attempts, patch vulnerabilities, and remove exposed folders/files.
• Notify affected parties – warn on phishing and fake messages.
• Monitor for misuse – set alerts for domain abuse, block malicious links, and scan the dark web for resales.
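
As an added example (not Cyber Intelligence House's code), here is how an institution could apply the "reset passwords, block weak ones" recommendation to its own credential store: flag rows where the password equals the account identifier, as in the MKU excerpt, or is a bare 32-hex-character value like the one in the HUFLIT excerpt, and reject identifier-based passwords at reset time. The row layout, function names, 12-character minimum and the example.edu sample rows are assumptions constructed for illustration.

```python
import hashlib
import re

HEX32 = re.compile(r"[0-9a-f]{32}")

def identifiers(student_id, email):
    """Values a password must never equal or contain: ID, email, email local part."""
    values = (student_id, email, email.split("@", 1)[0])
    return {v.strip().lower() for v in values if v.strip()}

def audit_record(student_id, stored_pw, email):
    """Return findings for one stored credential row (empty list = nothing flagged)."""
    ids, pw = identifiers(student_id, email), stored_pw.strip().lower()
    # Assumption: "$..." is a salted modular-crypt hash ($2b$, $argon2id$) and is fine.
    if not pw or pw.startswith("$"):
        return []
    if pw in ids:
        return ["plaintext-equals-identifier"]
    if HEX32.fullmatch(pw):
        # Assumption: a bare 32-hex-character value is an unsalted MD5 digest.
        findings = ["fast-unsalted-hash-shape"]
        variants = [v for i in ids for v in (i, i.upper())]
        if any(hashlib.md5(v.encode()).hexdigest() == pw for v in variants):
            findings.append("hash-of-identifier")
        return findings
    return ["plaintext-stored"]

def check_new_password(candidate, student_id, email, min_len=12):
    """Reset-time policy: reject passwords built from the account's own identifiers."""
    lowered = candidate.lower()
    if any(i in lowered for i in identifiers(student_id, email)):
        return (False, "contains-identifier")
    if len(candidate) < min_len:
        return (False, "too-short")
    return (True, "ok")

# Constructed sample rows (StudentID, PW, Email); not taken from any leak.
SAMPLE_ROWS = [
    ("S0000001", "S0000001", "s0000001@example.edu"),
    ("S0000002", hashlib.md5(b"s0000002").hexdigest(), "s0000002@example.edu"),
    ("S0000003", "0123456789abcdef0123456789abcdef", "s0000003@example.edu"),
    ("S0000004", "violet-kettle-harbor-41", "s0000004@example.edu"),
]

def audit(rows):
    """Map each student ID to its findings so flagged accounts can be force-reset."""
    return {sid: audit_record(sid, pw, email) for sid, pw, email in rows}

if __name__ == "__main__":
    for sid, findings in audit(SAMPLE_ROWS).items():
        print(sid, findings)
```

Every account with a non-empty finding list should be force-reset and its stored credential migrated to a salted, slow password hash.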