- PcComponentes denies claims of a breach and confirms that only a credential attack took place
- Hacker claimed to have stolen 16.3 million the company says far fewer accounts were affected
- Future logins require CAPTCHA and mandatory two-factor authentication for increased security
Spanish PC component retailer PcComponentes has denied suffering a major data breach – but confirmed it was hit by a credential attack.
A cybercriminal recently posted a new thread on an underground forum claiming to have stolen sensitive data from the company. Offering the archive for sale, the hacker – dubbed ‘daghetiaw’ – says it contains 16.3 million records, including people’s names, postal addresses, IP addresses, product wish lists and customer support messages generated through Zendesk.
To prove the authenticity of their claims, the hacker also published a sample of 500,000 records.
Weird campaign
Soon after, PcComponentes published a notice on its website saying that it was never breached and that the claims made by the hacker are false.
“There has been no illegal access to our databases or internal systems,” the company said, according to a machine-translated statement.
“The figure of 16 million customers allegedly affected is false, as the number of active accounts on PcComponentes is significantly lower.”
The company then explained that its investigation showed it suffered a credential attack. A threat actor obtained login credentials elsewhere on the dark web and attempted to use them on the platform.
Customers who use the same password across multiple services have most likely been hacked and whatever information they have stored on their account has most likely been captured.
However, PcComponentes also played down this incident, saying that only a handful of customers were affected and the stolen data was not that important.
“Similarly, illegitimate access has not been massive, that is, only some customers have been affected,” it said. “Bank details have not been compromised under any circumstances, as PcComponentes does not store them. For this reason, there is no risk of bank details being stolen,” it explained.
“Customer passwords are never stored in our database.”
Through credential stuffing, the cybercriminal was able to obtain people’s names, IDs, mailing addresses, IP addresses, and phone numbers.
Going forward, all users logging in must first solve a CAPTCHA and must configure 2FA.
Via Bleeping Computer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
