‼️🇬🇹 Guatemalan Ministry of Finance allegedly breached: 130,000 RGAE registrations and 235,000 sensitive PDFs (324.5GB) exposed via IDOR and unauthenticated APIs

A threat actor claims to have compromised the Registro General de Adquisiciones del Estado (RGAE) system operated by the Guatemalan Ministry of Finance (Ministerio de Finanzas Públicas), the official state procurement registry.

The actor describes the breach as part of an ongoing "digital siege" against Guatemala, citing critical IDOR/BOLA vulnerabilities at /api/Solicitud/ObtenerSecciones and two open APIs without any security, including one connected to the Superintendencia de Administración Tributaria (SAT) at /api/sat/email.

The actor states that despite Cloudflare and a WAF being in place, the extraction was performed by simulating real traffic from ordinary web users to avoid alerting the system, allowing 130,000 registration records from 2020 to 2026 to be extracted, alongside 235,000 sensitive PDF documents totalling 324.5 GB.

A proof-of-concept 5,000-row CSV sample and a 200-PDF preview have been published.

▸ Actor: GordonFreeman (VIP), branded "LAT4MFUCK3RS"
▸ Sector: Government / Public Procurement / Finance
▸ Type: Data Breach (IDOR/BOLA, unauthenticated APIs)
▸ Records: 130,000 registrations + 235,000 PDFs (324.5 GB)
▸ Country: Guatemala
▸ Date: 14/05/2026

Compromised data:

Registration records (130,000 rows, 2020-2026):

▪️ ID
▪️ NIT (Guatemalan tax identification number)
▪️ CUI (Código Único de Identificación)
▪️ Nombre (full name)
▪️ Direccion (address)
▪️ Telefono (phone number)
▪️ Correo (email address)
▪️ Tipo_Org (organization type, Individual or Juridica)

PDF documents (235,000 files, 324.5 GB):

▪️ University degrees and diplomas
▪️ Ministry of Education teaching titles
▪️ SAT invoices (Facturas)
▪️ Negotiation minutes and articles of incorporation
▪️ Sports minutes (actas)
▪️ Simple agreements
▪️ Notarial acts (Protocolos with Diez Quetzales registry stamps)
▪️ Balance sheets
▪️ Bank certifications
▪️ Administrative contracts
▪️ Signed affidavits
▪️ Tax solvency certificates
▪️ Commercial patents
▪️ Scanned DPIs
▪️ Constitution of Sociedad Anónima documents

Vulnerability details:

▪️ IDOR/BOLA
▪️ Unauthenticated SAT API
▪️ Second unauthenticated API hosting all persons registered in RGAE
▪️ Cloudflare and WAF in place but bypassed via traffic simulation

Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________

Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations

‼️🇫🇷 Collège de France allegedly breached: 1.6K records leaked from the historic French higher education and research institution

A threat actor claims to have leaked the database of collège-de-france.fr and scripta.college-de-france.fr, allegedly exposing internal staff and institutional records belonging to the prestigious French higher education and research institution. The actor states the archive contains JSON and PDF files related to the organization, including employee directory information and internal institutional data.

▸ Actor: ChimeraZ
▸ Sector: Education / Research
▸ Type: Data Leak
▸ Records: 1,600+ records
▸ Country: France
▸ Date: 14/05/2026

Compromised data:

▪️ Staff and institutional database records allegedly extracted from collège-de-france.fr and scripta.college-de-france.fr
▪️ Employee information including full names, corporate email addresses, office phone numbers, institute affiliations, and department assignments
▪️ Internal directory data containing building references, office locations, floor and room identifiers
▪️ Institute and research division references including physics, chemistry, and materials research departments
▪️ Profile photo references and internal file paths linked to staff directory systems
▪️ JSON and PDF archives allegedly containing institutional and employee-related records

The actor claims the leaked archive size is approximately 835 MB and distributed through multiple file-sharing platforms.

Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________

Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations

‼️🇧🇷 Nuvidio allegedly breached: 40K files including KYC records, biometrics, private keys, customer video calls, and cloud infrastructure data exposed

A threat actor claims to have breached Nuvidio, a Brazilian identity verification and biometric onboarding provider used by financial institutions and fintech companies for KYC, video verification, and fraud prevention services.

The actor alleges the dataset contains approximately 40,000 files totaling 6.3 GB, including identity documents, customer biometric recordings, production credentials, private keys, AWS infrastructure data, and internal monitoring systems.

▸ Actor: xpI0itrs
▸ Sector: Identity Verification / Fintech / Biometrics
▸ Type: Data Breach
▸ Records: 40,000+ files
▸ Country: Brazil
▸ Date: 14/05/2026

Compromised data:

▪️ Production credentials for major services including MongoDB, PostgreSQL, AWS IAM, Twilio, Redis, RabbitMQ, OpenSearch, and Microsoft Cognitive Services
▪️ 192 Brazilian citizen identity document records including RG and CNH scans with CPF-linked filenames, photographs, fingerprints, addresses, and birth dates
▪️ Approximately 3.1 GB of customer video call recordings involving KYC verification and financial onboarding sessions
▪️ Voice biometric and speaker diarization audio files allegedly linked to customer verification systems
▪️ SSL and mTLS private keys with references to Banco Pan internal API authentication infrastructure
▪️ Complete AWS infrastructure mapping data including Terraform state files, CloudFormation templates, CloudTrail logs, VPC flow logs, ECS cluster schedules, Lambda configurations, and environment variables
▪️ Grafana backups containing employee account information and encrypted CloudWatch credentials
▪️ User-uploaded customer chat files and identity verification attachments allegedly shared during onboarding sessions
▪️ Web application source code, frontend builds, and source maps allegedly usable for reverse engineering and exploitation

Affected organizations and referenced clients allegedly include Banco Pan, BMG Money, Bradesco, Banco Mercantil, Ailos, iCred, Pipe, Claro, C6 Bank, Caixa, Agibank, Equatorial, and others.

The actor is offering the dataset for sale at $12,000 and claims the exposed material spans records dated between 2021 and May 2025.

Stop guessing what's redacted. Subscribers see everything → darkwebinformer.com/pricing
________________________________________

Main Channel: https://t.me/SliceForLifeee
Backup Channel: https://t.me/SliceForLifeeee
Website: darkwebinformer.com
Pricing (Includes Crypto): darkwebinformer.com/pricing
API Access: darkwebinformer.com/api-details
Socials: darkwebinformer.com/socials
Donations: darkwebinformer.com/donations