A major data dump tied to Vietnam’s National Credit Information Center (CIC) has surfaced on criminal forums, with the ShinyHunters group claiming to sell more than 160 million records of sensitive financial and identity data. Vietnam’s central bank has confirmed a breach at CIC and ordered the agency to work with authorities, while independent researchers say samples show the leak is real and extensive.
What Happened and How the Leak Emerged
ShinyHunters announced on an illicit forum that it had exfiltrated massive credit and identity records from CIC, one of Vietnam’s four licensed credit information providers. The group listed a negotiable price of $175,000 for the dataset and described the contents as including PII, credit payment histories, risk analyses, encrypted card data, military and government IDs, tax IDs, income statements, and records of debts owed.
ReSecurity, a cybersecurity firm that engaged directly with the sellers, purchased sample records to verify the claim. The company reports the samples included timestamps from 2025, with the newest entries dated February 2025, suggesting recent or ongoing exposure. Vietnam’s State Bank confirmed the incident and instructed CIC to cooperate with investigators.
What Data Appears to Be Exposed
Samples obtained by ReSecurity and described in their report indicate a wide range of sensitive fields. The leaked categories reportedly include:
- Full names and identifying details (dates of birth, emails, phone numbers)
- Credit payment histories and balance records
- Income statements, employment and contact information
- Banking-related details and some encrypted credit card data
- Military, government and tax identity numbers
- Risk analysis and credit assessment data
Local reporting says authorities have not disclosed the exact number of affected accounts. ReSecurity confirmed the stolen samples referenced major Vietnamese lenders, including VietCredit, MB Bank, Ocean Bank, VPBank, Sacombank and Agribank.
Scale, Pricing, and Dataset Claims
ShinyHunters offered the dataset for sale with a negotiable price around $175,000 and claimed the full collection exceeds 2.6 billion lines across multiple categories. The advertised 160 million records, in a country with a population of about 102 million, imply that datasets may contain historical entries, multiple records per person, or aggregated records drawn from many sources.
ReSecurity said it contacted more than 100 randomly selected individuals listed in the samples to check authenticity; those contacts validated the data as real. None of those people had reportedly been notified by authorities about the exposure when researchers reached out.
How the Attack Was Carried Out, According to Researchers
ReSecurity reports that the attackers exploited a known but unpatched vulnerability in CIC’s end-of-life software. The firm says the vulnerability allowed unauthorized access to large portions of the credit bureau’s data. ShinyHunters did not attempt to extort CIC or the Vietnamese government, the group told ReSecurity, since payment was unlikely.
Vietnam’s State Bank also stated publicly that CIC and similar providers do not collect bank account balances, transaction histories, debit or credit card CVV/CVC data, or full payment histories—clarifying what was and was not expected to be in the bureau’s holdings.
ShinyHunters’ History and Recent Activity
ShinyHunters is a prolific cybercrime group known for high-profile breaches. The group previously worked as part of a broader alliance sometimes described as “ShinyHunters-Lapsus-ScatteredSpider.” That conglomerate announced winding down operations recently, but marketplaces tied to the group remain active. ShinyHunters has a track record of posting and selling large datasets, and their presence on illicit forums continues to draw attention from law enforcement and researchers.
Criminal Uses and Market Value of the Data
Security experts warn that credit and identity data from a national bureau is a high-value commodity on the dark web. Typical criminal uses include targeted phishing, identity theft, synthetic ID creation, and financial fraud. On secondary markets, a single profile can sell from $10 to $100, while government IDs and high-value financial records command hundreds of dollars apiece. Given the scale reported in this incident, the potential yield for criminals could be large.
ReSecurity called breaches of national credit bureaus a “worst-case scenario” for cybersecurity professionals because they centralize sensitive data that supports lending and identity checks across the financial system. The CIC role as a central repository means a single successful breach can ripple across banks, insurers and other institutions.
Response from Authorities and Current Status
Vietnam’s central bank has publicly confirmed the breach and ordered CIC to cooperate with the investigation. At the time of reporting, officials had not released a detailed count of affected individuals or a timeline of the intrusions. ReSecurity and other investigators continue to analyze samples and trace the leak’s origin.
Researchers warn that data already circulating on criminal forums will likely be reused for fraud, while requests for purchases and leaks may continue. Authorities have urged restraint in sharing or using the stolen data and warned that unauthorized possession or distribution may carry legal penalties.
Why This Matters for the Financial System
The alleged CIC breach raises systemic concerns. Credit bureaus aggregate identity, credit and risk data used by lenders and service providers to make decisions. Exposure on this scale can enable fraud at many levels and complicate trust in financial checks that rely on centralized credit records. Investigators say the incident underscores the need for protecting critical national data stores and for transparent notification when records are exposed.
