A near-complete user export from DataCamp, the data-science learning platform, is circulating through closed channels and recently surfaced on a public forum. The dataset spans roughly 760,000 accounts and includes far more than the email-and-password pair typical of older breaches.
The export reads like a dump from a production database rather than a curated leak. Each row carries a numeric user ID, email address, bcrypt-hashed password, password reset token, sign-in count, last sign-in timestamp and IP address, account creation date, authentication tokens, name, location, education, biography, avatar metadata, Coursera integration flag, and identifiers for Stripe, PayPal, and Braintree customer profiles. Group memberships and inviter relationships are present too, which means the data describes who taught whom and who invited whom inside corporate teams that used DataCamp for training.
Bcrypt is doing its job, mostly
The good news for DataCamp users is that the passwords were stored as bcrypt hashes, which remains the right answer for that problem. Cracking individual bcrypt hashes is slow enough that mass conversion to plaintext is impractical without unusual budget or unusually weak passwords. The bad news is that the rest of the dataset is plenty useful on its own. Reset tokens, authentication tokens, payment-processor IDs, and last-sign-in IPs together describe an account at a level of detail that the average user never expects to leave the database.
The exposure of corporate-team membership data is the part most likely to interest opportunistic attackers. Knowing who at a target company holds which seat on a learning platform is the kind of breadcrumb that makes a convincing pretext for follow-on phishing.
What to do
If your DataCamp account is in the file, rotate the password. Revoke any active sessions, invalidate the integration tokens, and check that the connected payment profiles have not been reused. The dataset is searchable here.