Search TorWire

Find cybersecurity guides and research articles

Home > News > Cybersecurity > Threat Actor Claims to be Selling Alleged Monday.com 300K User Records

Threat Actor Claims to be Selling Alleged Monday.com 300K User Records

By: Morgan Cipher Senior Privacy Journalist

Last updated: July 8, 2026

Human Written
Threat Actor Claims to be Selling Alleged Monday.com 300K User Records
  • A threat actor claims to have a database allegedly linked to Monday.com containing more than 300,000 user records up for sale.

  • The advertised sample reportedly includes personal details, account information, authentication fields, and organizational data from several countries.

  • Monday.com has not confirmed any breach, and researchers have not independently verified the authenticity of the alleged dataset.

A threat actor allegedly listed a database tied to workplace collaboration platform Monday.com for sale on a cybercrime forum. The claim surfaced through the cyber threat intelligence account Dark Web Informer.

Dark Web Informer shared the listing on X after spotting an underground forum post advertising what the seller described as a Monday.com database. The threat actor claimed the archive contains more than 300,000 unique user records.

Threat Actor Claims Database Contains User and Organization Records

According to Dark Web Informer, the sample includes names, email addresses, phone numbers, account identifiers, and account names. It also references subscription plans, product categories, user roles, and geographic information. The advertised records reportedly contain countries, time zones, account status details, creation dates, and update timestamps. Authentication-related fields also appear throughout the sample.

Those fields allegedly include login information, password hash entries, single sign-on (SSO) indicators, and multi-factor authentication (MFA) status. The dataset also references organizations using the collaboration platform. The visible records appear to include organizations and users from France, Spain, Italy, Germany, Portugal, the United Kingdom, and the United States.

Despite the extensive information shown in the sample, Dark Web Informer stressed that the listing remains an unverified claim. The threat intelligence account did not state that Monday.com had suffered a confirmed breach.

That distinction remains important. Cybercriminals frequently advertise databases without proving their origin. Some actors exaggerate the value of stolen information to attract buyers. Others recycle data from previous incidents and market it as newly obtained.

Security Experts Points at Factors Behind the Growth in Security Risks

Even though there is no verification for the listing, security professionals won’t stop looking into posts that point to information leaks. Those details can increase the value of stolen datasets for cybercriminals. Login identifiers, SSO configurations, MFA indicators, and user roles can help attackers identify valuable accounts. 

Password Hashes do not expose passwords in plain text. However, attackers sometimes try offline cracking tactics against weak or outdated algorithms. If criminals successfully recover passwords, they may attempt credential stuffing attacks against other services. Those who use one password on every platform are even more at risk. 

For Subscription information, bad actors can use it to create convincing emails that resemble legitimate customer accounts. Thanks to the actual business details that bad actors use. They can also take advantage of organizational information when launching business email compromise (BEC) campaigns.

The value of such data is evident in other dark web listings, where a threat actor recently claimed a massive Bet365 data breach with stolen records offered for sale. They frequently impersonate trusted colleagues, vendors, or platform administrators to deceive employees. 

Monday.com Users Should Monitor Accounts while Waiting for Confirmation

Given the nature of this event, the platform advises users to avoid any assumptions. Instead, they should stay alert until the news is confirmed. They also advised that security teams should watch for unusual login attempts, unexpected account activity, and phishing emails. For organizations, multi-factor authentication should come in handy.

Employees should carefully verify unexpected requests involving credentials, password resets, or account verification. These bad actors often take advantage of the uncertainty surrounding alleged breaches. Avoid links in any fishy emails. If you must visit Monday.com, go directly to its official website.

At the moment, cybersecurity researchers are treating the forum post as an unverified claim. There’s no independent confirmation, and no announcement from Monday.com about having victims. Until investigators verify the dataset on air or the company releases an official statement, the listing should remain an allegation circulating on a cybercrime forum.

Share this article

About the Author

Morgan Cipher

Morgan Cipher

Senior Privacy Journalist

Morgan combines a journalist’s curiosity with a security specialist’s precision. His reporting on data breaches, privacy laws, and encryption tech has been featured in several tech publications. At TorWire, he focuses on real-world threats and how to counter them, always with an eye on what’s next in digital privacy.

Comments (0)

No comments.