The driving school platform Matferline.com would have suffered a SQL injection cyberattack and a threat actor who identifies as Macaroni claims on the dark web that they have more than 703,000 student records. Among the data they claim to have are DNI, names and surnames, email addresses, phone numbers, usernames, unencrypted passwords, registration data, account statements, and profile photos.
The breach stands out for a particularly delicate point. The service works with a network of more than 1,200 associated driving schools and, at the same time, the alleged attacker claims that the access keys would be stored unencrypted, a fact that would increase the risk for users if those passwords had been reused in other services.
The attacker offers the database for up to 35,000 dollars
Macaroni has priced the alleged database in various formats. They offer it for 35,000 dollars exclusively, for 17,000 dollars for basic access, or in batches of a thousand records with amounts between 750 and 1,000 dollars.
In addition to personal identifiers, the announcement attributed to the threat actor includes account information and profile photos. The combination of these fields would broaden the impact of the leak if the content ends up circulating outside that sales channel.
Given a case of these characteristics, affected users should review their accesses as soon as possible. Cybersecurity specialists recommend immediately changing passwords reused in other services to reduce possible chain accesses.
Escudo Digital awaits the company's response regarding the measures applied
The entity Escudo Digital has contacted Matferline to verify the facts and know what security measures the platform had implemented. For now, the company has not responded to that request for information.
The service belongs to Ediciones MATFER S.L., an Andalusian-origin company founded in 1998 by Manuel Tomás Fernández Ropero. The firm manages a road safety training platform with more than 1,200 associated driving schools.
If the intrusion and the volume of data end up being confirmed, the exposure would affect a wide set of students registered in the system. The most concrete data communicated so far by the alleged attacker places the information they claim to have extracted at more than 703,000 student records.