PcComponentes Denies Major Data Breach, Confirms Limited Credential Stuffing Attack Spanish electronics retailer PcComponentes has refuted claims of a large-scale data breach after a hacker alleged the theft of 16.3 million customer records. The company acknowledged a credential stuffing attack but stated that far fewer accounts were impacted than claimed. The incident began when a threat actor, identified as daghetiaw, posted on an underground forum offering a dataset purportedly containing names, postal addresses, IP addresses, product wishlists, and Zendesk customer support messages. To validate the claim, the hacker released a sample of 500,000 records. PcComponentes responded with a public statement, asserting that no unauthorized access to its databases or internal systems occurred. The company disputed the hacker’s claim of 16 million affected accounts, noting that its active user base is significantly smaller. Instead, it confirmed a credential stuffing attack, where attackers used leaked login credentials from other breaches to gain access to some accounts. While the company downplayed the severity, it confirmed that exposed data included names, IDs, postal addresses, IP addresses, and phone numbers but not financial details, as PcComponentes does not store payment information. Customer passwords were also not compromised, as they are not retained in the company’s database. As a precaution, PcComponentes has implemented mandatory CAPTCHA verification and two-factor authentication (2FA) for all future logins. The incident was first reported by BleepingComputer.

PcComponentes Denies Data Breach but Confirms Credential Stuffing Attack Impacting Customers Spain’s leading technology retailer, PcComponentes, has refuted claims of a major data breach affecting 16 million customers but confirmed a credential stuffing attack exposed sensitive account details. The incident emerged after a threat actor, daghetiaw, posted a purported database containing 16.3 million records on hacker forums, leaking 500,000 entries and offering the remainder for sale. The leaked data included order histories, physical addresses, full names, phone numbers, IP addresses, product wishlists, and customer support messages exchanged via Zendesk. However, PcComponentes stated that no financial details or passwords were stored on its systems and that the claimed 16 million affected accounts was exaggerated, as its active user base is significantly smaller. An investigation revealed the attack stemmed from credential stuffing where attackers used reused login credentials from previous breaches to access accounts. Threat intelligence firm Hudson Rock traced the compromised credentials to info-stealing malware infections, with some logins dating back to 2020. A sample of verified emails from the leak matched records in existing infostealer logs. For affected accounts, exposed data included: - Full names - National ID numbers - Physical addresses - IP addresses - Email addresses - Phone numbers In response, PcComponentes implemented CAPTCHA protections, mandatory two-factor authentication (2FA) for all accounts, and invalidated active sessions, forcing users to re-authenticate with 2FA enabled. The company did not disclose the exact number of impacted customers.