Online retailer PcComponentes says data breach claims are fake
PcComponentes, a major technology retailer in Spain, has denied claims of a data breach impacting 16 million customers but confirmed it suffered a credential stuffing attack. A threat actor named ‘daghetiaw’ claimed to have published a customer database stolen from PcComponentes, containing 16.3 million records. They leaked 500,000 records and offered to sell the rest to the highest bidder.
PcComponentes states that its investigation found no evidence of unauthorized access to its systems. The company maintains that there has been no illegitimate access to databases or internal systems, and argues that the figure of 16 million supposedly affected customers is false, as the actual number of active accounts is significantly lower. It emphasized that no financial details or customer passwords are stored on its systems.
However, PcComponentes acknowledged evidence of a credential stuffing attack, which relies on reused login credentials from other services. An investigation by Hudson Rock indicated that the attackers probably collected login data from computers infected with info-stealing malware.
In response, PcComponentes has taken steps to enhance security, including implementing CAPTCHA on login pages, requiring two-factor authentication (2FA) for all accounts, and invalidating all active sessions. Customers are advised to use strong, unique passwords for each account and to remain vigilant for potential phishing messages.
For the complete article, visit Bleeping Computer. ✌️