-
A threat actor going by “Jeffrey Epstein” boasts of stealing personally identifiable credentials from more than 400,000 Belgian end users of bol, the Dutch online retailer.
-
The alleged dataset contains full names, addresses, email addresses, phone numbers, dates of birth, order history, shipping data, and payment data.
-
Bol has found no evidence of a breach and confirms all systems are operating normally.
A hacker just put bol, the biggest online retailer in the Netherlands and Belgium, at the center of a serious data theft claim. The threat actor, operating as “Jeffrey Epstein,” says it exfiltrated a voluminous dataset carrying the personal information of more than 400,000 Belgian bol customers. Meanwhile according to Bol, nothing unusual appeared but the alleged stolen data is likely on sale on the dark web.
Hacker Posts Sample, Opens Negotiation on Dark Web
The actor uploaded a sample of the alleged stolen data to a dark web forum, giving potential buyers a chance to verify the material before striking a deal. The hacker directed all interested parties to make contact through Telegram or Session. “The price is negotiable,” the dark web post reads.
According to the attacker, the dataset holds full names, complete address details, email addresses, phone numbers, dates of birth, order history, shipping data, tracking numbers, and payment data. The hacker claims the theft excluded passwords and direct financial credentials but the remaining data is still extraordinarily sensitive.
Bol’s spokesperson addressed the claim publicly, telling Dutch tech outlet Tweakers.net: “We are taking this report seriously, but we currently have no evidence of a hack or attack. All systems are operating normally, without any ransomware flags.”
The denial is direct but it does not close the case. Hackers frequently list stolen data for sale long before their targets detect any signs of intrusion. Bol has not confirmed whether it launched a formal internal investigation or engaged outside security experts to examine the hacker’s sample.
Bol is no minor target. Founded in 1999, the retailer serves over 14 million customers across the Netherlands and Belgium through more than 44,200 sales partners, who collectively list over 56 million products. Bol recorded net sales of €3.1 billion in 2024, while profits climbed 22% to €185 million, cementing its position as the dominant e-commerce brand across the Benelux region.
Stolen Data Arms Criminals for Large-Scale Fraud and Identity Theft
The alleged dataset is dangerous not because of any single data point, but because of what all those points reveal together. Criminals who hold names, home addresses, email addresses, phone numbers, and detailed order histories carry a complete toolkit for launching personalized, high-conviction attacks.
A threat actor with a victim’s recent purchase history can craft a convincing fake shipping notification or a fraudulent customer service message that references specific order details. The victim recognizes familiar information and finds no obvious reason to question the message. This method drives credential theft, account takeovers, financial fraud, and identity theft at scale.
This breach is not an isolated incident. It fits a larger, accelerating pattern. Cybernews researchers recently uncovered a live criminal operation silently draining booking data from European hospitality platforms, pushing it directly into a Telegram channel in real time.
That breach exposed booking records from over 173 properties and the personal details of nearly 5 million hotel guests including full names, phone numbers, email addresses, dates of birth, and in some cases, full ID document numbers. The attackers ran the entire operation through 527 compromised hotel accounts, making the activity look completely normal to the platforms hosting them.
What You Should Do Right Now
Customers who shop on bol need to tighten their defenses immediately. Enable two-factor authentication on all accounts linked to your bol email address. Watch your inbox closely for suspicious messages, especially anything referencing recent orders.
Treat any unexpected call claiming to represent bol or an affiliated delivery company with serious caution. Criminals armed with real order details can sound completely legitimate.
The China data breach extortion demand, where hackers asked for crypto payment just for a peek at stolen records — shows that personal data has become a currency in its own right on the dark web, and consumers everywhere must remain vigilant against the fallout from these breaches.
Until bol concludes its investigation and provides a clear public update, the threat remains active. Do not wait for the company to notify you first.
