PcComponentes Denies Data Breach Claims as Fake
▼ Summary
– PcComponentes denies a data breach of its systems but confirms it suffered a credential stuffing attack where attackers used credentials from other breaches.
– A threat actor leaked 500,000 customer records and claimed to have 16.3 million, but the company states the number of active accounts is far lower.
– The exposed data for a small number of accounts includes names, addresses, IDs, and contact details, but no financial data or passwords.
– An investigation suggests the leaked credentials likely came from computers infected with info-stealing malware, not from a direct breach of PcComponentes.
– In response, the company has enforced two-factor authentication, added CAPTCHA, logged all users out, and advised customers to use strong, unique passwords.
PcComponentes, a leading Spanish technology retailer, has firmly refuted allegations of a massive data breach affecting 16 million customers, clarifying instead that its platform was targeted by a credential stuffing attack. The company, which attracts an estimated 75 million annual visitors to its marketplace for computers and hardware, launched an investigation after a threat actor using the alias ‘daghetiaw’ advertised a purported customer database online. This actor leaked a sample of 500,000 records and offered to sell the remaining data.
The leaked information reportedly included extensive personal details such as full names, physical addresses, phone numbers, IP addresses, order histories, and even customer support conversations. However, PcComponentes states its security teams found no proof of any unauthorized intrusion into its internal databases or systems. The company emphasized that the claimed figure of 16 million compromised accounts is inaccurate, noting its active user base is substantially smaller. It also reassured customers that financial information and passwords are not stored on its servers.
The investigation did confirm a separate security incident: a credential stuffing attack. This common tactic involves attackers using automated tools to test login credentials, often sourced from older, unrelated data breaches, against other websites. In this case, threat intelligence analysts at Hudson Rock linked the exposed email addresses and passwords to logs from computers infected with information-stealing malware, some dating back to 2020.
For a limited number of accounts where attackers successfully gained access, the exposed data may include names, national ID numbers, addresses, IPs, email addresses, and phone numbers. In response, PcComponentes has rolled out several enhanced security measures. These now include implementing CAPTCHA challenges on login pages, making two-factor authentication (2FA) mandatory for all user accounts, and invalidating every active session. Customers will find themselves logged out and must enable 2FA before they can access their accounts again.
The retailer advises all users to adopt strong, unique passwords for every online service, consider using a reputable password manager, and remain alert for any suspicious phishing attempts following this event. While the exact number of impacted accounts remains undisclosed, the company’s actions aim to prevent similar automated attacks in the future and bolster account security across its platform.
(Source: Bleeping Computer)
