-
A threat actor is advertising a massive dataset allegedly pulled from over 20 Iranian travel agencies, with the record count exceeding 107 million entries.
-
The stolen data reportedly includes full customer identities, passport numbers, national IDs, flight reservations, train tickets, and detailed travel itineraries.
-
Security analysts warn that travel databases carry unique risks because they combine personal identity records with movement history, making them valuable for fraud, profiling, and intelligence collection.
A threat actor has surfaced on an underground forum advertising what they claim is a sweeping dataset pulled from more than 20 Iranian travel agencies and tourism service providers.
The total record count allegedly exceeds 107 million entries, a scale that would make this one of the largest travel-sector exposures ever observed in the region.
The actor has named specific companies and attached record counts to each. Haftorang leads the list with 47.7 million records, followed by Tikban with 23.6 million, Rahbal Aseman with 4.1 million, Karmania with 3.9 million, SnappTrip with 3.6 million, Avan Gasht with 2.9 million, and Behparvaz with 2.4 million. Several additional agencies contribute millions of records collectively to the total figure.
What the Dataset Contains
The actor claims each record carries a comprehensive profile of the affected individual. The data fields reportedly include full customer names, national ID numbers, passport numbers, dates and places of birth, email addresses, and phone numbers.
Account creation records also appear in the dataset alongside detailed travel information, covering flight reservations, train ticket bookings, departure and arrival details, seat assignments, airline information, and complete travel itineraries and booking histories.
This combination of identity and movement data makes the dataset significantly more sensitive than a typical consumer database leak. According to analysts who monitor underground forums, travel records are particularly dangerous because they do not just reveal who someone is.
They reveal where that person has been, who they traveled with, how frequently they move, and what their behavioral patterns look like over time. That level of detail attracts a much broader range of malicious actors than standard credential dumps.
Risks Running Deeper Than Identity Theft
The potential consequences of this exposure extend well beyond conventional fraud. At the most immediate level, the presence of full names, national IDs, passport numbers, and contact details creates a ready-made toolkit for identity theft and document fraud.
Threat actors could use this data to craft highly targeted phishing messages impersonating airlines, booking platforms, or government travel authorities, all highly believable contacts for anyone who has recently booked a trip.
Passport-related abuse represents a separate and serious concern. Fraudsters have historically used leaked passport data to facilitate illegal border crossings, create forged travel documents, or support financial crimes that require identity verification.
The inclusion of travel itineraries and booking histories adds another layer of risk, enabling criminals to predict future travel, identify high-value targets, and build detailed profiles on individuals of interest.
Passport data is a prime target for cybercriminals. Hackers recently leaked 300,000 Eurail user records, with passport data now being sold online — highlighting the global scale of travel data breaches.
Why this Leak Goes Beyond a Typical Data Breach
The intelligence dimension of this leak sets it apart from most underground forum disclosures. According to analysts, detailed records of traveler movements and associations carry real value for state-level actors and organized criminal groups alike.
A dataset that maps out the travel patterns of hundreds of thousands of individuals over time provides visibility that goes far beyond what most data breaches offer. Criminals can use it to profile high-value individuals, track business activities, and map out personal relationships built across borders.
The authenticity of the dataset has not been independently confirmed. As with many forum-posted claims of this nature, the data may be exaggerated, partially fabricated, or compiled from older sources.
Even so, the sheer scope of what the actor is advertising, and the sensitivity of the data categories involved makes this a disclosure that affected agencies and relevant authorities cannot afford to ignore.
