
The incident highlights the persistent risk of credential‑stuffing attacks for high‑traffic e‑commerce sites and the necessity of strong authentication controls. It also signals to consumers the importance of unique passwords and password‑manager usage.
The Spanish e‑commerce platform PcComponentes recently found itself at the centre of a high‑profile data‑leak controversy. A hacker group called ‘daghetiaw’ posted a file they claimed contained 16.3 million customer records and offered the remainder for sale. PcComponentes quickly responded, stating that no unauthorized access to its databases had occurred and that the 16‑million figure was inflated. While the company dismissed the massive breach, it confirmed a credential‑stuffing campaign that compromised a small subset of accounts, exposing names, addresses and contact details.
Security analysts traced the credential‑stuffing operation to credential lists harvested by infostealer malware on compromised PCs dating back to 2020. Attackers reused these leaked usernames and passwords in automated login attempts, exploiting the common habit of password reuse across services. PcComponentes’ investigation uncovered dozens of verified email‑password pairs that matched known infostealer logs, confirming the attack’s origin. In response, the retailer deployed CAPTCHA challenges on its login page, forced two‑factor authentication for all users, and terminated every active session to block lingering threats.
The incident underscores a growing challenge for online retailers that handle high traffic volumes and large user bases. Credential‑stuffing attacks bypass traditional perimeter defenses, making multi‑factor authentication and behavioural safeguards essential components of a modern security stack. PcComponentes’ swift rollout of mandatory 2FA and session invalidation serves as a practical playbook for peers facing similar threats. For consumers, the episode reinforces the need for unique, strong passwords and the use of password‑manager tools to mitigate the risk of cross‑site credential leakage.
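The behavioural safeguard and the session-termination step described above can be sketched as detection logic over login events. This is an added example, not code from PcComponentes or the original article; the event format, function names, thresholds and sample data are assumptions constructed for illustration, and grouping by source IP is a simplification, since real campaigns often rotate sources.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success).
# One source walks through a list of accounts; the others are normal users.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i:02d}@example.com", i == 3) for i in range(1, 9)]
    + [
        ("198.51.100.20", "alice@example.com", False),  # typo, then success
        ("198.51.100.20", "alice@example.com", True),
        ("198.51.100.21", "bob@example.com", True),
    ]
)


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.2):
    """Flag sources that try many distinct usernames and mostly fail.

    Password reuse means a stuffing run touches many accounts once each
    with a low hit rate, unlike a user retrying their own password.
    Thresholds are hypothetical and need tuning against real traffic.
    """
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for ip, user, ok in events:
        users[ip].add(user)
        attempts[ip] += 1
        successes[ip] += int(ok)
    return {
        ip
        for ip in users
        if len(users[ip]) >= min_users
        and successes[ip] / attempts[ip] <= max_success_ratio
    }


def accounts_to_contain(events, flagged_sources):
    """Accounts with a successful login from a flagged source.

    These are the ones whose sessions should be terminated and whose
    next login should require a password reset and a second factor.
    """
    return sorted({u for ip, u, ok in events if ok and ip in flagged_sources})


if __name__ == "__main__":
    flagged = find_stuffing_sources(SAMPLE_EVENTS)
    print("flagged sources:", flagged)
    print("contain:", accounts_to_contain(SAMPLE_EVENTS, flagged))
```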