Mansoura University

A threat actor operating under the handle "BF! INT3X" has listed 11GB of data from Mansoura University, one of Egypt's largest and oldest academic institutions, for sale on dark web forums. The archive allegedly contains nearly one million student records spanning from 2006 to the current 2025/2026 academic year.

The attacker released portions of the data for free after the university and its affiliated domains did not respond to previous breach notifications. This isn't the first time Mansoura-affiliated institutions have appeared on dark web marketplaces—a pattern that suggests systemic security gaps across the university network.

Full names. Egyptian National IDs—the primary government identification number. Academic records covering two decades of enrollment. And critically: passwords stored in both plaintext and hashed formats. Additionally, 4.96GB of proprietary research documents were reportedly included.

Plaintext passwords in 2026. A database spanning 20 years of records with no apparent segmentation or deprecation. Academic systems that grow data but never clean it.

A generation of Egyptian students and alumni. People who enrolled in 2006 are now mid-career professionals. People who enrolled last year are just starting out. All of them now have their National IDs—equivalent to Social Security numbers—exposed alongside whatever passwords they used for university systems.

Password reuse is endemic. If any of these students used the same credentials elsewhere—email, banking, social media—those accounts are now compromised. National ID exposure enables identity fraud, impersonation, and social engineering attacks that could follow victims for life.

Universities focus on availability. Academic systems must work during enrollment periods, examination seasons, and graduation. Uptime is the priority. Security is what happens when there's budget left over.

The fact that passwords were stored in plaintext suggests security wasn't even a secondary consideration—it was an afterthought. Legacy systems get maintained for functionality, not hardened for protection.

They didn't know—or didn't address—that 20 years of student data lived in a single, unsegmented database accessible from the internet. The fact that the archive spans 2006 to 2026 indicates either a central legacy system that was never properly secured or persistent attacker access that went undetected for years.

Either scenario points to the same failure: no one mapped where sensitive student data accumulated, how it was protected, or whether ancient records should have been purged long ago.

Nearly one million notifications to people scattered across Egypt and potentially the world—graduates who've moved, changed contact information, or forgotten they ever had a Mansoura University account. Many won't hear about this breach until it's used against them.

The attackers publicly shamed the university for not responding to earlier breach disclosures. When institutions ignore warning signs, threat actors escalate. The data is now publicly listed because silence was the only response.