Alleged Breach of Daryn Online Exposes 4 Million User Records From Kazakhstan's Largest Education Platform
A threat actor known as Shinchan claims to have breached Daryn Online, Kazakhstan's largest education platform, exposing approximately 4 million user records totaling over 1GB of data. The compromised dataset includes personal information, contact details, passwords, and authentication tokens (remember tokens, email hash tokens, mobile tokens) that could enable direct account takeover even if passwords are changed. The breach is particularly concerning given that many affected users are students and minors, and the actor is actively selling the full database via dark web channels.
Full text
Dark Web Informer - Cyber Threat Intelligence
March 18, 2026 - 6:21:24 AM UTC

Quick Facts
- Date & Time: 2026-03-18 06:21:24 UTC
- Threat Actor: Shinchan
- Victim: Daryn Online (daryn.online)
- Industry: Education
- Category: Data Breach
- Alleged Records: ~4 Million Users
- Data Size: 1 GB+
- Price: Contact Seller
- Network: Open Web
- Country: Kazakhstan

Incident Overview
A threat actor going by Shinchan claims to be selling a full user database from Daryn Online, one of Kazakhstan's largest online education platforms. Launched in 2019 and backed by Bugin Holding, the platform offers 28 different educational services including school curriculum support, national exam preparation (ENT/UBT), robotics courses, and art programs, reportedly serving over 3.5 million active users across the region. The actor is selling the complete dataset only, with no partial sales available. The listing specifies the following data fields are included:
- Personal Information: First names, last names, and birthdates for each user account.
- Contact Data: Phone numbers and email addresses.
- Credentials: Passwords, remember tokens, email hash tokens, and mobile tokens, which could allow direct account takeover if the tokens are still valid.
- Profile Data: Avatar URLs and associated profile details.
- Scale: Approximately 4 million user records totaling over 1GB of data.
The inclusion of authentication tokens alongside passwords makes this particularly dangerous. Even if passwords have been changed, valid remember tokens or mobile tokens could still grant access to user accounts without needing the updated credentials. Given the platform's user base consists largely of students, many of the affected individuals are likely minors. The actor provided data proof screenshots and sample records to demonstrate authenticity, and is directing buyers to contact them via Telegram or Session for pricing.

Compromised Data Categories
- Full Names
- Phone Numbers
- Email Addresses
- Passwords
- Authentication Tokens
- Email Hash Tokens
- Mobile Tokens
- Birthdates
- Avatar / Profile Data

MITRE ATT&CK Mapping
- T1190 Exploit Public-Facing Application: Targets vulnerabilities in internet-facing web applications to gain unauthorized access to backend databases containing user records.
- T1555 Credentials from Password Stores: Extracts stored passwords and authentication credentials from the platform's database, enabling direct account takeover for millions of users.
- T1528 Steal Application Access Token: Harvests remember tokens, email hash tokens, and mobile tokens that can be used to bypass authentication and access accounts without passwords.
- T1213 Data from Information Repositories: Extracts structured user data from application databases, pulling personal information, credentials, and profile details from the platform's backend.
- T1589.002 Gather Victim Identity: Email Addresses: Collects email addresses and phone numbers from the breached database for resale, enabling phishing, credential stuffing, and social engineering attacks.
- T1567 Exfiltration Over Web Service: Uses web forums, Telegram, and Session messaging to advertise, distribute samples, and sell the stolen database to interested buyers.
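The token risk described in the incident overview, as an added example that is not from the original report or from Daryn Online's code: a Python sketch of a remember-token store that keeps only a SHA-256 digest of each token and revokes every token when the password changes. The `AccountStore` class, its method names, the 30-day lifetime and the sample account are assumptions made for illustration.

```python
import hashlib
import secrets

TOKEN_TTL = 30 * 24 * 3600  # assumed 30-day remember-token lifetime (seconds)


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    """In-memory stand-in for a users table and a remember-token table."""
    def __init__(self):
        self.passwords = {}  # user -> (salt, PBKDF2 key)
        self.tokens = {}     # sha256(token) -> (user, expires_at)

    def set_password(self, user, password, revoke_tokens=True):
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
        self.passwords[user] = (salt, key)
        if revoke_tokens:  # without this, old tokens outlive the password change
            self.revoke_all(user)

    def issue_token(self, user, now):
        # `now` is a Unix timestamp; production callers pass time.time()
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = (user, now + TOKEN_TTL)  # digest only
        return token  # raw value goes to the client, never into storage

    def login_with_token(self, token, now):
        user, expires = self.tokens.get(_digest(token), (None, 0))
        return user if user is not None and now < expires else None

    def revoke_all(self, user):
        self.tokens = {d: e for d, e in self.tokens.items() if e[0] != user}


def demo():
    """Constructed scenario: one account, one token issued before the reset."""
    user, store = "student@example.test", AccountStore()
    store.set_password(user, "old-password")
    old = store.issue_token(user, now=0)
    store.set_password(user, "new-password", revoke_tokens=False)
    weak = store.login_with_token(old, now=60)       # token still logs in
    store.set_password(user, "newer-password")       # default: revoke tokens
    hardened = store.login_with_token(old, now=120)  # token rejected
    fresh = store.issue_token(user, now=0)
    expired = store.login_with_token(fresh, now=TOKEN_TTL + 1)
    return weak, hardened, expired, old in store.tokens
```

With digest-only storage, a copied token table does not contain values a client can present, and `revoke_all` is the per-account step that makes a forced password reset also end existing remembered sessions.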
Indicators of Compromise
- domain — daryn.online
- malware — Shinchan