Movistar Data Breach Exposes 4 Million SIM-Swap Kits, Triggering National Fraud Risk

The Movistar data breach has been listed for sale on dark web forums, where a hacker is offering a text file containing more than four million customer records. The leaked data includes full names, phone numbers, and company affiliations, forming a complete verification toolkit for SIM-swap fraud and corporate phishing attacks. Experts have called this breach a national-level emergency for Spain, as the stolen telecom data directly enables bank and identity theft across the country.

Background

Movistar, part of the global Telefónica Group, is Spain’s largest telecommunications provider and one of the most critical infrastructure operators in Europe. The attacker claims to have extracted more than 4 million customer entries, with precise formatting that matches real Movistar subscriber data. Analysts believe this is a confirmed breach of a live database or customer management system. The Movistar Spain data breach exposes exactly the kind of data used by telecom employees to confirm user identity during SIM card support calls, making this incident a direct gateway to financial fraud and account takeovers.

• Victim: Movistar (Telefónica Group, Spain)
• Records leaked: Over 4,000,000
• Data fields: Full name, phone number, company name, and corporate contact information
• Distribution: For sale via a private Telegram contact linked to a hacker forum post
• Primary threats: SIM-swap fraud, vishing scams, and targeted B2B phishing campaigns

Breach Details

This dataset is a ready-made “SIM-swap kit.” Each record provides the name, phone number, and organization data that Movistar agents use to authenticate users. Attackers can impersonate a victim, contact Movistar’s customer service, and easily pass verification checks using these real details. The attacker then claims the phone was lost and requests a SIM replacement, transferring the victim’s number to a new SIM card in the criminal’s possession. Once the number is hijacked, the attacker gains access to SMS-based 2FA codes for the victim’s bank, email, and cryptocurrency accounts, leading to immediate theft.

The inclusion of company information makes this breach even more dangerous. It transforms the incident into a B2B spear-phishing goldmine. With access to real employee names, numbers, and their associated companies, attackers can craft highly believable messages or calls, pretending to be Movistar representatives handling urgent corporate service issues.

Key Cybersecurity Insights

SIM-Swap Fraud Threat

The Movistar data breach provides the exact identifiers needed to trick telecom verification systems. Using a victim’s full name, number, and company context, attackers can pass security questions and port a number to a fraudulent SIM. This lets them intercept banking verification codes, reset passwords, and take over high-value accounts. Banks and crypto exchanges in Spain are now at increased risk, as SIM-swap fraud often leads to rapid account draining before customers even realize their phone has gone offline.

B2B Spear-Phishing Risk

The Movistar Spain data breach also opens new opportunities for corporate phishing. A likely attack scenario involves an impersonator contacting an employee with a fake corporate service message:

“Hola [Victim Name], this is Movistar Business Support. We detected a security issue with your corporate account for [Real Company Name]. Please verify your credentials at the secure link below.”

Because the message references both a real telecom provider and a real company name, victims are far more likely to comply. This enables credential harvesting, ransomware delivery, or unauthorized remote access into corporate networks.

Regulatory Exposure

Movistar operates under the European Union’s General Data Protection Regulation (GDPR). The Movistar data breach qualifies as a high-risk personal data incident due to the exposure of identifiable customer information. Under GDPR, Movistar must notify the Agencia Española de Protección de Datos (AEPD) within 72 hours of discovery. The company must also notify customers directly and cooperate with the Instituto Nacional de Ciberseguridad (INCIBE). With over four million affected users, the company could face fines of up to 4 percent of Telefónica’s global annual revenue, potentially reaching billions of euros.

Mitigation Strategies

For Movistar

• Launch full-scale digital forensics: Engage a DFIR team to validate the breach, identify intrusion points, and assess the scope of data exposure.
• Lock down SIM-swap processes: Immediately suspend remote SIM replacement and require in-person ID verification for all SIM changes until fraud risks subside.
• Report to regulators: Notify the AEPD and INCIBE to comply with legal requirements under GDPR and national cybersecurity law.
• Alert customers nationwide: Transparently warn all subscribers of the breach and the specific threat of SIM-swap scams. Encourage all users to set additional account verification options.
• Train support staff: Introduce additional verification questions and fraud detection scripts for customer service teams to prevent social engineering attempts.

For Affected Customers

• Secure your SIM card: Contact Movistar or your telecom provider immediately to add a “port-out PIN” or verbal password. This prevents unauthorized number transfers.
• Switch from SMS 2FA to authenticator apps: Replace text-based codes with Google Authenticator, Microsoft Authenticator, or hardware keys for all online accounts.
• Monitor all bank and crypto activity: Review your accounts daily for new transactions, payees, or device logins. Report suspicious activity immediately.
• Be cautious of phishing calls and texts: Treat all messages from “Movistar” or “your bank” as potentially fraudulent, even if they contain personal information. Hang up and call the official number printed on your bill or card.
• Scan for malware: If you interacted with any suspicious links or attachments, perform a full device scan using Malwarebytes and update your system.

For Spanish Businesses

• Warn employees: Send immediate internal advisories about the Movistar data breach and the likelihood of telecom-based phishing attacks.
• Protect employee data: Audit public directories and restrict publication of personal phone numbers or contact lists.
• Strengthen authentication policies: Enforce app-based or hardware-based MFA for all business accounts, especially those with payment or IT access.

National and Sector Impact

The Movistar data breach highlights how telecom compromises can ripple across entire economies. By leaking the identities and phone numbers of millions of customers, the attacker has created the perfect foundation for large-scale SIM hijacking, vishing, and business compromise. Spanish financial institutions, telecom regulators, and cybersecurity agencies must coordinate to detect fraudulent SIM activity and block mass exploitation attempts before customer losses escalate.

For continued updates on verified data breaches and broader developments in cybersecurity, visit Botcrawl for ongoing intelligence and practical security guidance.