Dark Web News Analysis
The dark web news reports a catastrophic, multi-vector data breach and sale of a database from SVIsual, a Spanish (EU) organization providing video-interpretation services for the deaf community. The database, containing 100,000 user lines and dated 2025 (i.e., fresh), is for sale on a hacker forum.
The leaked data is a “full kit” for total identity takeover:
- PII: Names, Addresses, Emails, Phone Numbers, DOB, Gender.
- Credentials: logins, passwords (likely plaintext or weakly hashed).
- Permanent Takeover Data: security questions and answers (!!!).
- MFA-Bypass Data: cookies (!!!).
- Contextual Data: mobile connection data, operating systems.
Key Cybersecurity Insights
This is a critical-severity incident with extreme, immediate risks. The nature of the data suggests this is an Infostealer malware log dump, not a standard server breach.
- CRITICAL: The Source (Infostealer “Logs”): This is the #1 insight. The combination of passwords, cookies, and operating system data is the “smoking gun” for Infostealer malware (e.g., RedLine, Vidar). This means the 100,000 users’ computers were infected, and the malware stole all their saved browser data. The seller has simply aggregated all the logs related to “SVIsual”.
- IMMEDIATE Risk 1: MFA Bypass (via Cookies): This is the most urgent threat. The attacker doesn’t need the password. The leaked cookies are active session tokens. The buyer can inject these into their browser to instantly hijack a user’s logged-in session, completely bypassing Multi-Factor Authentication (MFA).
- IMMEDIATE Risk 2: Permanent Account Takeover (via Q&A): The leak of security questions and answers is catastrophic. Even if the user (or SVIsual) resets the password, the attacker still holds the keys to the account. They can use the “Forgot Password” flow, answer the security questions, and permanently lock the real user out.
- IMMEDIATE Risk 3: Credential Stuffing: The logins and passwords will be used in automated attacks to take over other accounts (banks, email, social media) where the user has reused their password.
- CRITICAL: GDPR (DSGVO) Failure & AEPD Report: As an EU (Spanish) organization, this is a worst-case breach under the General Data Protection Regulation (GDPR).
  - Special Category Data: The victims are users of a service for the deaf community. This is “data concerning health” and/or data of a vulnerable population, which carries the highest level of protection and penalties.
  - Mandatory 72-Hour Reporting: SVIsual is legally required to report this breach to the Spanish Data Protection Authority (AEPD – Agencia Española de Protección de Datos) within 72 hours of awareness.
  - Leaking plaintext passwords, cookies, and security questions is an extreme act of negligence that will attract maximum fines from the AEPD.
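Credential stuffing leaves a recognisable trace in a service's own authentication logs: one source address cycling through many different usernames with a high failure rate. The following is an added example, not code from the original post or from SVIsual or Brinztech, that flags such sources and lists the accounts that did log in successfully from them (the ones to review first). The log format, field names, thresholds and the sample log lines are all constructed for the demo.

```python
"""Added example (not from the original post): flag credential-stuffing sources
in authentication logs. Log format, thresholds and sample lines are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: 203.0.113.7 walks through six accounts with mostly
# failures (the stuffing pattern); 198.51.100.20 is one user mistyping once.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z auth fail user=ana.perez ip=203.0.113.7
2025-06-01T10:00:02Z auth fail user=jlopez ip=203.0.113.7
2025-06-01T10:00:03Z auth fail user=m.garcia ip=203.0.113.7
2025-06-01T10:00:04Z auth ok user=r.santos ip=203.0.113.7
2025-06-01T10:00:05Z auth fail user=c.ruiz ip=203.0.113.7
2025-06-01T10:00:06Z auth fail user=d.martin ip=203.0.113.7
2025-06-01T10:00:30Z auth fail user=bob ip=198.51.100.20
2025-06-01T10:00:41Z auth ok user=bob ip=198.51.100.20
"""

# Assumed line shape: "<ISO timestamp> auth ok|fail user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_auth_log(text: str) -> List[dict]:
    """Turn raw log text into event dicts; lines of another shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "ok",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_stuffing_sources(
    events: List[dict],
    window: timedelta = timedelta(minutes=5),
    min_users: int = 5,
    min_fail_ratio: float = 0.8,
) -> Dict[str, dict]:
    """Per source IP, slide a time window over its attempts and flag the IP when
    the window holds many distinct usernames and is dominated by failures."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # drop attempts that fell out of the window
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Accounts that *succeeded* from a stuffing source are the
                # likely takeovers and need session revocation and review.
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    "succeeded_users": sorted(e["user"] for e in win if e["ok"]),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The thresholds are deliberately conservative (five distinct accounts and an 80% failure rate inside five minutes); on real traffic they are tuned against the service's normal login behaviour, and NAT or proxy egress addresses that legitimately carry many users need an allow-list or a higher bar.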
Mitigation Strategies
This is a “scorched earth” breach. All user credentials and sessions are compromised and must be fully reset.
- For SVIsual (The Company):
  - IMMEDIATE: Force Invalidate ALL Sessions: This is the #1 priority to kill the leaked cookies and stop the MFA-bypass attacks. This must be done before the password reset.
  - IMMEDIATE: Force Password Reset: (As suggested) Mandate a password reset for all 100,000 users.
  - CRITICAL: Force Reset of ALL Security Questions: You must assume all security Q&A data is compromised. All users must be forced to set new ones (or, preferably, move to MFA).
  - MANDATORY: Report to AEPD: Report this breach to the AEPD immediately to meet the 72-hour legal deadline.
  - MANDATORY: Notify All Users: Immediately send a transparent breach notification to all 100,000 users. The warning must be explicit about the leak of passwords, security questions, and cookies and the specific, high risk of credential stuffing and fraud.
- For Affected Users:
  - CRITICAL: Change Reused Passwords NOW. If you reused your SVIsual password on any other site (email, bank, etc.), that account is compromised. Go and change those passwords immediately.
  - Enable MFA Everywhere: Use MFA on all your important accounts.
  - Phishing Vigilance: Be extremely skeptical of all incoming emails, texts, or calls. Attackers will use your real name, DOB, and security question answers to try to scam you.
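The order of the three forced resets above matters: a leaked cookie keeps working after a password change unless the server actively rejects it. The following is an added example, not SVIsual's or Brinztech's code, of one server-side way to do that: every cookie carries a per-user "session generation" and an issue time, and the breach response bumps the generation for all users, sets a global cutoff, flags a mandatory password reset and wipes stored security answers. The cookie layout, class and function names, and the signing key are assumptions made for the demo.

```python
"""Added example (not SVIsual's or Brinztech's code): rejecting leaked session
cookies server-side, then forcing password and security-question resets.
Cookie layout, names and the demo signing key are assumptions."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: a real service loads this from a secret store, never from source.
COOKIE_KEY = b"constructed-demo-signing-key"


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    security_answers: List[str] = field(default_factory=list)
    session_generation: int = 0      # embedded in each cookie; bump to revoke all
    must_reset_password: bool = False
    must_reset_questions: bool = False


def _sign(payload: str) -> str:
    return hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: User, issued_at: Optional[int] = None) -> str:
    """Sign a cookie carrying username, session generation and issue time."""
    ts = int(time.time()) if issued_at is None else issued_at
    payload = f"{user.username}|{user.session_generation}|{ts}|{secrets.token_hex(8)}"
    return f"{payload}|{_sign(payload)}"


class SessionStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.cutoff = 0  # cookies issued before this epoch second are dead for everyone

    def add_user(self, username: str, password: str, answers: List[str]) -> User:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        user = User(username, salt, digest, list(answers))
        self.users[username] = user
        return user

    def validate_cookie(self, cookie: str) -> Optional[User]:
        """Return the user only if the cookie is untampered, carries the user's
        current generation and was issued after the global cutoff."""
        parts = cookie.split("|")
        if len(parts) != 5:
            return None
        username, gen, ts, nonce, sig = parts
        if not hmac.compare_digest(_sign(f"{username}|{gen}|{ts}|{nonce}"), sig):
            return None  # forged or edited cookie
        user = self.users.get(username)
        if user is None or int(gen) != user.session_generation or int(ts) < self.cutoff:
            return None  # revoked: pre-breach generation or pre-cutoff issue time
        return user

    def breach_response(self, now: Optional[int] = None) -> Dict[str, int]:
        """The three forced resets, in the order the analysis recommends."""
        self.cutoff = int(time.time()) if now is None else now
        for user in self.users.values():
            user.session_generation += 1       # 1. every existing cookie stops working
            user.must_reset_password = True    # 2. next login must set a new password
            user.security_answers.clear()      # 3. stored answers are treated as public
            user.must_reset_questions = True
        return {"sessions_revoked": len(self.users), "resets_required": len(self.users)}


if __name__ == "__main__":
    store = SessionStore()
    alice = store.add_user("alice", "correct horse battery", ["madrid"])
    old = issue_cookie(alice)
    print("before:", store.validate_cookie(old) is alice)
    print(store.breach_response())
    print("after:", store.validate_cookie(old))
```

Because the generation lives in the user record rather than in a per-session table, revoking 100,000 users' sessions is one pass over the user table, and the global cutoff additionally catches any cookie whose generation check might be bypassed by a stale replica.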
Questions or Feedback? This analysis is based on threat intelligence from a dark web forum. A breach of this nature (Infostealer logs) is a critical-severity event, as it allows attackers to bypass MFA and permanently take over accounts. Brinztech provides cybersecurity services worldwide and does not endorse or guarantee the accuracy of external claims. For any inquiries or to report this post, please email: contact@brinztech.com