Spanish online electronics retailer PcComponentes has denied a hacker’s claims to have stolen data on its customers.

Hackrisk.io, a strategic cyber threat intelligence platform developed and maintained by Hackmanac, reported that a malicious actor using the alias ‘daghetiaw’ claimed to have hacked the e-commerce company. The platform added that it was attempting to verify the claim.

According to Hackrisk.io, the hacker allegedly stole data relating to 16.3 million people, including tax identification numbers, orders, invoices, addresses, contact details, Zendesk tickets, credit card metadata, IP addresses, and purchase information. The platform notes that the hacker has shared a sample of 500,000 lines as proof of the data theft from PcComponentes.

CSO contacted PcComponentes, which issued a statement explaining that there had been no unauthorized access to its databases or internal systems.

“What we have detected is a phenomenon known in cybersecurity as credential stuffing. This means that a third party has used email addresses and passwords obtained from security breaches in compromised databases outside of PcComponentes,” the statement said, adding, “The categories of data affected are: name, surname, ID number (in cases where the customer has entered it), address, IP, email, and telephone number.”

PcComponentes said, “The figure of 16 million customers allegedly affected is false, as the number of active accounts on PcComponentes is significantly lower. Furthermore, the illegitimate access has not been widespread, meaning that only some customers have been affected.”

It also explained that bank details have not been compromised in any case, “since PcComponentes does not store them, but only keeps a security code (token) that is used to identify the payment, but does not allow the card to be viewed or charges to be made on its own. This code has no value outside the payment system and cannot be used fraudulently. For this reason, there is no risk of bank details being stolen.” Nor have customer passwords been compromised, it said, as “they are never stored in our database. Instead, they are converted into a secret, encrypted code (hash). This code is irreversible, which means that neither we nor anyone else can see the original password.”

Finally, PcComponentes reports that it has implemented a series of measures aimed at minimizing the impact of this incident, which “significantly strengthen account protection and reduce the risk of illegitimate access from compromised databases outside PcComponentes that are published on the internet.”

This article originally appeared on Computerworld/CSO España.
