ValueText data breach
Categories

The ValueText Data Breach Exposed 128,000 Mexican Phone Numbers and PII for Smishing at Scale

The ValueText data breach has allegedly exposed more than 128,000 customer records from a business SMS marketing platform with a heavy focus on Mexico. A threat actor is selling the database on a hacker forum for 300 dollars and claims the dataset includes names, addresses, emails, and unique phone numbers. This leak is a direct pipeline for smishing and vishing campaigns across Mexico and raises urgent regulatory questions under the country’s privacy law. For more coverage, see our data breaches and cybersecurity sections.

Background of the Breach

Dark web monitoring identified a listing for a database allegedly sourced from ValueText, a B2B SMS and A2P messaging platform. The threat actor emphasizes a Mexico-centric dataset and offers a sample to prove authenticity. The post describes a ready-to-use list for mass SMS fraud, with more than 128,000 unique records tied to specific individuals and addresses.

What Was Exposed

The seller advertises a “full kit” of personally identifiable information designed for targeted scams. Based on the listing, the dataset includes:

  • Full PII: Names and postal addresses
  • Unique mobile phone numbers: The primary asset for SMS and WhatsApp abuse
  • Email addresses: Useful for cross-channel phishing and account enumeration

This combination allows attackers to craft convincing messages that reference real names and delivery addresses, which significantly increases click-through and data theft rates. It also enables coordinated phone and email follow-ups that validate the scam narrative.

Why This Breach Is Critical

This incident is less about corporate impact and more about direct harm to the 128,000 plus individuals listed in the file. The dataset is a turnkey resource for criminal groups to launch high-conversion smishing and vishing waves in Spanish, with personal details that defeat common sense checks.

Smishing and Vishing Goldmine

Attackers can run delivery, banking, and bill payment scams that cite the victim’s real name and address. Example in Spanish:

“Hola [Nombre], hay un problema con la entrega en [Dirección Real]. Para liberar el paquete, pague la tarifa de aduana aquí: [enlace].”

Victims who see accurate personal data are far more likely to click, submit card details, disclose banking credentials, or share one-time passwords.

Credential Stuffing Signal

The need to reset client passwords suggests the breach may include business client account data for companies that use ValueText. Even if passwords are hashed, the exposure creates a standard credential stuffing risk across those clients’ other services.

Regulatory Exposure under LFPDPPP

Mexico’s Federal Law on Protection of Personal Data (LFPDPPP) treats names, addresses, emails, and phone numbers as personal data. ValueText acts as a data processor, and its business customers are the data controllers. Controllers must notify affected individuals and the national regulator INAI when a breach poses a significant risk. Failure to comply can trigger investigations, sanctions, and reputational damage.

Likely Attack Scenarios

  • Parcel and customs scams: Payment requests for fake delivery or customs fees using real addresses.
  • Bank account phishing: SMS messages claiming account holds or suspicious activity, followed by credential harvesting pages.
  • Utility and insurance impersonation: Urgent payment links that steal card data or enroll victims in recurring charges.
  • Multi-channel escalation: SMS followed by WhatsApp voice calls to pressure victims into sharing OTPs.

Mitigation Strategies

For ValueText

  • Immediate investigation: Validate the dataset and identify the vector, such as an exposed database or API flaw.
  • Notify all business clients: Provide indicators of compromise, timeline, and guidance for customer communication.
  • Force password resets and require MFA: Apply to every client account to reduce credential stuffing risk.
  • Report to INAI: Coordinate with legal counsel to meet notification obligations under LFPDPPP.
  • Harden data handling: Apply data minimization, encryption at rest, and strict access controls. Add leak detection and secret scanning to CI and storage tiers.

For Affected Individuals in Mexico

  • Treat all unsolicited texts as suspicious: Even if a message includes your real name or address, do not click links or reply.
  • Never share OTPs or banking details by text: Banks and delivery firms will not ask for one-time passwords over SMS or WhatsApp.
  • Verify directly: For deliveries or billing issues, use official apps or websites you enter yourself, not links you receive.
  • Block and report spam: Use your carrier and device tools to block numbers and report abuse.
  • Scan your devices: Run a full check with trusted anti-malware software or deploy Malwarebytes if you clicked any links or installed apps recently.

For ValueText Business Clients

  • Assess exposure: Determine which customer lists or fields were in ValueText and prepare notifications.
  • Enable MFA and rotate API keys: Update credentials for any integration with ValueText, and review sending permissions and webhooks.
  • Preemptive customer alert: Warn customers about incoming SMS fraud in Spanish and provide examples of what scams look like.
  • Strengthen consent and list hygiene: Remove stale numbers, enforce double opt-in, and audit data retention policies.

Legal and Regulatory Considerations

Controllers that used ValueText for outreach are responsible for notifying affected individuals and INAI when the risk threshold is met. Processors must inform controllers without delay and document containment actions. Clear records of the incident, remediation steps, and customer notifications will be important for regulatory review.

Outlook

The ValueText data breach is a classic A2P abuse scenario that turns marketing datasets into high-yield fraud pipelines. Expect rapid smishing waves that reference real names and addresses. Public communication, faster fraud reporting, and strict list governance will be the fastest way to reduce harm. Continued awareness campaigns in Spanish, along with technical controls like domain and link takedowns, will be necessary to blunt the next phases of this operation.

For ongoing reports on data breaches, practical cybersecurity guidance, and scam alerts, follow our coverage.

Written by

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.

More Reading

Post navigation

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.