
Jun 02, 2026

Mansoura University: 1M Egyptian Student Records for Sale

A dark web seller using the alias BF! INT3X listed an 11GB Mansoura University database on May 29, 2026. The corpus reportedly contains nearly one million student records dating from 2006 through the 2025-2026 academic year, plus 4.96GB of unpublished research and 600MB of student ID imagery. The same actor previously dropped 731 contact records for free on May 11 after the university failed to respond.

Mansoura University, one of the largest public institutions in Egypt with more than 200,000 students across nine faculties, is now reportedly the subject of one of the largest higher education data breaches ever surfaced from the region. On May 29, 2026, a threat actor using the moniker BF! INT3X posted an 11GB archive for sale on a monitored cybercrime forum and described it as a near complete extraction of the university's student records, administrative documents, and research outputs spanning 2006 to the current academic year. Two weeks earlier, on May 11, the same actor dropped 731 staff contact records for free, framing the leak as retaliation for the university's "lack of response" to an earlier, undisclosed incident. The two posts are almost certainly the same intrusion at different stages.

Key Takeaways

  • A threat actor calling itself BF! INT3X listed an 11GB Mansoura University database for sale on a cybercrime forum on May 29, 2026, claiming nearly one million student records.
  • The dataset is reported to contain student full names, Egyptian National ID numbers, academic histories, and a mix of plaintext and hashed passwords spanning 2006 to the 2025-2026 academic year.
  • Approximately 4.96GB of the archive is described as unpublished proprietary research documents, and 600MB consists of student ID photo imagery.
  • On May 11, 2026, the same actor publicly released 731 staff contact records for free, citing the university's failure to respond to a previous notification as the reason.
  • The 20 year temporal coverage of the dataset implies long term undetected persistence inside the university network, or a compromise of an unsegmented legacy backup that retained two decades of records.

What Is in the Dataset?

Per the forum listing summarized by independent monitoring services including Brinztech and VECERT, the 11GB Mansoura University archive breaks down roughly as follows:

  • Student records: about 1 million unique entries with full names, Egyptian National ID numbers, academic course history, faculty assignments, and credentials. The credentials field is a mix of plaintext entries and hashes of varying strength.
  • Research documents: 4.96GB of unpublished and internal research outputs across multiple Mansoura faculties, including grant proposals and draft manuscripts.
  • Administrative and operational documents: 3.72GB of internal university paperwork, including procurement, HR, and faculty correspondence.
  • Student ID imagery: 600MB of photographs used to print physical student identification cards.

The presence of student ID photos alongside national identifiers makes the dataset useful for identity fraud at scale. The presence of 20 years of academic history makes it useful for adversaries running long term influence or recruitment operations against Egyptian graduates now in government and industry roles. The two combined are why a higher education breach of this shape draws more attention than the record count alone would suggest.

How Did the Two Leaks Tie Together?

On May 11, 2026, BF! INT3X released a smaller 731 record contact list for free, posting on a dark web forum in collaboration with handles tracked as quellostanco, CrowStealer, and @bigF. The accompanying note said the university "did not respond or confirm anything regarding a previous leak," and framed the public release as a consequence of that silence. The May 11 dump contained staff full names, work emails on the *.edu.eg domain, phone numbers, job titles, and departmental assignments.

Eighteen days later, on May 29, the same actor returned with the full 11GB archive and put it up for sale rather than public release. The pattern, a smaller free release as a pressure tactic followed by a paid auction of the full dataset, is consistent across multiple recent academic breaches and suggests the attacker either negotiated unsuccessfully with the institution or chose to skip negotiation entirely. The university had not, as of the listing date, published any statement acknowledging either disclosure.

Why Does the 20 Year Range Matter?

A dataset that includes both 2006 records and the current academic year tells you something specific about the breach. Either the attacker has been resident inside Mansoura's network for an extended period and is exfiltrating in waves, or, more likely, the attacker reached a single unsegmented legacy backup or archive system that held the full historical record set.

Both possibilities are bad. Long term resident access means the attacker has had time to map the rest of the environment, plant additional backdoors, and collect credentials beyond what is in the auction listing. A compromised legacy archive means the university's retention policy retained personally identifying records well past the operational need for them, exposing graduates whose data should arguably have been minimized years ago. Egyptian universities, like most public higher education institutions globally, are not bound by retention rules with the bite of GDPR Article 5(1)(e); the practical result is decades of recoverable personal data sitting on slow moving infrastructure.

What Is the Downstream Risk?

Expect three distinct downstream uses from a dataset of this composition:

  • Targeted phishing of Egyptian alumni in foreign jobs. Mansoura graduates work in Gulf states, North Africa, and Europe in significant numbers; a national ID, a graduation year, and a faculty name together make extremely credible spear phishing pretexts that can survive normal scrutiny.
  • Identity fraud against Egyptian government services. Egyptian National IDs are the linchpin for tax registration, civil status, and banking onboarding. Pairs of (name, national ID, photo) like the ones in this dataset can be used to attempt account opens or document forgeries against banks and government portals.
  • Credential stuffing across staff accounts. Plaintext passwords lifted from a university database that staff reused on email, cloud storage, or messaging applications give the attacker a stepping stone into corporate and personal accounts well beyond the university itself.

The credential stuffing risk is the one that bleeds furthest. A graduate who used the same password they set at Mansoura in 2014 on a Gmail account today is, in the worst case, one credential test away from having that Gmail compromised. From there an attacker has the graduate's address book, financial confirmations, and password reset capabilities for everything tied to that email.
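On the institution's side, the two conditions described above (a credentials field mixing plaintext with hashes of varying strength, and records retained since 2006) can be inventoried in one pass over the account table. The following is an added example, not code from the university or the monitoring reports; the row layout, the five year retention window, and every sample value are assumptions constructed for illustration.

```python
import re

# Heuristic rules, first match wins: (label, pattern, weak); weak => reset and rehash.
RULES = [
    ("argon2", re.compile(r"^\$argon2(id|i|d)\$"), False),
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), False),
    ("sha512-crypt", re.compile(r"^\$6\$"), False),
    ("md5-crypt", re.compile(r"^\$1\$"), True),
    ("raw-sha256-hex", re.compile(r"^[0-9a-fA-F]{64}$"), True),
    ("raw-sha1-hex", re.compile(r"^[0-9a-fA-F]{40}$"), True),
    ("raw-md5-hex", re.compile(r"^[0-9a-fA-F]{32}$"), True),
]

def classify(stored):
    """Return (label, weak). Hex rules guess by length, so they can mislabel."""
    if not stored:
        return ("empty", True)
    for label, pattern, weak in RULES:
        if pattern.search(stored):
            return (label, weak)
    return ("plaintext-or-unknown", True)

def plan(rows, current_year, retention_years=5):
    """rows: (user_id, stored_value, last_active_year); retention is assumed."""
    actions = {}
    for user_id, stored, last_active in rows:
        label, weak = classify(stored)
        if current_year - last_active > retention_years:
            # Dormant past retention: delete the credential instead of keeping it.
            actions[user_id] = ("purge-credential", label)
        elif weak:
            actions[user_id] = ("force-reset-and-rehash", label)
        else:
            actions[user_id] = ("keep", label)
    return actions

# Constructed sample rows; none of these values come from the leaked dataset.
SAMPLE_ROWS = [
    ("s2006-001", "Spring2006!", 2010),
    ("s2014-017", "ab" * 16, 2025),
    ("s2019-230", "ab" * 20, 2026),
    ("s2023-411", "$2b$12$" + "A" * 53, 2026),
    ("s2024-002", "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA", 2026),
    ("st-0099", "", 2026),
]

if __name__ == "__main__":
    for user_id, action in plan(SAMPLE_ROWS, current_year=2026).items():
        print(user_id, *action)
```

Purging takes priority over rehashing because a dormant credential that no longer exists cannot be replayed elsewhere, whatever format it was stored in.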

What Should Affected Students and Staff Do?

If you studied or worked at Mansoura at any point since 2006 and you are reading this, assume your record is in the auction. Reasonable next steps:

  • Change any password that has ever been the same as the one you used at the university. Use a password manager so no two services share a credential going forward.
  • Enable two factor authentication on your primary email account if you have not already. The Mansoura dataset, if combined with a credential reuse hit, gives an attacker direct access to your inbox; 2FA blocks that without requiring you to remember which password leaked.
  • Watch for phishing that references specific Mansoura faculty names, graduation years, or grant proposals you actually worked on. The attacker has the content to make those pretexts very specific.
  • If you hold an Egyptian National ID issued during the affected period and you can monitor banking and tax registrations centrally, do so. Watch for new account opens you did not initiate.

For background on how higher education breaches play out at scale, the Instructure Canvas hack exposed 275 million records from 8,809 institutions in April 2026; the playbook in higher ed is the same one that hit Mansoura, only at a different scale.

What Happens Next?

Two near term outcomes are possible. If the auction closes, the data moves into private buyer hands, surfaces in derivative scams within weeks, and stops being independently verifiable. If the auction stalls, the seller is likely to release the dataset for free as a credibility move, which is exactly how the May 11 partial leak went. Either way, the records are out.

Longer term, the Mansoura case is the third major North African or Middle Eastern university breach surfaced in 2026. Higher education in the region has the same structural vulnerabilities as higher education globally: lots of personal data, lots of legacy systems, very little segmentation, and underfunded security teams. The cases are going to keep coming until either retention policies tighten or budgets for endpoint and identity monitoring come up.
