
Hacker Breaches Iranian Health Platform, Posts Sensitive Data of 700,000 on Dark Web

Last updated: January 16, 2026
Human Written
  • An Iranian online medical platform has reportedly suffered a data breach, affecting more than 700,000 citizens.

  • A threat actor known as “xploitleaks” has claimed responsibility, noting that access to the exfiltrated data is for sale via their Telegram channel.

  • The compromised dataset comprises citizens’ sensitive information such as full names, surnames, fathers’ names, national identification numbers, phone numbers, and others.

A hacker using the moniker “xploitleaks” claims to have breached an Iranian electronic health platform. In a post on Telegram, “xploitleaks” said he would be selling a large database containing the sensitive personal information and medical details of more than 700,000 Iranian citizens.

The actor is offering the dataset for sale exclusively through a private Telegram channel, where he posted sample records to substantiate the claim.

Nature of the Compromised Data

The alleged database contains highly sensitive information that could be used for identity theft, phishing scams, and fraud. This method of monetizing highly sensitive patient records on covert channels mirrors a recent incident where data from a Doctor Alliance breach was sold on the dark web. The data fields advertised consist of:

  • Full names and surnames 
  • Iranian national identification numbers 
  • Father’s names (commonly used as a security question in Iran) 
  • Personal phone numbers 
  • Account usernames

The threat actor claims to be selling full access credentials for every user who has an account on this medical platform. If true, an unauthorized person could view a user’s medical history, appointment information, and prescription information, and possibly communicate with their healthcare providers under an assumed identity.

Threat Actor’s Profile and Possible Motivation

The profile of this threat actor leads to speculation as to what may be his motive. “xploitleaks” has been careful to maintain some level of operational security by directing all inquiries to a Telegram support channel instead of using a public forum.

Criminal organizations increasingly adopt this type of operational security, moving away from traditional dark web markets and toward encrypted chat applications to reduce visibility and avoid takedowns.

It appears that the threat actor’s primary motivation is to monetize the information stored in this database. Targeting a national medical platform, such as Iran’s, may also indicate other motivations such as hacktivism and/or geopolitical issues. However, the threat actor has made no explicit claims regarding their motivations.

Possible Impact and Risks of the Breach

  • Risks to individuals: This data breach puts affected individuals at immediate risk of identity theft, extortion, and spear-phishing attacks. The exposure of national identity card numbers is especially serious because these identifiers cannot be revoked and are widely used across Iranian government services and financial institutions.
  • Violations of patient privacy: Attackers gained unauthorized access to medical records, directly violating patient privacy rights. This exposure may lead to serious social consequences, including stigmatization, discrimination by health insurance providers, and potential threats to personal safety linked to a patient’s medical condition. Stolen data can also fuel targeted fraud schemes, a growing global problem as detailed in our report on health insurance scams surging worldwide.
  • Risk to operational and national security: If attackers compromise access controls, they can alter patient records, disrupt healthcare services, or use ransomware to extort funds. On a broader scale, adversaries can exploit aggregated national health data to gather intelligence, build population profiles, and undermine trust in the country’s digital healthcare infrastructure.

Right now, no one has independently confirmed the data breach. The Iranian government has not commented on the incident, leaving it unclear which platform was compromised.

Necessary Steps to Address Risk Associated with the Data Breach

If authorities confirm the suspected breach of the Iranian healthcare site, it will significantly impact the personal data of a large number of affected individuals. It will also show that as the use of healthcare data increases, so does the sophistication of the tactics used by those who threaten it.

The new methods involve using encrypted platforms to trade health data. It is essential that network security teams and government agencies work together to lessen the damage from this attack and stop similar ones in the future.

Different groups should also take certain steps to guard themselves against possible problems caused by this event.

  • Possible victims: Those affected in Iran should monitor their medical accounts for suspicious activity, enable two-factor authentication wherever possible, and be particularly watchful for phishing schemes involving personal or medical information.
  • Healthcare providers/organizations: This incident serves as a reminder of the importance of implementing strict access control measures, maintaining credential monitoring processes, and performing routine security audits on all medical data platforms that hold citizens’ data at national scale.
  • Researchers: The incident is indicative of the growing trend of using the internet and encrypted applications to traffic caches of sensitive national infrastructure databases, and it necessitates increased monitoring of the dark web and encrypted applications for early detection of breaches.

About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
