Crook leaks 468k+ records, claims they pwned Portugal’s postal carrier

Data allegedly belonging to CTT, the operator of Portugal's national postal service, has leaked online, affecting hundreds of thousands of individuals. According to HaveIBeenPwned, which ingested the data, a little more than 468,000 unique email addresses were included in the vast data dump, along with full names, phone numbers, and parcel tracking codes that could be used to identify different locations along a package's journey. In 2026, many people now assume that their basic personal data has been included in a data breach or two, and that it can be bought online. However, when data breaches include details such as parcel tracking codes alongside basic personal information - the type that isn't typically part of every breach - it can provide cybercriminals with crucial information to conduct convincing phishing campaigns. Fake parcel emails and SMS messages become all the more convincing if the attacker behind them can persuade the target that they possess information only the spoofed organization could hold. The stolen data was leaked on April 27, according to cybercrime forum watchers, by a hacker calling themselves Boogeyman." HaveIBeenPwned confirmed the breach on Tuesday, putting the scale significantly below what Boogeyman had claimed weeks earlier. While the data types matched, the crook alleged over one million customer records were exposed, more than double the 468k+ verified by HaveIBeenPwned. In addition, the criminal claimed to have stolen technical data regarding the company's 24/7 postal lockers provided by its Locky brand. Supposedly included among these were locker configurations, private IPs, machine types, locker IDs, and backend versions. HaveIBeenPwned only summarised the consumer-related data, not the technical side of it, and The Register neither downloaded nor examined the raw data. To date, CTT has not publicly acknowledged the alleged cyberattack that led to the data breach. The Register approached the company for a statement but it did not immediately respond. (R)