Spanish Retailer PcComponentes Refutes Breach Claims, Confirms Large-Scale Credential Stuffing Attack

Executive Summary

PcComponentes, a major online technology retailer in Spain, has publicly refuted allegations of a system breach after a threat actor named 'daghetiaw' claimed to have stolen and was selling a database of 16.3 million customer records. The company's internal investigation found no evidence of unauthorized access to its core databases. Instead, PcComponentes identified the activity as a large-scale credential stuffing attack. This involves automated attempts to log into accounts using username and password combinations leaked from previous breaches at other companies. While customer passwords and financial data were not compromised from PcComponentes' systems, personal data from accounts with reused passwords was accessed. To mitigate the threat, the company has enforced mandatory two-factor authentication (2FA) for all accounts and logged out all users to force a secure re-authentication.

Threat Overview

The incident was initiated by a threat actor, 'daghetiaw,' who posted on a hacking forum claiming to possess a database of 16.3 million PcComponentes customers. The actor offered a sample of 500,000 records to prove the claim, which included full names, tax IDs, addresses, phone numbers, and IP addresses.

PcComponentes' investigation determined this was not a direct breach of their infrastructure but an account takeover (ATO) campaign via credential stuffing. The attack likely unfolded as follows:

1. Acquisition of Credentials: The attacker obtained large lists of usernames and passwords from previous data breaches at unrelated services.
2. Automated Login Attempts: Using automated tools, the attacker systematically tried these stolen credentials against the PcComponentes login portal.
3. Account Takeover: For every successful login, where a user had reused the same password on PcComponentes, the attacker gained access to the account.
4. Data Scraping: The attacker then scraped the personal information stored within the compromised user accounts, including names, contact details, and addresses.
5. Monetization Attempt: The aggregated data was compiled into a database and put up for sale.

This attack highlights the pervasive risk of password reuse across different online services.

Technical Analysis

This incident is a classic example of a credential stuffing attack, a subset of brute-force attacks.

• Attack Technique: The primary technique is T1110.003 - Credential Stuffing. This relies on the high probability that users reuse passwords across multiple sites. Threat intelligence firm Hudson Rock suggested the credentials may have been sourced from info-stealer malware logs.
• Exposed Data: The data exposed was limited to what is available in a user's profile on the PcComponentes website. This included names, ID numbers, addresses, IP addresses, and phone numbers. Crucially, PcComponentes stated it does not store full financial details or user passwords in a recoverable format.
• Attacker Infrastructure: The attack likely involved a botnet or a network of proxy servers to distribute the login attempts and bypass simple IP-based blocking.

Impact Assessment

Although not a direct breach of PcComponentes' core systems, the impact on affected customers is significant:

• Privacy Violation: The exposure of personal information like names, addresses, and phone numbers can lead to targeted phishing, smishing, and other social engineering attacks.
• Identity Theft: The combination of name, address, and tax ID number (if provided) can be used for identity fraud.
• Reputational Damage: While PcComponentes' core security may have held, the incident can erode customer trust and highlights the need for proactive user security measures.
• Operational Cost: The company incurred costs for investigation, public relations, and the forced implementation of enhanced security measures like mandatory 2FA.

Detection & Response

PcComponentes' response demonstrates best practices for handling a credential stuffing attack:

1. Forced Session Invalidation: By invalidating all active sessions, the company immediately ejected any unauthorized actors from compromised accounts.
2. Mandatory 2FA: Enforcing two-factor authentication is the single most effective control against credential stuffing, as a password alone is no longer sufficient for access. This aligns with M1032 - Multi-factor Authentication.
3. CAPTCHA Implementation: Adding CAPTCHA to the login page helps to thwart the automated tools used in these attacks.
4. Public Communication: The company proactively communicated the nature of the attack, corrected misinformation about a 'breach,' and guided users on securing their accounts.

Organizations can detect such attacks by monitoring for high volumes of failed login attempts from disparate IP addresses and sudden spikes in successful logins for accounts that have been dormant. User behavior analysis (D3-UBA) can help identify anomalous login patterns.

Mitigation

Users and organizations can take several steps to mitigate the risk of credential stuffing:

• For Users:

  1. Unique Passwords: Never reuse passwords across different websites. Use a password manager to generate and store strong, unique passwords for every account.
  2. Enable 2FA: Always enable two-factor or multi-factor authentication whenever it is offered.

• For Organizations:

  1. Implement MFA (M1032 - Multi-factor Authentication): Offer and encourage (or mandate) MFA for all user accounts.
  2. Monitor Login Activity (M1040 - Behavior Prevention on Endpoint): Implement tools to detect high-frequency login attempts, impossible travel scenarios, and other indicators of automated attacks.
  3. Password Policies (M1027 - Password Policies): Block the use of common or previously breached passwords by checking new passwords against a known-breached list.