Multiple Data Exposure and Breach Reports Involving French Citizens, Victorian Students, and Alleged PayPal Credentials
Security researchers reported a large, publicly exposed database on an open cloud server containing tens of millions of French citizen records aggregated from at least five prior breaches, including voter data, healthcare entries, CRM contacts, financial profiles (including IBANs/BICs), and vehicle-related information. The dataset appears to have been compiled to increase resale value and enable identity cross-linking, elevating risks of phishing, fraud, and identity theft.
Separately, Australia’s Victorian Department of Education notified parents that an unauthorized party accessed a student database containing names, school names, year levels, school-issued email addresses, and encrypted passwords, prompting a forced password reset and temporary account access disruption; the department stated more sensitive fields (e.g., home addresses, phone numbers) were not exposed and investigators had not confirmed public release. In another unrelated report, researchers questioned the veracity of a newly claimed PayPal breach, assessing a ~100,000-record credential “combolist” as likely outdated infostealer-log data rather than evidence of a fresh PayPal compromise, noting PayPal’s prior refutation of similar claims and the practical barriers posed by MFA.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Open server exposes aggregated database on French citizens
Cybernews researchers found an open cloud server hosting a massive database with tens of millions of French citizen records, apparently aggregated from at least five separate breaches. The archive included voter, healthcare, financial, CRM, and vehicle-related data, increasing risks of phishing, fraud, and identity theft.
Victoria resets student passwords after breach
As a precaution following the student data breach, the Victorian Department of Education reset all student passwords and temporarily blocked account access until new credentials could be issued. Investigators said they had not found evidence that the accessed data had been publicly released or shared.
Victorian education department discloses student data breach
Victoria's Department of Education notified parents that an unauthorized third party accessed a database containing current and former students' personal information, including names, school details, school-issued email addresses, and encrypted passwords. The department said more sensitive data such as birth dates, home addresses, and phone numbers were not exposed.
Cybernews questions claimed new PayPal credential breach
Cybernews assessed a newly circulated combolist of more than 100,000 alleged PayPal credentials as likely outdated data from infostealer logs rather than evidence of a fresh PayPal compromise. Researchers cited the relatively small record count and noted that many PayPal accounts are protected by multi-factor authentication, making account takeover harder.
PayPal says 2022 credential stuffing exposed 35,000 accounts
PayPal previously attributed reports of stolen credentials to a 2022 credential stuffing incident that exposed about 35,000 accounts, rather than to a direct breach of its systems.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Tens of millions of French citizen records exposed | SC Media
scworld.com
Open sourceVictorian Department of Education says hackers stole students’ data - DataBreaches.Net
databreaches.net
Open sourceVeracity of newly claimed PayPal breach questioned | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Dark Web Leak Claims Target Colis Privé and Multiple Online Services
Dark web monitoring reports described **unverified data leak claims** involving several organizations, including French parcel delivery firm **Colis Privé**. One post on **BreachForums** allegedly offered an upload of **22,564,381 records** attributed to Colis Privé, described as `.jsonl` files totaling **~4.1 GB**; no specific threat actor attribution or company confirmation was cited, and the notice characterized the situation as informational while scope is assessed. If authentic, the scale and format of the dataset would materially increase risk of **identity theft, credential stuffing, and targeted phishing** against customers. Separate dark web forum posts also alleged database exposures affecting **JobsGO** (Vietnam recruitment platform), **MyVete** (veterinary management platform), **PIXPAY** (Senegalese payment service), and **Groupe Fondasol** (France-based engineering). The claimed datasets reportedly include **CV/personal records**, and in some cases **API credentials and employee metadata**, with example figures including **~2.3 million records** for JobsGO and **~5.57 million records** for MyVete (verification not indicated). Across the claims, the primary business risk is downstream abuse of exposed personal and operational data for **social engineering, recruitment fraud, and account takeover**, rather than immediate exploitation of a specific software vulnerability.
Mar 21, 2026
Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at **IDMerit**, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible **MongoDB** instance containing **over 3 billion records** (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated roughly **~1 billion** records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across **26 countries**, with large volumes attributed to the **US, Mexico, and the Philippines**, creating downstream risk for **identity fraud, account takeover, phishing, and SIM-swap** activity. Separately, Australian finance technology platform **youX** confirmed an **unauthorized third-party access** incident, after which a hacker claimed theft of data tied to **444,528** Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. **Substack** also confirmed unauthorized access to **limited user data** (including email addresses, phone numbers, and internal account metadata) that occurred in **October 2025** but was only identified on **Feb. 3, 2026**; Substack stated **passwords and payment card/financial data were not accessed**, but the extended detection gap raised concerns about monitoring and dwell time.
Mar 21, 2026
Data exposures tied to third-party access and credential misuse in Ukraine and France
Ukraine’s National Bank (NBU) took its **collectible coin/numismatic online store** offline after a cyberattack against a supporting **contractor** potentially exposed customer registration data (names, phone numbers, emails, and delivery addresses). The NBU said **core banking systems were not affected** and **no payment card or banking data** was compromised, but warned the exposed PII could be leveraged for **phishing** and other follow-on fraud; the incident was described as consistent with a **supply-chain** intrusion path. In France, authorities disclosed illegal access to a portion of the **National Bank Accounts File (FICOBA)**—a government database used for tax, customs, and law-enforcement purposes—after an attacker **impersonated a civil servant** and used valid credentials to query data. Officials said up to **1.2 million accounts** may have been impacted, with exposed fields potentially including account numbers, names, addresses, and in some cases tax identifiers; **DGFiP**, supported by **ANSSI**, is investigating and notifying affected individuals while banks were alerted to heighten fraud/phishing monitoring. Separately, **Safran Group** denied being cyberattacked, stating that a leaked dataset containing “non-strategic” order/customer details was **inadvertently exposed via a third-party provider**, with external analysis suggesting the compromise occurred elsewhere in the supply chain rather than within Safran’s own systems.
Mar 21, 2026