In recent days, an alleged massive data breach at PcComponentes This has set off alarm bells throughout the Spanish technology sector. What began as a warning on specialized cybersecurity channels has become a case closely followed by clients, experts, and the media, with conflicting accounts between the alleged attacker and the company itself.
While a hacker claims to have accessed the database From the Murcia store and speaks of millions of affected users, PcComponentes maintains that There has been no intrusion into their systems And what we're seeing is the result of a credential stuffing attack using passwords leaked from other services. Amid this public outcry, the key question is what really happened and how users can protect themselves.
The origin of the alert: the hacker's claim of responsibility and Hackmanac's warning
The controversy begins when Hackmanac, a firm specializing in digital threats With a history of alerts about incidents at companies like Endesa or ING, it published a notification on January 20, 2026. In it, it warns that a threat actor calling itself «daghetiaw» He claims to have breached PcComponentes' systems.
According to that alert, the attacker claims to have data from approximately 16,3 million people related to the online store, all allegedly extracted from the company's database. The magnitude of the amount and the type of information described classify the incident as a high-impact cybercrime threat, although it is initially labeled as "pending verification".
To support his story, Daghetiaw himself allegedly posted on cybercrime forums, such as Breach Forums, a sample of 500.000 lines of informationThat portion of data would serve as a "free demonstration" before attempting to sell the complete package to the highest bidder or even use it as leverage against PcComponentes.
The initial analyses of this sample, which have been accessed by various specialized Spanish media outlets, point to a very broad and heterogeneous set of information, encompassing everything from basic identification data up to support records and details related to orders.
What the attacker claims to have: type of data and declared scope
In his public messages, the alleged perpetrator of the attack details that the The database would include personal and corporate information. of PcComponentes customers, collected over years of e-commerce activity. It's not just recent profiles: the sample has identified invoices from 2015, 2023 and other fiscal years, which suggests a long history of the records.
Among the fields that the hacker claims to have obtained are: names and surnames, NIF or DNI of the customers, as well as full postal addresses, postal codes, and contact information. This block of information would allow for the creation of a fairly accurate profile of each user, including their identity and approximate location.
Also cited Orders placed, invoices, shipment tracking numbers and elements directly related to the store's commercial activity. That is, what was purchased, when, for how much money, and how the shipment was processed. To this would be added the Zendesk tickets, the support system, which would open the door to reviewing communication histories between customers and customer service.
In the financial section, the claim refers to bank card metadataCard type, expiry date, and some additional details, although without explicitly mentioning the presence of full card numbers or CVV codes. Along with all of the above, the database would also contain user IP addresses and certain internal statistical information about their purchasing behavior.
Daghetiaw himself emphasizes that his objective would be monetize the dataseteither by selling it on black markets or using it as a means of extortion. This pattern coincides with other major recent incidents in Spain, such as those involving energy companies or public administrations.
PcComponentes' position: They deny an internal breach and point to credential stuffing.
In response to the attacker's account and Hackmanac's initial warnings, PcComponentes has released an official statement in which it denies that there was any unauthorized access to its servers or databases. Following an internal investigation, the company maintains that no evidence of intrusion has been detected in its infrastructure.
Instead of a classic gap, the company speaks of a credential stuffing attackThis type of threat relies on databases previously leaked from other websites or services, containing email addresses and passwords in plain text. Attackers use these lists and automatically try the same username and password combinations on multiple platforms, trusting that many users will guess correctly. They reuse the same password on different sites.
When this reuse occurs, it's possible for third parties to gain access to real accounts without directly compromising the security of the target company. According to PcComponentes, that's exactly what they've observed: unauthorized access to some customer accounts taking advantage of credentials previously exposed in leaks unrelated to the store.
The company also clearly questions the figure used by the attacker and disseminated on social media: it asserts that the 16 million affected customers do not match the number of active accounts which they maintain on their platform today, which would be "markedly lower." In any case, they acknowledge that there is a limited number of users whose data has been compromised through these unauthorized accesses to their accounts.
A central point of the official response is the insistence that They do not store bank details in their systems, and customer passwords are not stored in plain text either. Instead, payment information is managed through token usage that identify the transaction but do not allow the card to be reconstructed, and the access keys become encrypted and irreversible hashes.
Public contradictions: the hacker reappears and accuses the company of lying
The conflicting accounts didn't stop there. Following PcComponentes' statement denying the direct hack, Daghetiaw himself reappears online to respond to the company's claims. In a new message, it accuses the store of lying to your customers about what happened and claims to have solid evidence.
According to this new publication, the attacker would have reached access internal administration panelssupport systems and other critical company tools. To back up his claims, he allegedly released employee login credentials, screenshots of internal interfaces and more details that, in theory, would demonstrate its prolonged presence in the PcComponentes infrastructure.
Media outlets specializing in video games and technology, as well as portals focused on networks and telecommunications, have reported on this second round of leaks They claim to have contacted the company to find out what steps it plans to take following these new revelations. For now, the official response published by PcComponentes continues to focus on credential stuffing and the lack of conclusive evidence of a massive theft from its servers.
This situation creates a complex scenario for the user: On one hand, there are the detailed accusations of the alleged attacker; for another, the company's refusal to admit an internal breach and their insistence that it all stems from known external leaks. In any case, the practical risk of malicious use of this data exists if the package is actually in circulation.
Beyond the public dispute, the incident reopens the debate on how Spanish technology companies manage their operations. transparency, incident reporting and compliance with the General Data Protection Regulation (GDPR), which requires rigorous reporting when a security breach affecting personal information is suspected.
Potentially exposed data and real risks to customers
Although PcComponentes insists that Bank details and passwords have not been compromisedThe information that might be circulating in the hands of third parties is not exactly harmless. We are talking about names, surnames, ID or tax identification number, physical addresses and email addresses, phone numbers and IP addresses associated with the connections.
This type of data is perfect raw material for highly customized phishing attacksIf a cybercriminal knows what you've bought, when you bought it, and the shipping address, they can create much more believable messages than a simple generic email. A text message or email that mentions a real order and even includes the amount is far more likely to deceive the recipient.
Furthermore, with identity documents, contact information, and a consumption history, attackers can attempt impersonating the victims with other companies or services, from operators and banks to online platforms. They don't need to have your PcComponentes password for the risk to exist: often, a combination of personal data and well-honed social engineering techniques is enough.
Another obvious danger is that this entire information package will end up for sale on underground forumswhere different criminal groups can combine it with other existing leaks. By cross-referencing databases from various sources, extremely detailed profiles are built on millions of European citizens, multiplying the possibilities for fraud.
In this context, although the company emphasizes that The keys are stored as irreversible hashes And even though card numbers are not stored, the exposure of personal and commercial relationship data remains a significant problem for the privacy and security of users, both in Spain and in the rest of Europe.
Measures taken by PcComponentes to strengthen security
In response to the wave of concern and the possibility that some customers' accounts may have been compromised, PcComponentes has announced a series of technical measures to tighten access to the platform. The goal is to minimize the effectiveness of credential stuffing attacks and block automated attempts.
First, the company has activated a CAPTCHA required upon loginThis system seeks to distinguish humans from bots, making it more difficult for automated tools to try thousands of username and password combinations in a very short time.
Secondly, it has been decided to forcibly enable the Two-factor authentication (2FA)From now on, to access the account it will not be enough to enter the password: it will be necessary to confirm access using an additional code sent by email or another channel defined by the company.
Furthermore, PcComponentes has proceeded to Close all active sessionsThis forces all users to log in again under the new security conditions. This effectively ends any session that might have been compromised by previous unauthorized access.
The company claims that these actions allow significantly strengthen account protection and mitigate the risks arising from the use of leaked passwords on third-party platforms. In addition, it has committed to sending individualized communications to potentially affected customersexplaining the situation and the specific recommendations for each case.
Key recommendations for users in the event of a possible hack
Regardless of who is right in the clash of versions, experience shows that when talking about Multi-million dollar data leaks in EuropeIt is advisable to act with caution. Several media outlets and cybersecurity experts, as well as PcComponentes itself, have agreed on a series of measures that users should take as soon as possible.
The first one is very clear: change the password associated with the PcComponentes accountAnd not only there, but also in all those services where the same password or a similar variation is being used. Reusing passwords is, nowadays, one of the most common and, at the same time, most dangerous mistakes on the internet.
Secondly, it is essential Activate two-factor authentication Whenever possible, this should be implemented on PcComponentes, as well as on banks, email accounts, social media platforms, and other sensitive sites. This system adds an extra layer that can deter an attacker even if they manage to guess or steal the password.
It is also advised closely monitor bank transactions during the next few weeks and consider use a virtual cardAlthough the company emphasizes that it does not store card numbers, the presence of metadata and other personal data increases the likelihood of fraud attempts. For any unfamiliar charges, the wise course of action is to contact your financial institution as soon as possible.
Finally, there is consensus on something that sounds repetitive, but which takes on special importance in episodes like this: Exercise extreme caution with suspicious emails, SMS messages, or calls. They may impersonate PcComponentes or other companies. If a message mentions a real order and asks you to click on a link, enter passwords, or provide bank details, it's best to be suspicious, access the official website directly by typing the address into your browser, and check there for any issues.
This incident, whether or not confirmed as an internal breach by the company, brings the issue back to the forefront. How exposed are the personal data of millions of users? And to what extent everyday practices such as repeating passwords or trusting any message "that looks official" can open the door to major problems; the combination of previous leaks, techniques such as credential stuffing and increasingly sophisticated phishing campaigns paints a picture in which digital prudence ceases to be an abstract recommendation and becomes a daily necessity.
