- PcComponentes denies breach claims, confirming only a credential stuffing attack occurred
- Hacker alleged 16.3m records stolen; company says far fewer accounts were affected
- Future logins require CAPTCHA and mandatory two-factor authentication for added security
Spanish PC components retailer PcComponentes has denied suffering a big data breach – but did confirm it suffered a credential stuffing attack.
A cybercriminal recently posted a new thread on an underground forum, claiming to have stolen sensitive data from the company. Offering the archive for sale, the hacker – named ‘daghetiaw’ – says it contains 16.3 million records, including people’s names, postal addresses, IP addresses, product wishlists, and customer support messages generated through Zendesk.
To prove the authenticity of their claims, the hacker also published a sample of 500,000 records.
Weird campaign
Soon after, PcComponentes published a notice on its website, saying it was never breached and that the claims the hacker made are false.
“There has been no illegitimate access to our databases or internal systems,” the company said, as per a machine-translated notice.
“The figure of 16 million customers supposedly affected is false, as the number of active accounts on PcComponentes is markedly lower.”
The company then explained that its investigation showed it suffered a credential stuffing attack. A threat actor obtained login credentials elsewhere on the dark web and tried to use them on the platform.
Customers who use the same password across multiple services were most likely broken into, and whatever information they stored in their account, was most likely nabbed.
Still, PcComponentes downplayed this incident, as well, saying only a handful of customers were affected, and the data stolen was not that important.
“Likewise, illegitimate access has not been massive, that is, only some customers have been affected,” it said. “The bank details have not been compromised in any case since PcComponentes does not store them. For this reason, there is no risk of bank details being stolen,” it explained.
“Customer passwords are never stored in our database.”
Through credential stuffing, the cybercriminal was able to grab people’s names, IDs, postal addresses, IP addresses, and phone numbers.
Going forward, all users logging in will first have to solve a CAPTCHA and will have to set up 2FA.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/XXNiwpXEHaVmdz2z3wPeq3-970-80.jpg
Source link
