On November 11, 2024, a hacker known as Gatito_FBI_NZ published an extensive pack of data leaked from BBVA Bank of Peru. It includes extensive information related to bank transactions, including personal information about bank customers. The hacker asks for no money, offering access to all the leaked data right away.
BBVA Hacked, Transaction Data Leaked on the Darknet
The BBVA Bank leak published by Gatito_FBI_NZ consists of a huge number of tables that contain well-structured data about transactions the bank has handled. The leak covers records from the last several months and contains cardholder names, transaction locations (down to the establishment where the payment was made), dates, card status and some internal codes.
One more detail that should concern the clients of the bank (and BBVA themselves, obviously) is that the hacker also shares usernames and passwords for admin accounts of the bank's technical pages. Sure enough, the bank's infrastructure admins will change them pretty soon, but this is a clear demonstration that Gatito_FBI_NZ really had access to the network. This is also confirmed by the screenshots of internal interfaces with corresponding data displayed on them.
In the publication, the hacker also mentioned “a vulnerability”, which is potentially the short explanation of how they got into the bank’s internal network. However, there are no details on which exact flaw was used; the word may simply be misused, considering the rest of the message.
It is rather strange that the attacker asks nothing for such a chunk of data. It is typical for cybercriminals to dispose of less important info they’ve got from a hack, creating additional pressure on the attacked company. This may actually be the case in this attack: the guy did not find anything special in the BBVA Bank data and decided to make it public. Whether they had their hands on actually important data, we do not know.
Is there a risk for BBVA bank clients?
With such a massive data leak, especially considering that it is readily available to the public, there can and will be attacks based on it. Mainly they’d revolve around email, SMS and voice phishing scams, or, in certain cases, attempts to charge a bank account. This gives us enough info to offer precautionary advice: follow it for a few months, and the risks will decrease significantly.
- Any offers that are too good to be true are not true. If someone offers you a tempting deal and it looks like they know you, you’d better check everything twice before accepting that offer. With the information from the databases, adversaries can understand your habits and thus prepare a well-disguised targeted attack.
- Track your bank transactions. Having this much information directly from the bank, fraudsters can try using it to charge customers’ accounts. There are ways to get card numbers and other identifiers, which is enough to initiate a transaction. If there is any suspicious activity, ask the bank to suspend the account and revert the unknown transactions.
- Treat all phone calls, emails and SMS from the bank with extra caution. The most obvious trick fraudsters may try to pull is to contact people saying there’s something wrong with their BBVA bank account. Typically, they push users into sharing security codes, which grant them access to the account and all the funds. Double-check phone numbers and email addresses that contact you about this matter, and never share security codes with anyone who asks for them: they are only for your sign-in operations.