TALKTALK has launched an investigation into a third-party data breach, after a hacker allegedly put customers’ details for sale online.
A statement from a hacker known as “b0nd” claimed they were selling data obtained in a breach in January 2025.
“As the title says today we will list for sale a large data breach involving TalkTalk,” b0nd’s post on a hacker forum read.
“This breach took place January 2025 and affects 18,839,551 current and previous customers.”
However, the almost 19million cited by the cyber crook is much more than the number of customers TalkTalk has.
The Sun understands the breach affects a small number of customers, and that the data refers to lines of code rather than individual profiles.
In a statement, TalkTalk said that no billing or financial information was at risk.
“As part of our regular security monitoring, given our ongoing focus on protecting customers’ personal data, we were made aware of unexpected access to, and misuse of, one of our third-party supplier’s systems, however, no billing or financial information was stored on this system,” a TalkTalk spokesperson said.
“Our investigations are ongoing, however we can confirm that the number of potential customers referred to in certain online posts is wholly inaccurate and very significantly overstated.”
Although, the hacker claimed that customers’ names, emails, last-used IP address, business phone number and home phone number had been exposed.
TalkTalk is currently working with the third-party, believed to be subscription management platform CSG Ascendon.
Screenshots shared by the hacker suggest the data was possibly stolen from Ascendon, rather than directly from TalkTalk.
TalkTalk has historically used CSG Ascendon’s services.
[bc_video account_id=”5067014667001″ application_id=”” aspect_ratio=”16:9″ autoplay=”” caption=”I’m terrified after getting threatening email demanding $2k ransom that included pics of my home & all my personal info” embed=”in-page” experience_id=”” height=”100%” language_detection=”” max_height=”360px” max_width=”640px” min_width=”0px” mute=”” padding_top=”56%” picture_in_picture=”” player_id=”default” playlist_id=”” playsinline=”” sizing=”responsive” video_id=”6362730363112″ video_ids=”” width=”640px”]In a statement, a CSG spokesperson told BleepingComputer: “On Jan. 21, 2025, CSG learned that an external party gained unauthorised access to a single provider’s data residing on a CSG platform.
“We have no evidence that CSG’s technologies and systems were compromised or that CSG was the cause of the unexpected access to the data.
“CSG provided immediate containment and is actively supporting our customer.”
In 2015, TalkTalk suffered a data breach where a 17-year-old hacker accessed the personal details of 160,000 customers.
The incident led to a £400,000 fine by the UK Information Commissioner’s Office.
Data exposed
A name, email address and phone number is all scammers need to swindle unsuspecting victims.
It’s important to always be wary of emails from unknown senders, as well as texts and calls.
These personal details can be used to entice people into a scam, or used to gain more information about a potential victim.
Delivery scams are rampant – and only require a name, email address or phone number.
“If you get a message that asks you to pay to get the parcel or reschedule the delivery, it’s usually a scam,” warns Citizens Advice.
“Don’t click any links in the text or email. Delivery companies won’t ask you to pay them through a link in an email or text.”
Citizens Advice also cautions the public to avoid giving away personal information to people they don’t know.
“Some scammers try to get your personal information – for example, the name of your primary school or your National Insurance number,” the organisation explains.
“They can use this information to hack your accounts.”
That means also being careful of how much you share on social media.