Cyber: Online Retailer PcComponentes Says Data Breach Claims Are Fake
PcComponentes, a major technology retailer in Spain, has denied claims of a data breach on its systems impacting 16 million customers, but confirmed it suffered a credential stuffing attack.
The Spanish e-commerce company specializes in the sale of computers, laptops, peripherals, and hardware, and has an estimated 75 million unique marketplace visitors per year.
Yesterday, a threat actor named ‘daghetiaw’ published what they claimed to be a customer database stolen from PcComponentes, containing 16.3 million records. The threat actor leaked 500,000 records and offered to sell the rest to the highest bidder.
The leaked data contains order details, physical addresses, full names, phone numbers, IP addresses, product wish-lists, and customer support messages exchanged with the firm via Zendesk.
In an announcement today, PcComponentes says that it investigated a possible breach of its systems, but its security experts found no evidence of unauthorized access.
"There has been no illegitimate access to our databases or internal systems," the company assures, adding that "the figure of 16 million supposedly affected customers is false, as the number of active PcComponentes accounts is significantly lower."
The company also underlined that no financial details or customer passwords are stored on its systems.
However, PcComponentes admitted that its investigation discovered evidence of a credential stuffing attack on its platform. This means that a threat actor tried email addresses and passwords from other security breaches or leaked databases to find PcComponentes accounts.
Credential stuffing attacks are typically automated and rely on large volumes of reused login credentials from other services.
An investigation from threat intelligence company Hudson Rock discovered that the attackers likely collected the login data from computers infected with info-stealing malware.
Source: BleepingComputer