Telefónica verifies a data breach after stolen data got leaked

January 14, 2025

The Spanish telecommunication provider, Telefónica, confirmed in an advisory earlier this week that it became the subject of a recent data breach incident.

The advisory came after a breach of its internal ticketing system, with the allegedly stolen database leaked on a dark web hacking site. The affected entity is a Spanish multinational telecom business with over 104,000 employees in at least twelve countries. It is also one of Spain’s largest telecoms businesses.

Telefónica confirmed in one of its inquiries that its ticketing system suffered a compromise, which it is currently investigating. The company also revealed that its team is actively examining the scope of the incident and has taken all required actions to prevent unauthorised access to the system.

The data leak might have forced Telefónica to confirm the breach.

According to reports, the data breach confirmation comes after a Telefónica Jira database was disclosed on a hacker site. Four people using the aliases DNA, Grep, Pryx, and Rey claimed the breach.

One of the attackers explained that the telecom’s “internal ticketing system” is a Jira development and ticketing server that the organisation uses to report and resolve internal issues.

Further research has also shown that the system was accessed using compromised employee credentials earlier this week. The company has since reset passwords on the affected accounts, blocking access with the stolen credentials.

The threat actors allegedly hacked employee accounts to scrape about 2.3 GB of documents, tickets, and miscellaneous information. While some of this data was tagged as client data, the tickets were opened using @telefonica[.]com email addresses. Hence, they might have been opened on behalf of customers.

Furthermore, the attacker claims they did not contact the company, negotiate with it, or try to extort it before posting the information online. Researchers quickly pointed out that the three attackers were members of the recently launched Hellcat Ransomware operation.

Potentially affected parties of this recent leak should be wary of unsolicited communications. Other cybercriminals that have already acquired the leaked data may use it for other purposes, such as phishing and social engineering campaigns.
