Vietnam’s National Credit Bureau Hacked: ShinyHunters Claims Massive Data Breach
Some data breaches achieve global notoriety due to the sheer magnitude of those affected — such as the 2019 Facebook scraping incident, which exposed the records of 553 million users. Others unfold as national catastrophes: in 2019, a misconfigured database revealed the personal details of nearly the entire population of Ecuador; in 2006, an insider breach compromised almost all citizens of Israel; in 2016, an open voter database exposed data on more than 75% of Mexico’s population; and in 2024, the UnitedHealth Change Healthcare attack stripped 190 million Americans of their privacy.
Now, Vietnam joins this grim list. The group ShinyHunters has claimed responsibility for an attack on the Vietnam Credit Information Institute (CIC), the state-run National Credit Information Center overseen by the country’s central bank. This institution manages the registration, collection, processing, and storage of credit data, conducts risk analyses, and issues credit reports for both individuals and businesses. It also assigns credit ratings and produces specialized financial intelligence products.
In closed Telegram channels, ShinyHunters boasted that Vietnam was “taken in 24 hours.” Meanwhile, on a hacking forum, they listed the full dataset for sale, attaching a large sample as proof. The advertisement described the trove as containing “highly sensitive information,” including personal details, credit payment records, risk assessments, credit card data (requiring decryption of the FDE algorithm), tax and military identifiers, government-issued IDs, income statements, debt records, and more.
The site DataBreaches.net reached out to ShinyHunters to clarify the scale, noting that Vietnam’s population is just under 102 million. The hackers explained that the dump contained historical records, making it impossible to calculate the exact number of unique individuals, but insisted it covered the entire population. According to them, the tables held a staggering three billion rows of data. They claimed access was gained through an n-day vulnerability in software no longer supported — meaning no patch was available.
ShinyHunters stressed that no ransom demands were made, as they believed CIC would not respond. DataBreaches submitted an official inquiry to the center itself, but as of publication, no reply had been received. Thus, while the hackers’ evidence appears credible, their claims remain unverified.
The group also addressed attribution, stating that the operation was not linked to Scattered Spider or Lapsus$, but was entirely their own. They admitted that confusion over their identity has long persisted, with many in the community believing them to be separate collectives, a misunderstanding they have yet to resolve.
If confirmed, this would rank as Vietnam’s largest breach of personal and financial data and one of the most devastating in Asia. Beyond basic identifiers, it places at risk detailed credit histories, tax records, and even military documents. For a nation where the National Credit Information Center is central to the financial system, such a breach could erode public trust in institutions and provide fertile ground for widespread fraud and exploitation.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
