-
A dark web dealer says he has a database with records related to investors in Taiwan worth 6.5 million dollars, sharing sample data and listing the price as negotiable on an underground forum.
-
A similar 6.5 million record breach claim appeared in March 2025, involving a global financial website where attackers exploited an IDOR vulnerability to steal customer data.
-
Taiwan recently strengthened data protection laws, establishing an independent commission and requiring breach notifications within 72 hours, with fines up to NT$15 million for non-compliance.
A cybercriminal on a dark web forum has posted an advertisement claiming to possess a massive database belonging to Taiwan investors. The seller alleges the stolen information contains approximately 6.5 million lines of records.
The threat actor shared sample data as proof of the breach and listed the price as negotiable. The stolen files reportedly come in Excel format. The post did not specify which investment platform or stock trading company the data originated from.
Security researchers reveal that such large record claims on underground forums often come out through exaggeration, and sometimes, the criminals recycle data from older breaches. However, financial sector data breaches in Taiwan have occurred before; this recent claim is worth investigating.
Similar Breach Claim Involving 6.5 Million Records Surfaced
This new post closely resembles a March 2025 dark web listing. A cybersecurity report from S2W Inc. documented a BreachForums user named “BusinessMan” selling 6.5 million customer records from a global financial information website. The user indicated that they exploited an IDOR vulnerability to obtain these customer records, which included user IDs and email addresses.
The seller in the March 2025 dark web document provided a sample of the records that they obtained, along with their intention to offer up the records to the highest bidder. Stolen databases aren’t the only thing for sale on these forums; hackers have also been offering corporate network access and even physical airport access in recent dark web listings.
An IDOR, or Insecure Direct Object Reference, occurs when a web application does not validate whether a user has permission to access data.
Although no one officially identified the company involved in last year’s breached document, the number of stolen records closely matches what the new dark web seller is claiming to have. Cybersecurity experts warn that this could represent the same recycled dataset or a fresh breach of similar scale targeting Taiwan’s financial sector.
Taiwan Financial Sector Faces Rising Security Threats
Dark web monitoring reveals a pattern of attacks against Taiwanese financial platforms. In January this year, an analysis noted that approximately 550,000 customer records from a Taiwan-based investment firm appeared for sale on a Chinese hacking forum for $399, that leak included names, email addresses, phone numbers, and access logs.
In February 2026, another threat actor claimed to have compromised Taiwan’s largest car trading platform, dumping a complete database that likely affected hundreds of thousands of users. The attacker reportedly stated they specialized in data exfiltration and had already sold the packaged information.
In light of the heightened threat, the Taiwanese Financial Supervisory Commission (FSC) issued a NT$1.2 million fine to Jkopay after hackers accessed an old test server and obtained personal information of its customers. The commission found the company failed to implement proper testing environment management and lacked effective intrusion detection systems.
New Taiwan Data Protection Law Increases Breach Penalties
Taiwan has updated its Data Protection Act because of increasing problems with cybersecurity. The new Independent Personal Data Protection Commission will be responsible for monitoring compliance and enforcing this law. The revised act also requires organizations to notify affected individuals of any data breach within 72 hours.
Under the new PDPA, organizations that do not notify affected parties or fail to implement adequate security will be subject to fines between NT20,000 and NT15 million for each violation. Those who intentionally steal data with malicious intent will be subject to a maximum penalty of five years imprisonment and a fine of up to NT1 million.
The revised PDPA also gives the PDPC the authority to conduct administrative inspections of organizations and compel them to take remedial action. Non-governmental organizations must take prompt remedial action upon discovering a data breach and maintain records of all activities related to the breach for inspection by the PDPC.
Investors concerned about whether or not their data could appear on the dark web should closely monitor their financial accounts. Additionally, they should enable multi-factor authentication on all trading platforms, and they should also be on the lookout for phishing emails that may target them based on any stolen contact information.
