PONT Data&Privacy

Data of 3.6 million customers exposed in Allekabels.nl data breach

The private data and passwords of 3.6 million Dutch citizens have been exposed as a result of a data breach at Allekabels.nl. The online retailer was the target of a hacker last August, who managed to get in via a backdoor. The leak was reported to the Autoriteit Persoonsgegevens.

VPN Guide April 16, 2021

This was reported by Daniel Verlaan, tech journalist at RTL News. He accessed the dataset and called 30 random people to determine its authenticity.

IBAN numbers also captured

The database contains 2.6 million unique e-mail addresses. These are linked to a wide range of personal information, including names, dates of birth, home addresses, phone numbers and encrypted passwords. The remaining one million entries are from people who ordered something from Allekabels.nl via sales platforms such as Bol.com and Amazon. No e-mail addresses or passwords were leaked from the latter group. The IBAN numbers of about 109,000 Allekabels.nl customers were also stolen. This gives cause for great concern. With an IBAN number it is possible to commit identity fraud, for example if a company asks for this number to verify your identity. In addition, bank account numbers are used in spearphishing attacks. If attackers supplement an IBAN with the personal data captured in this hack, the scam becomes all the more credible.

Dataset offered for sale from 15,000 euros

Allekabels.nl sent a warning email to 5,000 customers last February. In it, the company wrote that an employee working from home had stolen the data. According to Verlaan, none of this account is true. The tech journalist spoke with Chippy1337, a well-known figure in the hacking community. The hacker said he had hacked Allekabels.nl in August 2020. "They then found my backdoor. Allekabels has known about the hack ever since," he told RTL News. According to him, the company never responded to his emails. In late January, the attacker offered the database for sale on a hacker forum on the dark web. Interested parties could bid on the dataset starting at 15,000 euros. The ad was removed months ago, according to Verlaan, which most likely means the database was sold. According to the tech journalist, the data is being traded among cybercriminals, and the stolen data is being actively misused to send phishing messages and hack online accounts.

Supervisory authority: 'The damage could be substantial'

Constantijn Souren, operations director of Allekabels.nl, denies that he already knew about the theft of private data last year. He says his company tried to contact the attacker who offered the dataset for sale, but was unsuccessful. "This is a devastating blow to us as well," he says. The company is now investigating the matter internally. The Autoriteit Persoonsgegevens confirms that it has requested "information and documents" from Allekabels.nl about the case. "Allekabels is obliged to provide all requested information and documentation," a spokesman says. He calls it a serious matter. "If people do not know that their data may be in the possession of criminals, they cannot take any measures, such as changing their password or blocking their credit card. The damage can then add up considerably."

'Informed all customers whose data was stolen'

Ethical hacker and security expert Ricky Gevers tells RTL News that this is the largest password data leak ever in the Netherlands. "The Allekabels leak is incredibly interesting and valuable to cybercriminals because of all the passwords and sensitive information," he says. Rik van Duijn, like Gevers an ethical hacker, thinks something is not right. Allekabels.nl has many customers who use a unique or customized e-mail address for the web shop. Van Duijn suspects that the retailer only informed customers who knew their data had been leaked from the web shop. "That would be a bad thing and that certainly seems like something for the Autoriteit Persoonsgegevens to investigate." Allekabels.nl states that in February it informed all customers whose data had been stolen.

Update: Allekabels.co.uk informs customers in an email that passwords can only be cracked from accounts created before Sept. 1, 2018. To "maximize protection of customers' interests," the retailer immediately deleted the passwords of affected customers. The company further warns that victims may be contacted by scammers in the coming period. "We are extremely shocked by this cyber hack and will thoroughly investigate the issue and take all necessary measures. We are doing everything we can to best protect the interests of you as our customers," Allekabels.nl ends its email. The cable vendor has posted an FAQ page online with answers to the most frequently asked questions.
