PcComponentes denies data breach, confirms credential stuffing attack

Spanish technology retailer PcComponentes has denied claims of a widespread data breach affecting 16 million customers, but has confirmed that its systems were subjected to a credential stuffing attack. The company, a major player in the Spanish e-commerce market for computer hardware and electronics, stated that the reported number of affected customers is inaccurate, according to a recent report by Bleeping Computer.

A threat actor known as "daghetiaw" initially claimed to have stolen a database containing 16.3 million customer records, leaking a portion and offering the remainder for sale. The purported stolen data included order details, physical addresses, names, phone numbers, IP addresses, wish-lists, and customer support messages. However, PcComponentes' investigation found no evidence of unauthorized access to its databases. The company did confirm a credential stuffing attack, where attackers used reused email addresses and passwords from other breaches to attempt to access PcComponentes accounts. Threat intelligence firm Hudson Rock indicated that the login data likely originated from computers infected with info-stealing malware.

In response to the credential stuffing attack, PcComponentes has implemented enhanced security measures, including CAPTCHA on login pages and mandatory two-factor authentication (2FA) for all accounts. All active sessions have been invalidated, requiring users to re-authenticate and enable 2FA.

Source: Bleeping Computer