Hackers Claim Breaches at Bancolombia and Banco de Bogota
Hackers have claimed breaches at Grupo Bancolombia and Banco de Bogota, with purportedly stolen data posted on DarkForums by what researchers said appeared to be the same threat actor. According to reporting cited by Cybernews and SC Media, the alleged Bancolombia leak included screenshots of an internal content management system showing customer names and login/logout timestamps, as well as PDF files containing customer and advisor names, location details, and insurance plan information.
The alleged Banco de Bogota exposure reportedly involved nearly 30 records containing full names, physical addresses, and phone numbers. Researchers said the breach claims had not been independently verified, but warned that even limited personal data could be combined with information from other leaks to support phishing, social engineering, and other targeted attacks against affected customers.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Researchers warn leaked bank data could enable phishing attacks
Cybernews reported that the alleged breach had not been verified but warned that exposed customer information could be cross-referenced with other breached data to support phishing, social engineering, and targeted intrusions against affected bank customers.
Threat actor posts alleged Colombian bank data on DarkForums
A threat actor allegedly listed purportedly stolen data from Grupo Bancolombia and Banco de Bogota on DarkForums. The Bancolombia material reportedly included screenshots of an internal CMS and PDF files with customer and advisor information, while the Banco de Bogota listing allegedly exposed about 30 records with names, addresses, and phone numbers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Dark Web Leak Claims Target Colis Privé and Multiple Online Services
Dark web monitoring reports described **unverified data leak claims** involving several organizations, including French parcel delivery firm **Colis Privé**. One post on **BreachForums** allegedly offered an upload of **22,564,381 records** attributed to Colis Privé, described as `.jsonl` files totaling **~4.1 GB**; no specific threat actor attribution or company confirmation was cited, and the notice characterized the situation as informational while scope is assessed. If authentic, the scale and format of the dataset would materially increase risk of **identity theft, credential stuffing, and targeted phishing** against customers. Separate dark web forum posts also alleged database exposures affecting **JobsGO** (Vietnam recruitment platform), **MyVete** (veterinary management platform), **PIXPAY** (Senegalese payment service), and **Groupe Fondasol** (France-based engineering). The claimed datasets reportedly include **CV/personal records**, and in some cases **API credentials and employee metadata**, with example figures including **~2.3 million records** for JobsGO and **~5.57 million records** for MyVete (verification not indicated). Across the claims, the primary business risk is downstream abuse of exposed personal and operational data for **social engineering, recruitment fraud, and account takeover**, rather than immediate exploitation of a specific software vulnerability.
Mar 21, 2026
Multiple High-Profile Data Leaks and Ransomware Attacks Impact Financial and Government Entities
Several significant data leaks and ransomware incidents have surfaced, affecting a range of organizations including Banco Vimenca, WIRED subscribers, Mexico’s Tax Administration Service (SAT), and New Zealand’s Neighbourly platform. Threat actors have claimed responsibility for exposing sensitive data such as government financial records, large-scale subscriber information, and user communications, with some incidents linked to ransomware groups. While the authenticity of these dark web postings remains unverified, the breadth of affected entities highlights ongoing risks to both financial institutions and government agencies from cybercriminal activity. In the United States, two banks—Artisans' Bank and VeraBank—have notified thousands of customers that their personal information was compromised in a ransomware attack on Marquis Software, a vendor providing data analytics and communication services to financial institutions. The attack, traced to a vulnerability in a SonicWall firewall, resulted in the exposure of names and Social Security numbers, though the banks’ own systems were not directly breached. These incidents underscore the persistent threat posed by supply chain vulnerabilities and the importance of robust third-party risk management for organizations handling sensitive data.
Mar 21, 2026
Threat Actor Claims Theft of 400,000 Bol Customer Records
A threat actor using the alias **"Jeffrey Epstein"** claimed to have stolen data on more than **400,000 Belgian customers** of Dutch online retailer **Bol** and advertised the dataset for sale on a dark web forum. Reports said the actor published a sample to support the claim and directed prospective buyers to negotiate through **Telegram** or **Session**. The allegedly exposed records include names, birthdates, phone numbers, email addresses, physical and shipping addresses, tracking numbers, order history, and some payment-related details, though reports said **passwords and bank or financial data were not included**. Bol said it was taking the claim seriously but had **no evidence of a hack or attack**, that its systems were operating normally, and that **no ransomware** was involved; if the data is genuine, it could be used in phishing, identity theft, and fraud targeting affected customers.
May 25, 2026