SVIsual data breach
Categories

Spanish Accessibility Platform SVIsual Breached: 100,000 User Accounts Leaked with Passwords, Security Q&A, and Cookies

  • Posted by Sean Doyle
  • Updated
  • 4 min

A major data breach has reportedly affected SVIsual, a Spanish video-interpretation service designed for the deaf and hard-of-hearing community. The exposed database, now circulating on hacker forums, contains more than 100,000 user records including names, email addresses, phone numbers, dates of birth, passwords, and even security questions and answers. Researchers say the data also includes browser cookies that allow attackers to bypass multi-factor authentication (MFA) protections entirely.

What Happened

According to threat intelligence sources monitoring the dark web, the SVIsual data was posted for sale in late October 2025. The dataset is described as a “full kit” containing all of the information needed for complete account takeover. The database includes personal identifiable information (PII), login credentials, and even session data stolen directly from users’ browsers. Early analysis suggests this is not a direct breach of SVIsual’s servers but the result of an infostealer malware campaign that compromised the devices of thousands of SVIsual users.

  • Source: SVIsual, Spain (EU-based accessibility platform)
  • Date of Discovery: October 2025
  • Records Affected: Approximately 100,000 user entries
  • Data For Sale: Personal data, login credentials, security questions, cookies, and system information

Cybercriminals often use infostealer malware to extract browser-saved passwords, authentication cookies, and session tokens. In this case, it appears the attacker aggregated all stolen SVIsual-related logs into one dataset and then listed them for sale on a hacker forum.

The Data Exposed

The leaked information gives attackers everything they need to permanently hijack user accounts and impersonate victims online. The most concerning items include:

  • Full names, email addresses, phone numbers, and home addresses
  • Dates of birth and gender
  • Logins and passwords (some likely stored in plaintext or weakly hashed form)
  • Security questions and answers, used for password recovery
  • Active authentication cookies that bypass MFA protections
  • Device and browser information such as operating system and IP data

Researchers note that this combination of credentials, cookies, and recovery data is exceptionally dangerous. It gives attackers access to user accounts even if passwords are changed later, as stolen cookies can be reused to hijack sessions instantly.

Why This Breach Is Different

Unlike typical server breaches, which involve a single compromised database, the SVIsual incident appears to be a large-scale collection of malware “logs.” This means individual users’ devices were infected, and the malware exfiltrated all saved browser data, including cookies and security questions. The seller then bundled the data and categorized it under “SVIsual,” targeting victims who used the service.

This type of breach is especially dangerous for several reasons:

  • Active Session Hijacking: Stolen cookies let attackers impersonate users immediately by importing them into a browser, bypassing MFA entirely.
  • Permanent Account Takeover: Exposed security questions allow attackers to reset passwords and lock legitimate users out permanently.
  • Credential Reuse Attacks: The same passwords will be used in credential stuffing attacks across other sites, such as email, banks, and social media accounts.
  • Targeting of a Vulnerable Population: The victims are users of an accessibility service, making this both a privacy breach and an ethical concern due to potential exploitation of a vulnerable group.

Legal and Regulatory Impact

SVIsual operates within the European Union, meaning the incident falls under the General Data Protection Regulation (GDPR), known in Spain as the Ley Orgánica de Protección de Datos Personales. Because the service caters to individuals with hearing disabilities, the leaked data qualifies as “special category data,” which includes health-related and accessibility information that demands the highest level of protection under EU law.

Under GDPR Article 33, SVIsual must report the breach to Spain’s Agencia Española de Protección de Datos (AEPD) within 72 hours of becoming aware of it. Failure to do so could result in heavy fines and enforcement actions. Given that the data includes plaintext passwords, cookies, and recovery question answers, regulators will likely view this as gross negligence in safeguarding sensitive user data.

Cybersecurity Recommendations for SVIsual

To contain and recover from this breach, experts advise that SVIsual take immediate action to secure its infrastructure and notify affected users. Recommended steps include:

  • Force Session Invalidation: Immediately terminate all active sessions to prevent attackers from using stolen cookies for MFA bypass attacks.
  • Force Password Resets: Require all users to change their passwords and prevent the reuse of previous credentials.
  • Reset Security Questions: Invalidate all saved security questions and answers, replacing them with modern recovery methods such as MFA or verified email recovery.
  • Mandatory Regulatory Reporting: File a report with the AEPD within the required 72-hour window to maintain compliance with GDPR.
  • Public Notification: Send a clear, multilingual notice to all users explaining what was leaked and what steps are being taken to protect them.

What Users Should Do

All SVIsual users should assume their accounts are compromised. The following steps can help limit damage and protect against further attacks:

  • Change Passwords Everywhere: Immediately change your SVIsual password and any others that used the same credentials.
  • Enable MFA: Turn on multi-factor authentication on all accounts that support it to reduce future risks.
  • Be Cautious of Phishing Attempts: Attackers may use your personal data, including birth dates or security question answers, to craft convincing phishing emails or texts.
  • Use Reputable Security Software: Install trusted anti-malware tools like Malwarebytes with real-time protection and identity theft monitoring to block further infections or credential-stealing malware.
  • Clean Your Device: Run a full system scan to remove any residual malware or infostealer components that may still be active.
  • Check Account Activity: Review recent logins and active sessions on your accounts, and sign out from unfamiliar devices.

Protecting Accessibility and Privacy

This breach is especially concerning because it targets a service designed to help individuals with disabilities communicate online. The exposure of such sensitive and intimate data not only endangers personal privacy but also undermines trust in digital inclusion platforms. SVIsual and similar organizations must strengthen their cybersecurity posture by implementing stronger encryption, endpoint protection, and user awareness programs.

The SVIsual data breach serves as a warning that cybercriminals are increasingly targeting accessibility and healthcare-adjacent platforms where personal data is both abundant and inadequately protected. As infostealer malware continues to evolve, prevention, real-time monitoring, and user education are now essential for every digital service handling vulnerable populations.

Written by

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.

More Reading

Post navigation

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.