Alleged Data Breach at Iranian Social Media App Nazdika Sparks Security Concerns

In a developing cybersecurity incident, threat actors have allegedly leaked sensitive user data from Nazdika, a popular Iranian social media platform.

The breach, first reported by dark web monitoring accounts, is said to expose millions of user records, though official confirmation remains pending.

Preliminary analysis suggests parallels with recent global cyberattacks targeting unprotected credentials and third-party vulnerabilities.

Data Exposure and Dark Web Sale

According to these reports, a threat actor operating under the alias “ShadowCollector” advertised a 4.2 GB dataset on underground forums, purportedly containing 12.7 million Nazdika user records.

The leaked information allegedly includes:

  • Usernames and hashed passwords
  • Email addresses and phone numbers
  • Profile metadata (follower counts, engagement metrics)
  • Geolocation tags from posts

Cybersecurity analysts note that the dataset’s structure resembles previous breaches of improperly secured MongoDB instances. Such exposures usually stem from misconfiguration rather than missing patches: a database left reachable from the internet with authentication disabled can be dumped by anyone who finds it.
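The listing says the dump contains “hashed passwords”, which means little on its own: the report does not say which hashing scheme Nazdika used, and an unsalted fast hash (MD5, SHA-1, SHA-256) offers almost no protection once the file is public. The following added example, written for this article and not taken from Nazdika or from the leaked data, shows how an analyst triages such a dump: it guesses the scheme from the hash format, then runs a small dictionary attack. The records, the wordlist and the `pbkdf2_sha256$…` field layout are all constructed for the example.

```python
import hashlib
import re
from typing import Dict, Optional, Tuple

# Throwaway wordlist for the dictionary attack (constructed for this example).
WORDLIST = ["123456", "password", "qwerty", "iloveyou", "111111", "nazdika"]

HEX_RE = re.compile(r"^[0-9a-f]+$")
FAST_HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def pbkdf2_record(password: str, salt: bytes, iterations: int) -> str:
    """Encode a salted, iterated hash as 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'.
    The field layout is an assumption made for this example, not Nazdika's format."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


# Constructed sample in the shape the report describes (username + password hash).
# These are NOT records from the alleged dump: the hashes are generated here from
# known passwords so the outcome of each cracking attempt can be checked.
SAMPLE_RECORDS = [
    {"username": "user01", "password_hash": hashlib.md5(b"123456").hexdigest()},
    {"username": "user02", "password_hash": hashlib.sha1(b"qwerty").hexdigest()},
    {"username": "user03", "password_hash": hashlib.sha256(b"iloveyou").hexdigest()},
    {"username": "user04", "password_hash": pbkdf2_record("123456", b"salt123", 200_000)},
    {"username": "user05", "password_hash": hashlib.md5(b"Zq!9vX#pL2wR").hexdigest()},
]


def classify_hash(h: str) -> str:
    """Guess the hash scheme from its format alone, as an analyst would when triaging a dump."""
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if h.startswith("pbkdf2_sha256$"):
        return "pbkdf2_sha256"
    if HEX_RE.match(h):
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h), "unknown")
    return "unknown"


def crack_fast(h: str, algo: str, wordlist) -> Optional[str]:
    """Unsalted fast hash: one digest per candidate, so a wordlist runs at millions per second."""
    fn = FAST_HASHES[algo]
    for word in wordlist:
        if fn(word.encode()).hexdigest() == h:
            return word
    return None


def crack_pbkdf2(h: str, wordlist) -> Optional[str]:
    """Salted, iterated hash: each candidate costs <iterations> HMACs, but a weak password still falls."""
    _, iters, salt_hex, digest_hex = h.split("$")
    salt, iterations = bytes.fromhex(salt_hex), int(iters)
    for word in wordlist:
        if hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations).hex() == digest_hex:
            return word
    return None


def triage(records, wordlist) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each username to (hash scheme, recovered password or None)."""
    results = {}
    for rec in records:
        h = rec["password_hash"]
        algo = classify_hash(h)
        if algo in FAST_HASHES:
            cracked = crack_fast(h, algo, wordlist)
        elif algo == "pbkdf2_sha256":
            cracked = crack_pbkdf2(h, wordlist)
        else:
            cracked = None  # bcrypt would need a third-party library; skipped here
        results[rec["username"]] = (algo, cracked)
    return results


if __name__ == "__main__":
    for user, (algo, pw) in triage(SAMPLE_RECORDS, WORDLIST).items():
        print(f"{user}: {algo:14s} {'cracked -> ' + pw if pw else 'not in wordlist'}")
```

The takeaway for affected users is the same whichever scheme the platform used: the three unsalted hashes fall instantly, the salted PBKDF2 record falls too because the password itself is weak, and only the record with a strong, unique password survives the wordlist. A slow hash buys time; it does not make a reused or guessable password safe.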

While Nazdika’s parent company has not verified the breach’s authenticity, the app’s wide distribution through regional marketplaces such as Myket (which listed “com.nazdika.app” among its frequently installed apps) means any compromise of the platform would reach a large installed base, and raises questions about supply-chain risk in regional app ecosystems.

Potential Impact on Iranian Digital Privacy

The alleged breach carries significant risks for Iran’s tightly regulated internet landscape:

  1. Surveillance Escalation: User location data could enable physical tracking by state and non-state actors, particularly targeting activists and journalists.
  2. Cross-Platform Compromise: Reused passwords may expose users’ accounts on other platforms such as Instagram, and leaked phone numbers make WhatsApp accounts (which are tied to the number rather than to a password) easier to target; both services remain partially accessible via VPNs.
  3. Phishing Infrastructure: Threat actors could leverage profile metadata to craft targeted social engineering campaigns in Persian, mirroring tactics used in the 2024 Thai healthcare breaches.

Notably, the leak coincides with increased Iranian government scrutiny of social platforms, prompting concerns that breached data might be weaponized for censorship or arrests.
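The surveillance risk in point 1 is concrete: a handful of geotagged posts per user is enough to guess where that user sleeps. The following added example, written for this article and not part of the original report or of any analysis of the real dataset, shows the standard approach: keep only night-time posts (in the poster’s own time zone, taken from the timestamp offset), snap coordinates to a coarse grid, and pick the most-visited cell. The posts, the grid size of 0.005 degrees (roughly 500 m), the night window and the minimum-post threshold are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed geotagged posts in the shape the report describes: (user, ISO timestamp
# with the poster's local offset, latitude, longitude). Made up for illustration,
# not data from the alleged leak; the coordinates are synthetic.
SAMPLE_POSTS = [
    ("user_a", "2024-03-01T22:15:00+03:30", 35.7012, 51.3911),  # late evening
    ("user_a", "2024-03-02T23:40:00+03:30", 35.7015, 51.3905),
    ("user_a", "2024-03-03T01:05:00+03:30", 35.7009, 51.3918),
    ("user_a", "2024-03-03T12:30:00+03:30", 35.7221, 51.4112),  # daytime, elsewhere
    ("user_a", "2024-03-04T13:10:00+03:30", 35.7225, 51.4108),
    ("user_a", "2024-03-04T23:55:00+03:30", 35.7011, 51.3909),
    ("user_b", "2024-03-01T10:00:00+03:30", 35.6900, 51.3800),  # one daytime post only
]

GRID_DEG = 0.005          # grid cell of roughly 500 m; an assumption for this example
NIGHT_HOURS = set(range(21, 24)) | set(range(0, 6))  # 21:00-05:59 local time
MIN_NIGHT_POSTS = 3       # below this, refuse to guess


def grid_cell(lat: float, lon: float) -> Tuple[int, int]:
    """Snap a coordinate to an integer grid cell so nearby posts collapse together."""
    return (int(round(lat / GRID_DEG)), int(round(lon / GRID_DEG)))


def is_night(ts: str) -> bool:
    """True if the post was made at night in the poster's own time zone (offset kept from the tag)."""
    return datetime.fromisoformat(ts).hour in NIGHT_HOURS


def infer_home(posts: List[Tuple[str, str, float, float]],
               user: str) -> Optional[Tuple[float, float, int, float]]:
    """Return (lat, lon, night posts in that cell, share of the user's night posts) for the
    most-visited night-time cell, or None if there is too little data to say."""
    night_cells = Counter(
        grid_cell(lat, lon)
        for (u, ts, lat, lon) in posts
        if u == user and is_night(ts)
    )
    if not night_cells:
        return None
    (cell_lat, cell_lon), count = night_cells.most_common(1)[0]
    if count < MIN_NIGHT_POSTS:
        return None
    total = sum(night_cells.values())
    return (round(cell_lat * GRID_DEG, 4), round(cell_lon * GRID_DEG, 4), count, count / total)


if __name__ == "__main__":
    for u in ("user_a", "user_b"):
        print(u, infer_home(SAMPLE_POSTS, u))
```

With six posts, four of them at night in one cell, the sample user is pinned to a 500 m square with full agreement across those posts; the second user, with a single daytime post, yields nothing. The mitigation on the platform side is to strip or coarsen location tags before storage, since a breach later exposes whatever precision was kept.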

Investigations and Mitigation Efforts

While Nazdika’s technical team reportedly initiated forensic analysis, cybersecurity firms highlight critical gaps:

  • Authentication Flaws: As in the Snowflake customer-account breaches, the affected accounts reportedly lacked multi-factor authentication (MFA), so credentials harvested by infostealer malware were sufficient on their own to log in.
  • Third-Party Risks: Initial intrusion may have occurred through a Turkish analytics contractor, echoing NATO’s 2024 breach via compromised vendors.

Global infosec authorities recommend Nazdika users:

  • Immediately rotate passwords and enable MFA
  • Audit linked financial accounts for suspicious activity
  • Monitor for blackmail attempts leveraging private messages

As of publication, Telegram channels affiliated with Iran’s Cyber Police (FATA) have not acknowledged the breach, maintaining standard advisories against “immoral social platforms.”

This developing story underscores the escalating cybersecurity challenges facing regional tech platforms, particularly those operating under sanctions regimes with limited access to international threat intelligence networks.

The incident mirrors patterns observed in the 2025 Aadhaar breach and IntelBroker attacks, where delayed disclosure exacerbated user risks.

Independent verification of the dataset’s authenticity remains pending from global cybersecurity coalitions.
