Executive Summary
In June 2024, Spanish online retailer PcComponentes confirmed that its systems were targeted by a large-scale credential stuffing attack. While the company denied reports of a data breach affecting 16 million customers, it acknowledged that threat actors attempted to use previously leaked credentials to gain unauthorized access to customer accounts. No evidence of infrastructure compromise or mass data exfiltration was found, and PcComponentes’ internal investigation revealed that protective measures limited the attack’s impact.
This incident highlights the ongoing challenges facing retailers from credential-based attacks, emphasizing the importance of stronger identity and access controls. The surge in credential stuffing campaigns reflects broader trends in attacker automation and customer credential reuse across online services.
Why This Matters Now
Credential stuffing attacks are increasing in both volume and sophistication worldwide, exploiting password reuse across online platforms. With regulatory scrutiny rising and consumer trust at stake, organizations must act urgently to implement robust multi-factor authentication, continuous threat monitoring, and customer education.
Attack Path Analysis
Attackers initiated their campaign by performing credential stuffing attacks against PcComponentes accounts, leveraging previously breached usernames and passwords. There was no clear evidence of successful privilege escalation, but compromise of standard user accounts was possible. Internal pivoting across workloads was unlikely given retail user account scope and a lack of escalated controls. No clear indicators of persistent Command & Control, though automated login attempts could have included botnet orchestration. Data exfiltration was a possible risk if customer accounts contained sensitive information and defenses lacked egress controls. The ultimate impact appears limited to customer account integrity and potential exposure, with no verified breach of core organizational assets.
Kill Chain Progression
Initial Compromise
Description
Attackers used large-scale credential stuffing attacks, attempting to access user accounts by submitting stolen username/password pairs against public-facing authentication endpoints.
Related CVEs
CVE-2025-57815
CVSS 6.5Fides versions prior to 2.69.1 lack sufficient rate limiting on authentication endpoints, allowing attackers to perform credential stuffing attacks, potentially leading to unauthorized access.
Affected Products:
Ethyca Fides – < 2.69.1
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Techniques are mapped for incident enrichment and can be further expanded with detailed STIX/TAXII feeds if needed.
Brute Force: Credential Stuffing
Valid Accounts
Account Discovery
Modify Authentication Process: Multi-Factor Authentication
Brute Force: Password Guessing
Exploit Public-Facing Application
Gather Victim Identity Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-factor authentication for all access to the CDE
Control ID: 8.3.6
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Regulation (EU) 2022/2554) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Phishing-resistant Authentication
Control ID: Identity Pillar: Authentication and Access
NIS2 Directive – Incident Prevention & Access Control Measures
Control ID: Article 21(2)(d)
GDPR – Security of Processing
Control ID: Article 32
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Retail Industry
Major vulnerability to credential stuffing attacks targeting customer databases, requiring enhanced egress security and zero trust segmentation for consumer data protection.
Computer Software/Engineering
High exposure to credential attacks on development systems, necessitating multicloud visibility controls and encrypted traffic protection for intellectual property safeguarding.
Information Technology/IT
Critical need for threat detection capabilities and east-west traffic security to prevent lateral movement following successful credential compromise incidents.
Financial Services
Elevated risk from credential stuffing impacting payment systems, requiring inline IPS protection and strict policy enforcement for regulatory compliance maintenance.
Sources
- Online retailer PcComponentes says data breach claims are fakehttps://www.bleepingcomputer.com/news/security/online-retailer-pccomponentes-says-data-breach-claims-are-fake/Verified
- PcComponentes niega una brecha de ciberseguridad y apunta a un ataque de tipo 'credential stuffing'https://www.infobae.com/america/agencias/2026/01/21/pccomponentes-niega-una-brecha-de-ciberseguridad-y-apunta-a-un-ataque-de-tipo-credential-stuffing/Verified
- Credential theft has surged 160% in 2025https://www.itpro.com/security/cyber-attacks/credential-theft-has-surged-160-percent-in-2025Verified
- Credential stuffinghttps://en.wikipedia.org/wiki/Credential_stuffingVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Inline zero trust controls including segmentation, egress policy enforcement, and inspection could have limited attackers to only the accounts they gained access to, prevented internal pivoting, and alerted on data exfiltration attempts, minimizing both spread and impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Credential brute force attempts could be detected and throttled at the network edge.
Control: Zero Trust Segmentation
Mitigation: Limits compromised account blast radius and prevents unauthorized privilege escalation.
Control: East-West Traffic Security
Mitigation: Internal movement is detected and blocked across segmented workloads.
Control: Multicloud Visibility & Control
Mitigation: Abnormal connection patterns and automation detected.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data exfiltration is detected and blocked.
Ensures any intercepted data remains unintelligible.
Impact at a Glance
Affected Business Functions
- Customer Accounts
- E-commerce Transactions
Estimated downtime: 2 days
Estimated loss: $50,000
Potential exposure of customer names, email addresses, and partial payment information due to unauthorized account access.
Recommended Actions
Key Takeaways & Next Steps
- • Implement distributed credential abuse detection at the network edge to block high-velocity credential stuffing.
- • Enforce zero trust segmentation and least privilege identity-based policies to constrain compromised account risk.
- • Apply internal east-west workload segmentation to prevent movement from breached endpoints.
- • Deploy egress filtering and DLP to ensure unauthorized data exfiltration is detected and stopped.
- • Use real-time visibility and anomaly detection to surface brute force and automation attempts for rapid response.
