A threat actor using the alias “daghetiaw” recently posted online claiming they had hacked PcComponentes, a major Spanish online electronics retailer, and stolen a huge customer database. According to those posts, the alleged database contained about 16.3 million records listing personal details of customers, including names, addresses, order histories and more — and a sample of around 500,000 records was shared to make the claim seem credible.
These posts quickly spread across social media and cybersecurity forums, prompting concern among PcComponentes customers and the wider tech community. Some reports even said financial information or payment card data might have been included, adding to the alarm.
PcComponentes’ Official Response
PcComponentes strongly denied that its systems were breached. In its statement, the company said that following an internal investigation by its security team, it found no evidence of unauthorized access to its databases or internal infrastructure. As a result, it insists that the widespread claim of a major data breach is false and misleading.
The company also disputed the scale of the claim, noting that the 16-million figure is inaccurate because the actual number of active customer accounts on its platform is significantly lower. It emphasized that the alleged breach and database sale do not reflect reality.
What Actually Happened: Credential Stuffing
Although PcComponentes denies an internal breach, the company did confirm that it observed what is known as a credential stuffing attack on its login systems.
Credential stuffing is a type of cyberattack in which bad actors take large lists of stolen usernames and passwords — typically harvested from breaches at other companies — and automatically try them on many different websites to see if any work. Since many people reuse the same login details across multiple accounts, this technique can let attackers gain access to some accounts even without breaking into the company’s systems directly.
PcComponentes explained that the suspicious activity it detected consisted of many automated login attempts using credentials that were likely obtained from external breaches or from machines infected with malware. In other words, attackers were trying combinations of email and password pairs to gain access to user accounts on the platform.
What Data Was Involved
According to PcComponentes, no financial information or actual passwords were stored on its systems in a form that could be accessed by attackers. The company said it does not retain full payment card details, and customer passwords are stored hashed — meaning they are converted into a secure, unreadable format.
However, for the small number of accounts that attackers may have accessed through credential stuffing, some basic personal information could be visible to whoever logged in. PcComponentes listed these possible data fields as names, addresses, contact details and national ID numbers where applicable — but stressed this was not due to a server breach.
Steps Taken and Recommendations
In response to the activity, PcComponentes implemented additional security measures such as CAPTCHAs on login pages, requiring two-factor authentication (2FA) for all accounts, and resetting active sessions. Customers without 2FA were required to enable it before accessing their accounts again.
The situation highlights the importance of good password practices — using unique passwords for each service and enabling 2FA wherever possible to guard against credential stuffing and other automated attacks.
