An actor using the alias "daghetiaw" claimed to have published a database of PcComponents customers with more than 16 million records, leaking a sample of half a million entries while offering the rest for sale. According to the sample that circulated in forums, the alleged leak ranged from order details and physical addresses to full names, phone numbers, IP addresses, wish lists and support conversations managed through Zendesk. The alarm was immediate among the online store's users and in the specialized press, which began to follow the case and ask about the actual scope of the incident (BleepingComputer).
However, PcComponents has denied that its infrastructure suffered direct unauthorized access. In an official statement the company says that, after reviewing its systems, it found no signs of intrusion into its internal databases or internal systems, and that the figure of 16 million affected accounts does not correspond to the number of active accounts it handles. In addition, the firm stresses that it does not store financial data or plaintext passwords in its systems, and that the number of accounts actually compromised is much lower than the attacker claims (official PcComponents statement).

Despite this denial of a direct intrusion, the company did confirm that it had detected a credential stuffing attack against its platform. In this type of campaign, attackers automate login attempts using combinations of emails and passwords obtained from leaks or stolen by malware; the idea is to take advantage of the widespread habit of reusing credentials across services. PcComponents acknowledged that there were mass login attempts with credentials collected in other leaks and that, in some cases, these attempts led to access to specific accounts.
Research by threat intelligence firms provided more context: Hudson Rock, which analysed the samples spread by the malicious actor, found that the emails present in the sample matched infostealer logs (records produced by malware designed to steal credentials and other data from the infected computer), some of them with traces dating back as far as 2020. Hudson Rock explains how infostealer logs make it possible to mount very convincing credential stuffing attacks because they contain working credentials obtained in other incidents (Hudson Rock analysis).
According to PcComponents itself, the information that could have been compromised in a small number of accounts includes name and surname, national identification number, addresses, IP addresses, e-mails and phones. The company has pointed out that it did not detect mass extraction of databases from its systems, but rather isolated accesses associated with the abuse of reused credentials.
As an immediate response, the platform has activated a battery of technical measures: it has implemented CAPTCHA on login forms to make automation harder, forced all active sessions to close and imposed the use of two-factor authentication (2FA) to log in again. Affected users will see their sessions disconnected and, if they did not have 2FA, they will be required to set it up before they regain access. In addition, the company recommends using unique, strong passwords and password managers to avoid reuse.
The story illustrates two important points about cybersecurity: on the one hand, that not every public disclosure of data necessarily implies an internal breach at the provider; on the other, that the widespread practice of using the same password across multiple services is one of the simplest ways for a credential theft elsewhere to lead to unauthorized access to an e-commerce account. For a more detailed understanding of the mechanics of these attacks, there are useful technical explanations and guides on credential stuffing, for example in Cloudflare's educational documentation (Cloudflare: Credential stuffing).

If you are concerned about the security of your account with PcComponents or any other online service, the practical recommendation is simple but effective: change passwords that you have reused, activate two-step authentication whenever it is available and watch for unusual activity in your communications and bank accounts. In addition, it is advisable to check whether your email has appeared in known leaks using credential reputation services and to activate login notifications when the platform allows it.
In this particular case, several specialized media outlets asked PcComponents for more precise figures on the number of accounts affected and the details of the investigation, but at the time of writing there was no additional public response to clarify the exact scope. It remains to be seen whether the leaked samples come entirely from accounts compromised by credential stuffing based on infostealer logs or whether, as the company maintains, part of the information has been reclassified or taken out of context by the author of the leak.
In the meantime, the situation serves as a reminder: platforms can strengthen their controls, but the first line of defence remains user practices. Unique passwords, password managers and 2FA activation greatly reduce the likelihood that a similar incident will end in unauthorized access to personal accounts.