Brinztech Alert: Alleged Database of 21,000 Saudi Citizens (Phone Numbers) is on Sale

Dark Web News Analysis

A threat actor on a known hacker forum is advertising the alleged sale of a database containing 21,206 phone numbers of Saudi citizens. The dataset is described as a “pure mobile list” with the Saudi country prefix (966) and is reportedly extracted from koraclub.net.

Brinztech Analysis:

• The Source: koraclub.net (referencing “Kora,” Arabic for football/ball) appears to be a sports or football-related forum/community. Such niche forums are frequent targets for scraping or SQL injection because they often lack the robust security of major corporate platforms but hold high-value, localized user data.
• The Data: The leak is specific—21,000+ valid mobile numbers. While it lacks passwords or financial data, a “clean” list of active numbers is a premium asset for SMS spam (Smishing) and SIM swapping gangs.
• Context: This incident occurs amidst a significant surge in cyber threats targeting Saudi Arabia in 2025. Reports from late 2025 highlight increased activity from ransomware groups (like Everest and Qilin) and hacktivists targeting Saudi government and private sectors. This leak adds to the “noise” of data exposure in the Kingdom.

Key Cybersecurity Insights

This alleged data breach presents a specific threat to individuals in Saudi Arabia:

• High Risk for Targeted Attacks (Smishing): The precise and clean list of Saudi citizen phone numbers significantly increases the likelihood of successful SMS phishing (smishing). Attackers can send messages impersonating trusted local entities (like Absher, banks, or delivery services) to trick users into clicking malicious links.
• Facilitation of Account Takeovers (ATO): The leaked phone numbers provide a crucial component for SIM swapping attacks. Threat actors can target these specific numbers to bypass SMS-based Multi-Factor Authentication (MFA) and gain unauthorized access to banking or social media accounts.
• Regional Privacy Concerns: This targeted leak of citizen data raises substantial privacy concerns in Saudi Arabia. It highlights that even “low-value” targets like sports forums can be weaponized to harvest PII (Personally Identifiable Information) that feeds into broader cybercrime campaigns.

Mitigation Strategies

In response to this claim, users of koraclub.net and Saudi citizens should take precautionary measures:

• Strengthen Multi-Factor Authentication (MFA): Move away from SMS-based OTPs. Switch to authenticator apps (Google/Microsoft Authenticator) or hardware tokens for all sensitive accounts. This neutralizes the threat of SIM swapping.
• Conduct Targeted User Awareness Training: Be vigilant against unsolicited SMS messages. Never click links in text messages claiming to be from government agencies or banks unless you initiated the request.
• Review Phone-Based Authentication: Organizations should audit their reliance on phone numbers for identity verification. Knowledge of a phone number should not be enough to reset a password.

Secure Your Business with Brinztech — Global Cybersecurity Solutions Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.

Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com