2021 does not start off on the right foot in terms of hacking. In addition to the 11 million phone numbers leaked from Facebook users, now we must add that the personal data of more than 5 million Phone House customers have been leaked online just a few days after the hack was known .
The Have I Been Pwned website, which allows us to check if our email or phone number is in a data breach, added this morning the filtered Phone House database, with a total of 5,223,350 affected accounts , well over 1 or 3 million accounts that were initially discussed, where hackers themselves had said they had hacked “only” 3 million. The sad thing is that this is only the first part of the leak, so there will be more accounts affected at least.
Update: in total the data of 13 million people have been leaked, where 3 million are foreigners and 10 million are Spanish. At the moment the database published by the hackers is 5.2 million, but there are those who have already had access to the complete database with all the IDs of those affected. This means that around 1 in 4 Spaniards is in the leak.
The leak includes virtually all personal data
The attack took place using the Babuk ransomware , created by the homonymous group and which encrypted all the company’s data. In this process, they obtained all the information of clients and employees of the company. The attackers claimed that they managed to download 10 Oracle databases that include all the comprehensive data that the RPGD requires to collect.
Among these data we find full name, ID, date of birth, email, bank account, telephone number, gender, nationality, and physical address , with street, city and province. Samples of the database confirming the leak have been posted on Babuk’s blog on the Dark Web, including sample photos and the download link. The bank account seems to have only been affected if you have taken out insurance.
Given the large size of Phone House in Spain, a significant part of the population has been affected by this failure. In addition to your direct clients, clients who have contracted your insurance service through a subcontractor also appear in the database.
Phone House has yet to comment on the attack.
Phone House received a threat in which, if they did not pay the ransom, the data would end up published on the network. The company has not paid, and therefore they have been leaked. The company has not yet made any statement in this regard, and they should have already notified the Spanish Data Protection Agency (AEPD) of the leak, as the law requires them to do so in less than 72 hours . In addition, they should also communicate this to affected users and not have to resort to services such as Have I Been Pwned.
In my case, my data has been leaked because I had the happy idea of selling a mobile phone in one of their stores, having to fill in the data through the Internet. I didn’t even create an account, but it seems that that was not enough for them to collect my data and have ended up in the leak. Interestingly, I had another account registered with an email in which I only added my name, and that email is not in the data breach.
Therefore, if you want to check if you are affected, you just have to go to https://haveibeenpwned.com/ and put your email. Troy Hunt, who runs the website, has not yet said if he will add the phone numbers to verify them, as he did with Facebook. Since the numbers are ordered, it would not be unusual for you to add them later. According to him, 58% of the emails from the leak were already present on Have I Been Pwned.