
PcComponentes is pushing back hard on “database breach” headlines, while still confirming something customers should care about: a credential stuffing attack that led to unauthorized access to some user accounts and exposure of personal data. That mix, “not breached” but “accounts accessed,” is exactly how reused passwords turn into breach-like fallout.
The spark for all this was a dark web-style claim that a threat actor is selling a PcComponentes dataset. The retailer says its internal systems were not hacked, but it has rolled out tougher login defenses, including making PcComponentes 2FA mandatory, which tells you the account-compromise risk was real enough to warrant immediate lock-down.
What’s being claimed vs. what PcComponentes says happened
Here’s the claim: a threat actor using the alias “daghetiaw” says they have an archive tied to PcComponentes containing about 16.3 million records and is offering it for sale. TechRadar reports that this allegation is what fueled the “breach” narrative in the first place.
Here’s PcComponentes’ version: it denies that its internal systems or customer database were breached. Instead, it says attackers used credentials leaked from other services to try logging into PcComponentes accounts, a classic credential stuffing attack. BleepingComputer reported that the company called the breach claims fake and framed the incident as account access driven by reused passwords.
That doesn’t automatically mean “nothing happened.” Credential stuffing can still lead to real account takeovers, and once an attacker is in your account, they can often pull profile data, change delivery addresses, or place orders. It can look like a breach from the customer’s perspective even if the retailer’s core database was never directly exfiltrated.
There’s also a scale fight. PcComponentes disputes the headline number, saying the “16 million affected” figure is false and that its active accounts are significantly lower. CSO Online quotes the company making that point directly. What we do not have, and this is the key coverage gap, is an independently verified count of how many accounts were actually accessed successfully.
What data could be exposed in a credential stuffing takeover
PcComponentes’ own incident description focuses on personal data that could be viewed or extracted from compromised accounts. The company lists these categories: name, surname, DNI (if the customer provided it), address, IP, email, and telephone number. That’s not “just marketing info.” That’s the bundle criminals use for targeted phishing, identity fraud attempts, and convincing social engineering.
Why this matters in practice: if someone has your full name, email, phone number, and address, they can impersonate you in customer support chats, craft shipping scam messages that look accurate, or attempt account recovery elsewhere. If DNI is in the profile, that raises the stakes because it can be used to strengthen fraudulent applications or bypass weaker verification flows.
On payments, PcComponentes says bank or card data was not compromised and it does not store bank details, only a payment security token or code. That’s a big difference from a retailer storing full card numbers. It lowers the chance of direct card theft, but it does not eliminate fraud risk, because attackers who get into an account can still try to place orders, change addresses, or abuse stored checkout conveniences depending on what the account allows.
What PcComponentes changed, and what you should do now
PcComponentes’ response is consistent with an account-compromise scenario: reported mitigations include adding CAPTCHA at login, invalidating active sessions to force re-login, and rolling out mandatory 2FA. Those moves make credential stuffing harder (CAPTCHA), kick out anyone who is already logged in (session invalidation), and reduce the value of a stolen password (2FA).
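The login pattern behind an incident like this is visible in authentication logs. The following is an added example, not PcComponentes code: the log format, thresholds and sample lines are assumptions constructed here. It flags sources that try many distinct accounts with few successes, and lists the accounts they did get into, which are the ones whose sessions need invalidating.

```python
from collections import defaultdict

# Constructed sample: "timestamp source_ip account outcome" per login attempt.
# IPs are documentation ranges and the accounts are invented.
SAMPLE_LOG = """\
2026-01-20T10:00:01Z 203.0.113.7 ana@example.com FAIL
2026-01-20T10:00:02Z 203.0.113.7 bea@example.com FAIL
2026-01-20T10:00:02Z 198.51.100.20 dani@example.com FAIL
2026-01-20T10:00:03Z 203.0.113.7 carlos@example.com OK
2026-01-20T10:00:04Z 203.0.113.7 eva@example.com FAIL
2026-01-20T10:00:05Z 203.0.113.7 fran@example.com FAIL
2026-01-20T10:00:06Z 203.0.113.7 gema@example.com FAIL
2026-01-20T10:00:09Z 198.51.100.20 dani@example.com OK
2026-01-20T10:00:12Z 198.51.100.33 hugo@example.com OK
"""


def parse(log):
    """Yield (ip, account, succeeded) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"


def detect_stuffing(log, min_accounts=5, max_success_ratio=0.3):
    """Return {source_ip: [accounts it logged in to]} for suspect sources.

    A source is suspect when it tries many distinct accounts and gets into
    few of them, the pattern left by replaying credentials leaked elsewhere.
    Both thresholds are illustrative assumptions, not tuned values.
    """
    tried = defaultdict(set)
    opened = defaultdict(set)
    for ip, account, ok in parse(log):
        tried[ip].add(account)
        if ok:
            opened[ip].add(account)
    findings = {}
    for ip, accounts in tried.items():
        ratio = len(opened[ip]) / len(accounts)
        if len(accounts) >= min_accounts and ratio <= max_success_ratio:
            # These accounts need session invalidation and a password reset.
            findings[ip] = sorted(opened[ip])
    return findings


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

A customer who mistypes a password once and then logs in (198.51.100.20 in the sample) stays below the distinct-account threshold and is not flagged.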
If you have a PcComponentes account, treat this like an account takeover risk, not a theoretical headline. Do these steps today:
- Change your PcComponentes password to something unique, not a variation of an old one. If you reused that password anywhere else, change it there too.
- Complete the mandatory 2FA setup and keep your recovery options updated.
- Review your account profile details, especially shipping addresses, phone number, and email, then check order history for anything you do not recognize.
- Watch for phishing that references PcComponentes orders, refunds, delivery problems, or “account verification.” Real attackers will use the personal details they got to make messages feel legit.
- Consider a password manager so “unique passwords everywhere” is actually doable, and run an audit for reused credentials across major retailers.
The bigger takeaway is simple: “no internal breach” does not mean “no risk.” Credential stuffing is preventable at the user level with unique passwords and 2FA, and retailers are increasingly forced to react fast with friction like CAPTCHA and mandatory 2FA when attackers start successfully logging in.
If you reuse passwords, this is the nightmare scenario. Your favorite retailer can do everything right on its own servers, and you still get burned because credentials leaked somewhere else become the master key.
