‼️🇺🇸 McKissock and Colibri Real Estate allegedly breached: 3,395,138 customer records exposed from the US professional licensing education provider with extortion threat

A threat actor claims to have identified an accessible dataset exposing sensitive customer data from McKissock, a US online professional licensing and continuing education provider for real estate, appraisal, and related industries.

The actor states the issue also impacts third-party platforms integrated through shared API infrastructure and partner integrations, with Colibri Real Estate and other affiliated partners using the same backend services confirmed to be affected. The actor warns that the database will be publicly posted via Telegram within 7 days if no agreement is reached.

▸ Actor: deathwatch
▸ Sector: Education / Professional Licensing / Real Estate Training
▸ Type: Data Breach with Extortion Threat
▸ Records: 3,395,138 customer records
▸ Country: United States
▸ Deadline: 7 days from post for an agreement
▸ Date: 13/05/2026

Compromised data:

▪️ Student ID, user name, first name, middle initial, last name, suffix, date of birth
▪️ Email address (primary and alternate)
▪️ Address 1, address 2, city, state
▪️ Daytime phone, evening phone, fax
▪️ NetSuite ID, student type
▪️ Account types including Student Account and Test Account
▪️ Sample entries reference users across Alabama, Pennsylvania, Washington, Virginia, New Mexico, New York, Louisiana, South Dakota, Illinois, Texas, and other US states
▪️ Migration ID, SSN, Driver's License number
▪️ Country, last 4 digits of payment card
▪️ Over 300 employee records containing PII (email, name, age, date of birth, address, relation)
▪️ Payment information for over 500,000+ students including transaction IDs, amount due, and last 4 of the card used
▪️ Thousands of student documents including AAU transcripts, high school transcripts, medical certificates, medical transcripts, real estate certificates, certificates from 2015 through 2021, contact tracker hours, financial records, and UnderSelfAssigned records
▪️ Third-party data shared via API integration with Colibri Real Estate and other affiliated partners

Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________

Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations

‼️🇫🇷 École Française de Comptabilité allegedly breached: 41 GB and 60,683 student, teacher, and bank documents exposed from the French distance learning institution

A threat actor is selling 41 GB of data totalling 60,683 PDF files allegedly exfiltrated from the École Française de Comptabilité (EFC), a French private distance learning institution founded in 1945 and based in Lyon, specializing in accounting, payroll, human resources, law, and real estate training.

The dump reportedly contains student documents, teacher documents, bank documents, certificates, invoices, and other identity and financial paperwork. Sample images show payslips, RIB bank statements (Monabanq), employer attestations, and EFC-issued enrolment documents including French postal RIP forms tied to a Paris address.

▸ Actor: ChimeraZ
▸ Sector: Education / Distance Learning / Professional Training
▸ Type: Data Sale
▸ Format: PDF (60,683 files, 41 GB total)
▸ Records: 60,683 documents
▸ Country: France
▸ Date: 13/05/2026

Compromised data:

▪️ Student documents (enrolment forms, identity records, course records)
▪️ Teacher documents
▪️ Bank documents including RIB statements (Monabanq and others)
▪️ Certificates and attestations
▪️ Invoices
▪️ Employer salary attestations
▪️ EFC enrolment and contract documents
▪️ Postal RIP (Relevé d'Identité Postal) forms tied to La Poste accounts
▪️ IBAN and BIC identifiers visible in sample documents
▪️ Full names, postal addresses (including Paris), and dates of birth
▪️ Bank domiciliation details

Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________

Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations

‼️ Some open links to scammers CMD Organization:

Screenshot 1: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion/templates/index.html

Screenshot 2: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion/templates/base.html

‼️🇸🇦 Thmanyah allegedly breached: 107,084 subscriber emails and a Bitmovin license key exposed from the leading Arabic podcast and media-tech platform

A threat actor is selling a database from Thmanyah, the Saudi media-tech company founded in 2016 in Riyadh and majority-owned by Saudi Research and Media Group (SRMG), which operates the largest Arabic podcast network in the Middle East and North Africa and holds the Guinness World Record for the most-viewed podcast episode on YouTube.

The actor states the breach exposed 107,084 subscriber emails along with a Bitmovin video-streaming LICENSE key embedded in the dump. The sample shows internal admin accounts on the thmanyah[.]com domain, user join dates from 2024, language and category preferences across Documentary, Science Fiction, True Crime, Food, and Relationships content, plus Apple Podcasts category mappings and translation metadata.

▸ Actor: lulzintel (GOD User)
▸ Sector: Media / Podcast Platform / Tech
▸ Type: Data Sale (paywalled, 6 forum points)
▸ Records: 107,084 subscriber emails + Bitmovin LICENSE key
▸ Country: Saudi Arabia
▸ Date: 14/05/2026

Compromised data:

▪️ Subscriber email addresses (107,084 records)
▪️ User ID
▪️ Account approval flag (is_approved)
▪️ Join date
▪️ Language preference (lang, e.g., "en", "ar")
▪️ Name
▪️ Question fields (q7, q4_2, q5, q6, q1, q2_2, q8, q3, q3_str)
▪️ Interests array (e.g., "google_podcast")
▪️ VUE_APP_BITMOVIN_LICENSE_KEY (included in the file)
▪️ Internal Thmanyah staff accounts visible in sample
▪️ Waitlist IDs and category mappings to Apple Podcasts taxonomy (Documentary, Science Fiction, True Crime, Food, Relationships)
▪️ Translation pairs (Arabic and English) for category names
▪️ Listen/yes flags, device type (e.g., android), age ranges (e.g., 20+, 4_8)

Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________

Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations

Simpler way to flood.

Screenshot 3: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion/templates/_bid_modal.html

Screenshot 4: http://cmdnkiqjije2tllr3biee2sjgj3i4robg2cbtilbnytdhh2wy3syrlyd[.]onion/templates/_contact_modal.html

‼️🇺🇸 CoreWeave allegedly breached: full infrastructure access claimed against the US GPU cloud provider that powers OpenAI workloads

A threat actor claims to have pulled full infrastructure access from CoreWeave, the US-based GPU cloud provider that went public in 2025 with revenue exceeding $500 million and is one of the primary compute providers for OpenAI workloads.

The actor describes the access as wide open with zero authentication required, stating they cannot determine whether the exposure represents gross negligence or a honeypot. The claimed access spans multiple internal notebook servers with root shells across regions, full cloud account credentials, the central monitoring stack, customer data storage, internal infrastructure topology, and long-term persistence mechanisms. The post is currently unverified.

▸ Actor: macaroni
▸ Sector: Cloud Computing / GPU Infrastructure / AI Compute
▸ Type: Infrastructure Access Claim (unverified)
▸ Records: Full infrastructure access claim, no record count specified
▸ Country: United States
▸ Date: 13/05/2026

Compromised data:

▪️ Multiple internal notebook servers with root shells across multiple regions
▪️ Cloud account credentials and data access roles, including permanent IAM keys with sts:AssumeRole and temporary keys from 4 accounts
▪️ Central monitoring dashboard with full Grafana admin access, every dashboard, Loki logs, Prometheus metrics, and live GPU telemetry
▪️ Customer data storage including S3 buckets, EBS snapshots, and workload logs reportedly containing personal and financial records
▪️ Internal infrastructure topology including Kubernetes API, Docker registry, Jenkins, ArgoCD, PostgreSQL, and Redis (no authentication), with a full network map
▪️ Long-term persistence including deployed SSH keys, backdoor user accounts, and identified IAM persistence paths

Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________

Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations

‼️🇮🇹 KRIA S.r.l. allegedly breached: 2.03 GB of speed and red-light enforcement data exposed from the Italian traffic monitoring technology vendor

A threat actor is selling a 2.03 GB dump allegedly exfiltrated from KRIA S.r.l., the Italian traffic enforcement technology company based in Seregno that manufactures the T-EXSPEED speed measurement system and T-REDSPEED red-light violation detection system used by Italian municipalities and traffic police.

The dump covers data from 2021 through 2026 and includes the full T-EXSPEED and T-REDSPEED software suite, complete MySQL databases of recorded violations, raw photos and videos from installations across Italian municipalities including Vicenza, Gemonio (VA), and Besozzo, along with device configurations, server credentials, and technical documentation. Sample evidence shows red-light violation records from Via San Vitale 3, Seregno, including timestamped vehicle plate captures and frame-by-frame imagery from system ID 441.

▸ Actor: prtsc
▸ Sector: Government Technology / Traffic Enforcement / Public Safety
▸ Type: Data Sale
▸ Format: Mixed (software binaries, MySQL dumps, photos, videos, configs)
▸ Records: 2.03 GB covering 2021 through 2026
▸ Price: 1,500 USDT
▸ Country: Italy
▸ Date: 12/05/2026

Compromised data:

▪️ T-EXSPEED software (original installer plus backups and install files)
▪️ T-REDSPEED software (original installer plus backups and install files)
▪️ Complete MySQL database covering events, violations, plates, statistics, whitelist, blacklist, and reports
▪️ Real speed and red-light violation records logged by deployed cameras
▪️ Original photos and videos from Italian installations, including Vicenza, Gemonio (VA), and other municipalities
▪️ Camera configurations, calibration files, and project settings
▪️ Device list and server credentials
▪️ Hardware information and inventory
▪️ Technical documents and internal reports

Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________

Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations

‼️🇮🇶 Iraqi Ministry of Interior allegedly breached: 2025-2026 census data exposed from the Iraqi government civil registry and vehicle registration systems

A threat actor is selling Iraq's 2025-2026 census data, sourced from the Iraqi Ministry of Interior's Directorate of General Nationality and Central Information Office. The sample images show official Iraqi civil status identity cards, vehicle registration licences (with MRZ data), and family registry record cards, alongside structured digital records covering civil identity, vehicle registration, and family lineage data tied to specific governorates including Erbil, Sulaymaniyah (Kifri district), and Khabat.

▸ Actor: OxO (VIP)
▸ Sector: Government / Civil Registry / Vehicle Registration
▸ Type: Data Sale
▸ Records: 2025-2026 Iraqi census records
▸ Country: Iraq
▸ Date: 14/05/2026

Compromised data:

Civil Identity (Official Civil Status Identity, Iraq):

▪️ Full name (Arabic and English)
▪️ Alias
▪️ ID type and ID number
▪️ Citizenship status (e.g., "Displaced Iraqi")
▪️ Mobile phone number
▪️ Workplace (e.g., Ministry of Education)
▪️ Gender
▪️ Marital status
▪️ Birth date
▪️ Province (e.g., Erbil)
▪️ District (e.g., Khabat)
▪️ Vaccination centre (e.g., BAHRKA CAMP)
▪️ Emergency contact number

Vehicle Registration (Ministry of Interior, Iraq Licence):

▪️ Name in English and Arabic
▪️ Licence number
▪️ Issue date and expiry date
▪️ VIN code
▪️ National ID reference
▪️ Additional ID
▪️ Gender

Family Registry:

▪️ Family number
▪️ Province (e.g., Sulaymaniyah)
▪️ Location (e.g., maternity hospital, Kifri district)
▪️ Sub-district (e.g., Kifri)
▪️ Full names of family members
▪️ Dates of birth for each member spanning multiple generations (samples from 1945 through 1988)
▪️ Governorate of registration

Physical document samples:

▪️ Republic of Iraq Vehicle Registration Licence cards
▪️ Ministry of Interior civil identity cards with MRZ
▪️ Family member information record cards from the Directorate of General Nationality

Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________

Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations