Alleged Data Leak of Rouzbeh Educational Complex Exposes 202,383 Records Including Student and Employee Social Security Numbers, Passwords, and National IDs

Summary

A threat actor identified as 0BITS has publicly released a partial database breach from Rouzbeh Educational Complex, an Iranian educational institution, containing 202,383 records dating back to June 2023. The leaked data includes highly sensitive information such as social security numbers, national ID numbers, passwords, ID photos, email addresses, mobile numbers, and family member details in CSV format. The full 1GB compressed dataset has been released for free to forum members, creating significant identity theft and fraud risks, particularly for student victims who may include minors.

Full text

Dark Web Informer - Cyber Threat Intelligence Alleged Data Leak of Rouzbeh Educational Complex Exposes 202,383 Records Including Student and Employee Social Security Numbers, Passwords, and National IDs March 26, 2026 - 1:17:51 PM UTC Iran Education Standalone API Access Now Available High-volume threat-intelligence data, automated ingestion endpoints, ransomware feeds, IOC data, and more. View API Unlock Exclusive Cyber Threat Intelligence Powered by DarkWebInformer.com Stay ahead of cyber threats with real-time breach tracking, expert analysis, and high quality evidence - built for security professionals, researchers, journalists, and everyday people who take their privacy seriously. Subscribe Now Quick Facts Date & Time 2026-03-26 13:17:51 UTC Threat Actor 0BITS Victim Rouzbeh Educational Complex Industry Education Category Data Leak Total Records 202,383 Data Date June 2023 Full Leak Size 1 GB (Compressed) Partial File 130 MB (69 MB Compressed) File Format CSV Price Free (Public Leak) Country Iran Incident Overview A threat actor going by 0BITS has uploaded a partial database leak from Rouzbeh Educational Complex, an Iranian education institution. The actor states the original breach dates back to June 2023 and exposed records belonging to both employees and students, totaling 202,383 records. The data has been published as a free download for registered forum members. The actor explicitly labeled this as a partial leak, providing both a partial file (130MB uncompressed, 69MB compressed) and referencing a full leak of 1GB compressed. The compromised data fields are extensive and include: Personal Identifiers: Full names, email addresses, mobile numbers, home numbers, and family member details. Government IDs: Social security numbers and national ID numbers, which are high-value identity theft targets in any country. Credentials: Usernames and passwords. Identity Documents: ID photos tied to individual records. Financial Data: Invoices and transaction IDs. Institutional Data: Birth dates, attendance records, location data, and status information. The combination of social security numbers, national IDs, passwords, and ID photos in a single dataset makes this particularly dangerous for identity fraud. Given this is an educational institution, a significant portion of the affected individuals are likely students, potentially including minors. The data is distributed in CSV format, making it easily parsed and exploitable. Compromised Data Categories Full Names Email Addresses Mobile Numbers Home Numbers Social Security Numbers National ID Numbers ID Photos Usernames & Passwords Family Member Details Invoices & Transaction IDs Birth Dates Attendance Records Location & Status Data Image Preview Claim URL Subscriber Access Required The original listing URL and unredacted claim images are available on the Threat Feed and Ransomware Feed for paid subscribers. Subscribe Subscriber Access View the original listing URL and unredacted claim images on the feeds below. Threat Feed Ransomware Feed MITRE ATT&CK Mapping T1190 Exploit Public-Facing Application Targets vulnerabilities in the educational institution's web applications to gain unauthorized access to backend databases containing student and employee records. T1213 Data from Information Repositories Extracts structured records from the institution's database systems, pulling personal data, government IDs, credentials, financial records, and attendance data for over 202,000 individuals. T1555 Credentials from Password Stores Extracts usernames and passwords from the database, enabling direct account takeover and credential stuffing attacks against affected users across other platforms. T1589.001 Gather Victim Identity: Credentials Harvests social security numbers, national IDs, and ID photos that can be used for identity fraud, document forgery, and targeted impersonation attacks. T1567 Exfiltration Over Web Service Publishes the stolen database as a free download on web forums in CSV format, with the full leak gated behind forum registration and a partial file publicly accessible. T1560 Archive Collected Data Packages the stolen data into compressed archives (1GB full leak, 69MB partial) in CSV format for efficient distribution and download. Dark Web Informer © 2026 | Cyber Threat IntelligenceDarkWebInformer.com

Indicators of Compromise

• malware — 0BITS
• mitre_attack — T1190
• mitre_attack — T1213
• mitre_attack — T1555
• mitre_attack — T1589.001
• mitre_attack — T1567
• mitre_attack — T1560