-
A threat actor claims to be selling a database linked to a Spanish gas company containing about 555,000 customer records.
-
The advertised data allegedly includes names, phone numbers, email addresses, and IBAN banking details.
-
Researchers have not independently verified the authenticity of the database or the claims surrounding its origin.
A threat actor has allegedly listed a database belonging to a Spanish gas company for sale on a cybercrime forum, raising concerns about the potential exposure of hundreds of thousands of customers’ personal and financial information.
According to information shared by Daily Dark Web Intelligence on X, the seller claims the database contains approximately 555,000 records. The advertised dataset reportedly includes customer names, surnames, phone numbers, email addresses, and International Bank Account Numbers (IBANs).
The listing has attracted attention because of the volume of records involved and the sensitivity of the information allegedly included. However, neither Daily Dark Web Intelligence nor independent cybersecurity researchers have confirmed the authenticity of the claims at the time of publication.
Threat Actor Claims Data Came From System Vulnerability
The threat actor promoted the database on a cybercrime forum and described the records as newly obtained customer information. According to the seller, the dataset has not previously appeared on underground marketplaces or public leak sites.
The individual behind the listing also claims to have acquired the information by exploiting a vulnerability within the targeted company’s systems. The seller further alleges that the database remains private and has not been distributed to other parties.
Cybersecurity researchers frequently warn that criminals operating on underground forums often exaggerate the quality, size, exclusivity, or source of stolen data to attract buyers. As a result, organizations and security analysts typically require independent verification before confirming the legitimacy of such claims.
A screenshot accompanying the listing appears to reveal part of the database structure. The advertised records allegedly contain identification numbers, document types, customer names, phone numbers, email addresses, banking details, bank names, province information, localities, and postal codes.
If authentic, the combination of personally identifiable information and banking-related data could make the database particularly valuable within cybercriminal communities.
The seller also claims the database contains around 555,000 unique customer records. According to the forum post, the actor may consider exclusive access arrangements, although the data could also be sold to multiple buyers. Threat actors commonly use such sales tactics to generate urgency and increase buyer interest.
Customer and Banking Information Could Fuel Fraud Attempts
Security experts note that cybercriminals can use datasets containing financial identifiers and personal information for a wide range of fraudulent activities.
Although an IBAN alone does not typically provide direct access to a bank account, attackers can combine it with names, email addresses, phone numbers, and location details to launch highly targeted scams.
Fraudsters often use this type of information to impersonate legitimate companies and contact victims through email, phone calls, or text messages. These communications may attempt to trick customers into revealing passwords, authentication codes, payment details, or other sensitive information.
Attackers could also leverage the records to conduct account verification scams, fake billing schemes, or fraudulent payment requests designed to appear legitimate.
Phone number exposure is a growing concern in data breaches. Integra Credit recently had 134,000 customer phone numbers exposed, highlighting how this information can be weaponized for smishing and vishing attacks.
The presence of detailed customer information may further increase the effectiveness of phishing campaigns. Criminals frequently personalize messages with accurate personal details to make their communications appear trustworthy and convincing.
Such attacks can lead to credential theft, unauthorized account access, financial losses, and additional exposure of personal information.
Authenticity Remains Unverified
Beyond phishing and fraud risks, the dataset could also support broader social engineering operations. Criminals often combine multiple pieces of personal information to create detailed victim profiles, allowing them to carry out more sophisticated impersonation attempts.
Customer names, phone numbers, geographical information, and banking-related details can significantly improve an attacker’s ability to deceive potential victims.
Despite the concerns raised by the listing, no public evidence currently confirms that the advertised database is genuine. The identity of the Spanish gas company allegedly affected also remains unknown.
Daily Dark Web Intelligence stated that it has not independently validated the claims made by the seller. As with many dark web advertisements, experts advise treating the information cautiously until the affected organization or independent researchers verify the data.
If confirmed, the incident would underscore the continuing threat posed by data breaches targeting critical service providers and highlight the risks associated with exposing customer and financial information to cybercriminals.
