Hackers Claim to Be Selling WindTre Customer Database on Dark Web

Last updated: June 2, 2026
  • A threat actor claims to be selling a large database allegedly linked to WindTre customers.

  • The advertised records reportedly include personal details, device registration data, and subscription information.

  • WindTre has not confirmed the claims, and researchers have not independently verified the authenticity of the dataset.

A threat actor has allegedly put a large customer database linked to Italian telecommunications provider WindTre up for sale on a dark web marketplace, raising concerns about the potential exposure of sensitive subscriber information.

According to information shared by Daily Dark Web Intelligence on X, the seller claims the database contains a broad collection of customer records divided into three categories: Contacts, Device Registrations, and Contract Subscriptions. However, neither Daily Dark Web Intelligence nor WindTre has publicly confirmed that the data is authentic.

If genuine, the dataset could provide cybercriminals with extensive information about subscribers, their connected devices, and their telecom service accounts.

Threat Actor Claims Database Contains Extensive Customer Information

The alleged Contacts database reportedly contains a wide range of personal and account-related information. According to the advertisement, the records include customer names, birth dates, gender details, tax identification numbers, VAT numbers, company information, residential addresses, postal codes, city data, phone numbers, mobile numbers, email addresses, usernames, and password hashes.

The seller claims the dataset includes account status, preferences, marketing permissions, membership data, login logs, privacy consent, and newsletter details.

Similar sensitive data is being sold elsewhere. A dark web seller recently claimed to have 20 million Romanian citizen records, including national identification numbers, showing the demand for European PII.

The threat actor also claims the database includes a device registration section with details on subscriber devices and connected services.

The advertised records allegedly include device identifiers, device categories, notification tokens, Wi-Fi network information, hashed passwords, firmware details, enrollment methods, device nicknames, synchronization logs, failed login counters, connection history, and registration metadata.

The listing also mentions records tied to radio and media devices, suggesting the dataset may go beyond traditional telecom services.

Subscription and Contract Records Could Enable Detailed Profiling

The third category, described as Contract Subscriptions, allegedly contains customer contract and service subscription information.

According to the seller, these records include subscription plans, contract types, service activation dates, billing-related information, account attributes, and other service-related details. The threat actor further claims that all three datasets share common customer identifiers, allowing records to be linked together.

If the claims are accurate, attackers could build detailed profiles of affected subscribers by combining personal, account, and device data.

Security experts warn that such information can become highly valuable to cybercriminals. Names, contact information, tax IDs, and service records often form the basis for targeted phishing and social engineering attacks.

Researchers also note that exposed password hashes can heighten security risks, especially when weak hashing methods are used or when related credentials remain active.

Experts Urge Caution as Authenticity Remains Unverified

Cybersecurity analysts say device registration information could provide attackers with insight into customers’ technology environments. Criminals often use this type of intelligence to create convincing impersonation attempts, fraudulent customer support interactions, and account recovery scams.

Experts have also highlighted the potential connection to SIM-swap fraud. Threat actors frequently combine personal information with telecom account details before attempting unauthorized account changes through mobile service providers.

Despite the seriousness of the claims, no public evidence currently confirms the legitimacy, completeness, or freshness of the advertised dataset.

Security researchers caution that dark web listings often contain recycled, outdated, incomplete, or entirely fabricated information designed to attract buyers. As a result, organizations and customers should treat such claims carefully until independent verification becomes available.

Daily Dark Web Intelligence stated that it has not verified the authenticity of the alleged WindTre data. In the meantime, security professionals advise customers to monitor official communications, stay alert to phishing attempts, review account security settings, and enable multi-factor authentication where possible.

Further details may emerge as researchers and stakeholders continue to examine the alleged WindTre dataset and related claims.

About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
