"Data allegedly belonging to CTT, the operator of Portugal's national postal service, has leaked online, affecting hundreds of thousands of individuals. According to HaveIBeenPwned, which ingested the data, a little more than 468,000 unique email addresses were included in the vast data dump, along with full names, phone numbers, and parcel tracking codes that could be used to identify different locations along a package's journey."
"In 2026, many people now assume that their basic personal data has been included in a data breach or two, and that it can be bought online. However, when data breaches include details such as parcel tracking codes alongside basic personal information - the type that isn't typically part of every breach - it can provide cybercriminals with crucial information to conduct convincing phishing campaigns."
"Fake parcel emails and SMS messages become all the more convincing if the attacker behind them can persuade the target that they possess information only the spoofed organization could hold. The stolen data was leaked on April 27, according to cybercrime forum watchers, by a hacker calling themselves "Boogeyman.""
"HaveIBeenPwned confirmed the breach on Tuesday, putting the scale significantly below what Boogeyman had claimed weeks earlier. While the data types matched, the crook alleged over one million customer records were exposed, more than double the 468k+ verified by HaveIBeenPwned. In addition, the criminal claimed to have stolen technical data regarding the company's 24/7 postal lockers provided by its Locky brand."
Data linked to CTT, Portugal’s national postal service operator, has leaked online and includes hundreds of thousands of individuals’ information. HaveIBeenPwned reports 468,000-plus unique email addresses with full names, phone numbers, and parcel tracking codes. Parcel tracking codes can help attackers craft convincing messages that appear to come from the legitimate postal organization. Fake parcel emails and SMS become more persuasive when attackers can claim access to information only the spoofed organization would hold. The data was leaked on April 27 by a hacker using the name “Boogeyman.” HaveIBeenPwned confirmed the breach and found a smaller scale than the hacker claimed. The hacker also alleged theft of technical data for Locky 24/7 postal lockers, including configurations and backend details, though only consumer data was summarized publicly.
Read at theregister
Unable to calculate read time
Collection
[
|
...
]