Mexico has had some pretty tough months in terms of cybersecurity. Many of its institutions and organizations have been victims of a cascade of security breaches that have exposed sensitive information about their users. From the data leak at the Mexican Social Security Institute (IMSS) to the security breach at the National Autonomous University of Mexico (UNAM), by way of the vulnerability in Telcel's systems or signs of a leak at the Tax Administration Service (SAT), the list is extensive and worrying.
The context. Between September 2025 and January 2026, Mexico recorded at least a dozen serious cybersecurity incidents that affected public organizations and private companies. The IMSS, the National Employment Service, the Ministry of Education of Chiapas, the Federal Electricity Commission and various state agencies have seen their systems compromised. The result has been the breach of sensitive data belonging to millions of Mexicans.
The UNAM case. The National Autonomous University of Mexico confirmed a few weeks ago that it suffered an unauthorized intrusion into five of its more than 100,000 computer systems during the holiday period. Although the university assured that no personal information was extracted, the investigation by journalist Ignacio Gómez Villaseñor revealed that the hacker identified as ByteToBreach allegedly accessed data of more than 380,000 students and academics, including registrations, institutional emails and encrypted passwords.
According to the journalist, the attacker also had access to sensitive documents that include complaints of workplace harassment, alleged academic plagiarism, and confidential communications from the rector’s office.
The background. According to Villaseñor's account, the UNAM security breach was not a sudden event. The journalist shows internal documents revealing that the university detected a first illicit access on March 13, 2025 and filed a complaint with the Attorney General’s Office, although the case did not progress.
The final attack, which occurred between December 31 and January 1, came at a time when engineers and developers from the Technology Projects Coordination had gone months without receiving their fees due to “audit processes”, according to an internal letter from September 2025. The situation coincided with the exploitation of a critical vulnerability (CVE-2025-66478) in Next.js servers that allowed the massive hack.
The protagonist. ByteToBreach is not unknown in the world of cybercrime. According to SOCRadar, it has been operating as a seller of stolen databases since at least June 2025. It has been linked to breaches affecting airlines, banks, government institutions and health systems in several countries. In Mexico, in addition to the UNAM breach, it is credited with the attack on the Invoice SAT Móvil application in December 2025, although the organization denied that its systems were compromised despite the technical evidence presented by the attacker.
The Telcel scandal. Less than 24 hours after the entry into force of the mandatory registration of mobile lines in Mexico, Telcel, one of the largest operators in the country, also faced a serious security vulnerability. On January 9, 2026, Gómez Villaseñor reported that the company’s official portal allowed the personal information of millions of clients to be consulted without the need for passwords or verification codes: identity, CURP (Unique Population Registry Code), RFC (Federal Taxpayer Registry) and email were exposed simply by entering a telephone number.
Although Telcel initially issued an ambiguous statement saying that the data was secure, Renato Flores, deputy director of communications for the company, acknowledged hours later on national radio that “there was a technical vulnerability” that was immediately corrected. The company insisted that users could only access their own information, although the journalist published a video proving the opposite.
The response. After the events, UNAM gave assurances that it will not spare resources on cybersecurity during 2026. Rector Leonardo Lomelí Vanegas indicated that a network of internal experts and training programs would be created, while ensuring that the security of its systems would be fortified. To this end, an Internal Regulation of the Technical Committee for Computing Governance has been approved and seven specialized subcommittees have been established, including one specifically dedicated to computer security.
Real risks. These security breaches pose a real risk to citizens. With data such as CURP, RFC, university registrations and emails circulating on the black market, the risks include identity theft, impersonation to carry out fraudulent procedures, targeted phishing campaigns and access to accounts on other platforms if passwords are reused. And the leak of medical information from the IMSS, fiscal data from the SAT and educational records creates a complete profile of citizens that can be exploited in multiple ways.
In this sense, users have no choice but to remain alert: not providing sensitive data by SMS, calls or emails without verifying the identity of the requester, changing compromised passwords and monitoring for possible fraudulent use. On the other hand, it never hurts to activate two-factor authentication whenever possible. As much as we repeat these instructions when security breaches of this magnitude arise, they are really basic steps that are in our power and that can greatly minimize the risks.


