Full Report
In March 2025, almost 55k records were breached from the Hungarian education office website TehetségKapu. The data was subsequently published to a popular hacking forum and included email addresses, names and usernames.
Analysis Summary
# Incident Report: TehetségKapu Data Breach (March 2025)
## Executive Summary
In March 2025, the Hungarian education office website, TehetségKapu, suffered a data breach exposing nearly 55,000 records belonging to students, teachers, and Education Office employees. The compromised data, including names, email addresses, and usernames, was later posted on a hacking forum. The response focused on notifying users and urging them to change their passwords and enable two-factor authentication.
## Incident Details
- Discovery Date: May 1, 2025 (when added to HIBP)
- Incident Date: March 2025
- Affected Organization: TehetségKapu (Hungarian Education Office website)
- Sector: Education/Government Services
- Geography: Hungary
## Timeline of Events
### Initial Access
- Date/Time: March 2025 (Exact date unknown)
- Vector: Not explicitly detailed in the source material. Assumed to be a system vulnerability exploited by an external threat actor.
- Details: Attackers gained unauthorized access to the TehetségKapu database.
### Lateral Movement
- *Information not available in the source material.*
### Data Exfiltration/Impact
- March 2025: Approximately 54.4 thousand records were exfiltrated.
- Data published to a popular hacking forum.
- Compromised Data: Email addresses, names, and usernames.
### Detection & Response
- Detection: Data appeared in Have I Been Pwned listings on May 1, 2025.
- Response actions: Users were advised to change their passwords immediately if they hadn't done so since 2025 and to enable Two-Factor Authentication (2FA).
## Attack Methodology
- Initial Access: Unknown (likely exploitation of a vulnerability).
- Persistence: *Information not available.*
- Privilege Escalation: *Information not available.*
- Defense Evasion: *Information not available.*
- Credential Access: *Information not available.*
- Discovery: *Information not available.*
- Lateral Movement: *Information not available.*
- Collection: PII (Names, emails, usernames) collected from the database.
- Exfiltration: Data posted publicly on a hacking forum.
- Impact: Data exposure of nearly 55k individuals associated with the Hungarian education system.
## Impact Assessment
- Financial: *Not disclosed.*
- Data Breach: Approximately 54,400 records involving PII (Email addresses, names, usernames).
- Operational: *No mention of operational downtime, but the confidentiality of the stored data was compromised.*
- Reputational: Negative publicity stemming from the data breach publicized on HIBP and forums.
## Indicators of Compromise
- *No specific network or file IOCs (e.g., IP addresses, hashes) were provided in the source material.*
- Behavioral indicators: Publication of stolen PII on public hacking forums.
## Response Actions
- Containment: *Not detailed, but containment would have involved securing the TehetségKapu database.*
- Eradication: *Not detailed.*
- Recovery actions: Advising affected users to secure their accounts.
## Lessons Learned
- The immediate risk associated with public data leakage (posting on hacking forums) requires rapid user communication.
- The organization's security protocols were insufficient to prevent the unauthorized access and exfiltration.
## Recommendations
- Immediately mandate strong password policies and enforce the adoption of Two-Factor Authentication (2FA) for all user and administrative accounts.
- Conduct a full security audit to identify and patch the initial vector of compromise.
- Review data retention policies to minimize the storage of sensitive PII when not strictly necessary.