A threat actor on a dark web marketplace is claiming to sell millions of stolen records allegedly tied to two major telecom providers: Claro and Movistar. The attacker says the dataset includes sensitive identity and contact information of users from Peru. However, the breach claims are now under scrutiny, with Claro explicitly stating the data is fake and Movistar yet to issue a formal response.
The hacker posted a sample of what they say is a 15 million-record dataset from Claro Perú. Shared data fields include:
- ID card types and numbers
- Full names
- Email addresses
- Limited account-related data
Claro, owned by América Móvil, operates in 18 countries and serves millions of mobile, internet, and voice subscribers across Latin America and the Caribbean. Despite the scope of the claim, the company said that it found no indication of compromise.
“We have reviewed the information and can confirm that it is fake,” Claro’s information security team said.
Security experts warn that such listings are not always credible. It is common for attackers to recycle old data dumps, repackaging them as new incidents to attract attention or money from buyers.
Movistar Dataset Also Claimed in Alleged Leak
The same hacker also claims to possess data from Movistar, the telecom brand owned by Telefónica, which operates in Spain and Latin America. The attacker says the Movistar breach affects nearly 21 million users.
Reported data includes:
- Phone numbers
- Full names
- ID card types and numbers
However, questions were raised soon after the post went live. The dataset was initially labeled as Spanish but was quickly identified by forum users as originating from Peru. These inconsistencies, along with the lack of verification from Movistar, have cast doubt over the accuracy of the claims.
Movistar has not yet responded to requests for comment.
Attacker Also Claims U.S. Social Security Data Leak
In a separate listing, the same threat actor claims to be selling data of 11 million U.S. citizens. This dataset allegedly includes:
- Social Security Numbers
- Full names
- Home addresses
- Phone numbers
- IP addresses
- Dates of birth
- Driver’s license information
- Monthly income
Still, there’s no confirmation this dataset stems from a new breach. A researcher noted:
“The threat actor never explicitly claims this is from a recent breach, which raises a red flag. It’s entirely possible this is an old data dump being recycled for attention.”
Enterprises monitoring dark web activity should note the growing trend of recycled data being used in misleading posts, often mixing accurate but old information with unverifiable claims to appear legitimate.
