IEEA Campeche: l1ghtSoulHem Claims Staff and Student Database Leak

On June 3, 2026, threat actor l1ghtSoulHem (operating under the SoulHemTeam banner) posted what they claim is a full database leak from the Instituto Estatal de Educación para Adultos (IEEA) Campeche, the Mexican state agency responsible for adult education in Campeche. The actor released the dataset as a free leak on an underground forum, with distribution routed through a Telegram channel. The exposure allegedly includes staff and student personally identifiable information (PII), CURP national identifiers, and salary records. As of publication, the claim remains unverified, and neither IEEA nor Campeche state authorities have publicly responded.

What Happened

A sample staff directory was published to an underground forum on June 3, 2026, with the actor advertising the full dataset for free download via an associated Telegram channel. The post identifies IEEA Campeche (inea.gob.mx) as the source, and the redacted preview screenshot includes records consistent with internal directory data from a state government body. No record count has been disclosed by the actor, so the total scope of the dataset is currently unknown. The leak fits a broader pattern of free-distribution dumps targeting Mexican government entities observed over the last several days, including a June 2 leak from the Nayarit Public Property Registry and a June 1 INEGI Mexico data dump.

What Was Taken

Per the actor's post, the dataset allegedly contains:

• Full names of staff and students
• Phone numbers
• Email addresses
• CURP (Clave Única de Registro de Población) national identifiers
• Employee and worker records
• Student records (adult education enrollees)
• Salary information for staff
• State agency directory data

CURP is the single most sensitive field in this set. As a lifelong, unique identifier issued by the Mexican government, it underpins tax, banking, healthcare, and social benefits enrollment. Unlike credentials, CURP cannot be rotated.

Why It Matters

IEEA Campeche serves adult learners, a population that is disproportionately likely to lack the digital literacy and financial buffer to absorb identity-theft fallout. The combination of full name, CURP, contact data, and (for staff) salary information is a near-complete fraud kit: it enables SAT (tax authority) impersonation, CFE utility account takeover, fraudulent loan applications, and targeted phishing tied to known employment status. Salary data also creates targeting leverage for extortion and social engineering against specific staff members. Strategically, this is the third Mexican government dataset dumped for free in three days, suggesting either a coordinated campaign or competing actors signaling capability against weakly defended state-level agencies.

The Attack Technique

The actor has not disclosed an initial access vector, and no technical artifacts have been published alongside the leak. State-level Mexican education and registry bodies have historically been compromised through exposed administrative panels, SQL injection against legacy PHP web applications, and credential reuse from prior leaks. The free-leak monetization model, with no extortion phase, suggests either reputation-building behavior by a newer actor or that the data was deemed low-resale-value after failed private sale attempts.

What Organizations Should Do

1. Mexican state agencies, particularly education and civil registry bodies, should immediately audit internet-facing administrative portals for default credentials, unpatched CMS instances, and exposed database endpoints.
2. IEEA Campeche staff should be issued a fraud-awareness advisory covering SAT, CFE, and bank impersonation attempts, with explicit guidance that legitimate agencies will not request CURP verification by phone.
3. Treat any account using CURP as a knowledge-based authentication factor as compromised for the affected population; require step-up verification on banking and government portals.
4. Threat intelligence teams should ingest l1ghtSoulHem and SoulHemTeam as monitored identifiers and track the associated Telegram distribution channel for follow-on dumps targeting other Mexican states.
5. Affected individuals should be guided to file a CURP-misuse complaint with CONDUSEF and monitor Buró de Crédito reports for unauthorized inquiries.
6. Peer state agencies should assume similar exposure and proactively rotate any shared service credentials, VPN access, or federated authentication tokens that overlap with IEEA Campeche systems.

Sources: IEEA Campeche Data Breach: Hackers Claim to Leak Staff and Student Records