Threat Actor Claims to Sell a 110 GB Iberdrola Customer Database Affecting 7 Million Customers
Threat actor claims to sell 110 GB Iberdrola customer database affecting 7M Spanish customers.
Summary
A threat actor using the alias 'spain' claims to be selling a 109.79 GB database allegedly stolen from Iberdrola, Spain's largest electricity utility, containing records of approximately 7 million customers. The purported dataset includes sensitive personally identifiable information such as customer names, IBANs, national IDs (DNI/NIF/CIF), email addresses, phone numbers, addresses, tariff details, billing information, and customer photos. The claim remains unverified and has not been publicly acknowledged by Iberdrola, though the dataset's breadth and specificity pose significant risks for financial fraud, phishing, and identity theft if genuine.
Full text
Data7M customers / 110 GB PriceTelegram sale CountrySpain Actorspain ▣Post details TargetIberdrola (iberdrola.es) CountrySpain SectorEnergy / Electric Utility ClaimCustomer database offered for sale Data~7M customer records, 109.79 GB ObservedJun 1, 2026 PriceTelegram sale Actorspain (claims hacked by "RP") !Allegedly exposed 7M+ customer records (claimed) Customer names & account IDs IBAN bank account numbers National IDs (DNI / NIF / CIF) Email addresses & phone numbers Addresses (city, province, ZIP) Tariff, contract & power (potencia) data Billing & purchase totals Supply-point identifiers (CUPS) Customer photos & call records Screenshot Screenshot 1 Redacted preview ⚠Potential impact If genuine, a dataset of 7 million customers containing IBAN bank details, national IDs (DNI/NIF/CIF), emails, phone numbers, and addresses would be highly valuable for financial fraud, phishing, and identity theft at scale across Spain. Energy-account and supply-point details could also enable convincing, targeted scams against utility customers. As with any large "for sale" listing, the figures may be inflated or partly recycled from earlier breaches. iStatus Unverified A sample and a full column listing were posted to an underground forum, with the full dataset offered via a Telegram contact and escrow; the sample links, password, and contact identifiers are not reproduced here. The claim has not been independently confirmed and Iberdrola has not publicly addressed it. Want the non-redacted screenshots? Paid subscribers get all of the claim details and unredacted screenshots, check out the threat feed or ransomware feed. View pricing → DARK WEB INFORMER - THREAT INTELLIGENCE
Indicators of Compromise
- domain — iberdrola.es