Dark Web News Analysis
A threat actor on a known cybercrime forum is advertising the sale of a database allegedly belonging to ProctorU (now part of Meazure Learning). The dataset reportedly contains 350,000 records and is being sold for $800.
Brinztech Analysis:
- The Anomaly (Pankhuri.co): The listing explicitly states the data “originates from pankhuri.co.” This is a critical forensic detail. Pankhuri.co is a known Indian social commerce platform for women. There is no logical business link between an Indian beauty/lifestyle startup and a US-based proctoring service.
- Likely Scenario: This suggests the threat actor compromised the pankhuri.co server and used it as a “drop zone” or staging server to host data stolen from elsewhere (potentially ProctorU). Alternatively, the actor may be misattributing a database found on that server, or selling a “combolist” mixed from both sources.
- The Data: The 12.1 MB SQL file reportedly includes Student IDs, Full PII (names, addresses, phones), and bcrypt password hashes.
- Credibility Check: The record count (350k) is suspiciously close to the confirmed 2020 ProctorU breach (which affected ~444k users). Threat actors often “re-skin” old leaks, host them on newly hacked servers (like Pankhuri), and sell them as fresh “2025” breaches to unsuspecting buyers.
Key Cybersecurity Insights
Regardless of whether this is a new breach or a “zombie” leak, the threat to students and institutions is real:
- Credential Compromise Risk: The inclusion of bcrypt password hashes is significant. While bcrypt is robust, if these are older hashes from 2020, attackers have had 5 years to crack them. If they are new (2025), it implies a fresh SQL injection vulnerability.
- Targeted Phishing & Social Engineering: The dataset is explicitly marketed for “academic phishing.” Attackers can use the Student IDs and Address data to craft highly convincing emails pretending to be university registrars or proctors, demanding urgent fees or “exam verifications.”
- Third-Party Supply Chain Vulnerability: The bizarre connection to pankhuri.co highlights the complex web of modern cybercrime. A breach at a totally unrelated social commerce site in India is now facilitating the distribution of US student data.
- Identity Profiling: The “training access” marketing angle suggests criminals may use this data to create synthetic identities for student loan fraud or to bypass background checks.
Mitigation Strategies
In response to this claim, academic institutions and users must take immediate action:
- Mandatory Password Reset: Users should assume their ProctorU credentials are compromised. Force a password reset immediately. Crucially, if you use the same password for your university portal (.edu email), change that too.
- Verify Data Age: Security teams should check if the exposed “350,000” records correlate with the known 2020 breach victims. If new, post-2020 students are in the list, this is a confirmed fresh breach requiring immediate regulatory reporting.
- Enhanced Phishing Awareness: Warn students to be skeptical of emails referencing “ProctorU” or “Exam Scheduling,” especially if they come from unusual domains.
- Third-Party Security Review: Universities using ProctorU should demand a security audit to confirm if this data exfiltration occurred via a current vulnerability or if it is merely a repost of old data.
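One way to run the “Verify Data Age” check above, as an added example that is not Brinztech's or ProctorU's code. It assumes the 2020 notification list is held as SHA-256 hashes of lowercased emails, that sample records carry hypothetical `email` and `created_at` fields, and that “post-2020” means created on or after 2021-01-01.

```python
import hashlib
from collections import Counter
from datetime import date

# "Post-2020" cutoff: an account created on or after this date cannot have
# been in a 2020 dump. The exact date is an assumption for this example.
POST_2020_CUTOFF = date(2021, 1, 1)

def email_key(email):
    """Normalise and hash an address so lists can be compared without raw PII."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def classify(record, known_2020):
    """Label one leaked record: 'post_2020', 'known_2020' or 'unverified'."""
    created = record.get("created_at") or ""
    try:
        # A post-2020 creation date outranks a list match: it is the
        # signal that data left the system after the 2020 incident.
        if date.fromisoformat(created[:10]) >= POST_2020_CUTOFF:
            return "post_2020"
    except ValueError:
        pass  # missing or malformed date: fall back to the list match
    if email_key(record.get("email") or "") in known_2020:
        return "known_2020"
    return "unverified"

def triage(sample, known_2020):
    """Summarise a sample and give a verdict for the escalation decision."""
    counts = Counter(classify(r, known_2020) for r in sample)
    if counts["post_2020"]:
        verdict = "fresh_breach_indicated"
    elif sample and counts["known_2020"] == len(sample):
        verdict = "consistent_with_2020_repost"
    else:
        verdict = "inconclusive"
    return {"counts": dict(counts), "verdict": verdict}

# Constructed data: hashed 2020 notification list and a sample of the listing.
KNOWN_2020 = {email_key(e) for e in ("a.student@example.edu", "b.student@example.edu")}
SAMPLE = [
    {"email": "A.Student@example.edu ", "created_at": "2019-09-03"},
    {"email": "b.student@example.edu", "created_at": "2020-01-15"},
    {"email": "c.student@example.edu", "created_at": "2023-02-11T08:30:00Z"},
    {"email": "d.student@example.edu", "created_at": "not-a-date"},
]

if __name__ == "__main__":
    print(triage(SAMPLE, KNOWN_2020))
```

A single `post_2020` record is enough to move from “possible repost” to the fresh-breach path; `unverified` records need a manual check against enrollment data before any conclusion is drawn.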