A hacker has claimed to have stolen sensitive data of workers of Sorbonne Université, one of France’s leading institutions, and is posting samples on the darknet — the hidden part of the internet where such illicit markets and forums operate. This incident was disclosed by the cyber threat intelligence platform Daily Dark Web on December 1, 2025.
According to Daily Dark Web’s report, a hacker on the darknet has posted a sample of the allegedly exfiltrated data, which might pose a major risk to the institution’s 3,000+ workers. The data spans from regular professional identity information to financial records and extensive contractual records.
Although the college has yet to verify the claims, the published samples already provide disturbing evidence that the attackers have exposed comprehensive personal and payroll documents.
Cybercriminals are increasingly targeting research and educational institutions for financial fraud or identity theft, putting them at greater risk of cyber threats. This mirrors a concerning trend of hackers specifically going after prominent European organizations. We saw it recently when the Italian textile giant Fulgar was breached by the RansomHouse gang and had its data leaked on the dark web.
This time’s case study presents an example of how the growing exposure and vulnerability of research and educational institutions have increased their risk of becoming victims of advanced types of cybercrime, such as ransomware.
Details of the Compromised Data
According to the disclosure, the threat actors noted seven segments of leaked data in their post. However, they have only exposed a small portion of the stolen data to the public on the dark web.
The attack appears to be specifically targeting extensive records of the institution’s employees, which makes the leaked data way more dangerous than regular contact lists.
Researchers analyzed the sample file distributed by the hacker and confirmed records of more than 32,000 workers’ entries. Just this initial sample comprised a vast amount of comprehensive details that other threat actors can easily leverage for nefarious purposes. Crucial sections of data claimed by the hackers or confirmed include:
- Expert identifiers (complete names, departments, positions, internal ID numbers)
- Contract status
- Internal employee codes
- Possible zip codes
Given the massive volume and exactness of the records, one can easily see a deep breach into the prestigious institution’s payroll and Human Resources systems. In the wrong hands, these data can provide threat actors with access to social engineering attacks, enabling them to focus on workers with customized messages that seem legitimate.
Additionally, the threat actors are particularly claiming to possess various sensitive data categories that pose the highest degree of risk to the institution. These documents include: full compensation records (salary history, allowances, digitized payslips, and bonuses), comprehensive contractual files (amendments, commencement/conclusion dates, and PDFs).
The hackers claim they possess bank account numbers (BIC, RIB/IBAN), which are used in facilitating salary payments. Also, they claim to hold social security numbers of staff, CVs, diplomas, cover letters, and certificates of mutual/insurance.
Attackers can weaponize all these documents for identity theft and fraud. Thus, this changes the nature of the cyber breach from a data exposure to a significant financial security problem for all affected individuals.
Possible Effects and Institutional Response
The effects of this hack go far beyond mere data loss and pose immediate dangers to the individuals involved. Analysts noted that the main risk is the possibility of hackers using the exposed data for social engineering attacks, impersonating known entities to steal funds or more data.
Individuals who have provided accurate social security numbers and banking information are at risk of direct financial fraud. As of the press time, Sorbonne Université has not replied to queries or confirmed the claim of the dark web hacker.
