PcComponentes Denies Major Data Breach, Confirms Limited Credential Stuffing Attack
Spanish electronics retailer PcComponentes has refuted claims of a large-scale data breach after a hacker alleged the theft of 16.3 million customer records. The company acknowledged a credential stuffing attack but stated that far fewer accounts were impacted than claimed.
The incident began when a threat actor, identified as daghetiaw, posted on an underground forum offering a dataset purportedly containing names, postal addresses, IP addresses, product wishlists, and Zendesk customer support messages. To validate the claim, the hacker released a sample of 500,000 records.
PcComponentes responded with a public statement, asserting that no unauthorized access to its databases or internal systems occurred. The company disputed the hacker’s claim of 16 million affected accounts, noting that its active user base is significantly smaller. Instead, it confirmed a credential stuffing attack, where attackers used leaked login credentials from other breaches to gain access to some accounts.
While the company downplayed the severity, it confirmed that exposed data included names, IDs, postal addresses, IP addresses, and phone numbers but not financial details, as PcComponentes does not store payment information. Customer passwords were also not compromised, as they are not retained in the company’s database.
As a precaution, PcComponentes has implemented mandatory CAPTCHA verification and two-factor authentication (2FA) for all future logins. The incident was first reported by BleepingComputer.
Source: https://www.techradar.com/pro/security/top-pc-components-store-denies-data-breach
PcComponentes cybersecurity rating report: https://www.rankiteo.com/company/pccomponentes
"id": "PCC1769088339",
"linkid": "pccomponentes",
"type": "Breach",
"date": "1/2026",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"{'affected_entities': [{'customers_affected': 'Limited (far fewer than 16.3 '
'million)',
'industry': 'Electronics',
'location': 'Spain',
'name': 'PcComponentes',
'type': 'Retailer'}],
'attack_vector': 'Leaked login credentials from other breaches',
'customer_advisories': 'Public statement denying large-scale breach, '
'confirming limited credential stuffing attack',
'data_breach': {'data_exfiltration': 'Alleged (disputed by PcComponentes)',
'number_of_records_exposed': '500,000 (sample); 16.3 million '
'claimed (disputed)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'Moderate to High (PII exposed, but no '
'financial data or passwords)',
'type_of_data_compromised': ['Names',
'Postal addresses',
'IP addresses',
'Phone numbers',
'Product wishlists',
'Zendesk customer support '
'messages']},
'description': 'Spanish electronics retailer PcComponentes denied a '
'large-scale data breach after a hacker claimed the theft of '
'16.3 million customer records. The company confirmed a '
'credential stuffing attack with limited impact, far fewer '
"than the hacker's claim.",
'impact': {'data_compromised': 'Names, postal addresses, IP addresses, phone '
'numbers, product wishlists, Zendesk customer '
'support messages',
'identity_theft_risk': 'High',
'payment_information_risk': 'None (payment information not '
'stored)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Alleged (dataset offered '
'on underground forum)'},
'post_incident_analysis': {'corrective_actions': 'Mandatory CAPTCHA and 2FA '
'implementation',
'root_causes': 'Use of leaked credentials from '
'other breaches'},
'recommendations': 'Implement CAPTCHA and 2FA to prevent credential stuffing '
'attacks',
'references': [{'source': 'BleepingComputer'}],
'response': {'communication_strategy': 'Public statement denying large-scale '
'breach, confirming limited credential '
'stuffing attack',
'containment_measures': 'Mandatory CAPTCHA verification, '
'two-factor authentication (2FA) for all '
'future logins'},
'threat_actor': 'daghetiaw',
'title': 'PcComponentes Credential Stuffing Attack',
'type': 'Credential Stuffing'}