Telefónica Faces Fresh Breach Claims Amidst Rising Ransomware Tensions
In the latest chapter of escalating cyber threats in Europe, Spanish telecommunications giant Telefónica is under the spotlight once more after a hacker, known as “Rey”, claimed responsibility for stealing a massive trove of internal data. This time, the threat actor says they exfiltrated over 106GB of sensitive data, allegedly undetected for 12 hours. Despite growing online evidence and pressure from media outlets, Telefónica has yet to publicly confirm or deny the breach. The incident follows a similar compromise in January 2025 by the same threat group—Hellcat Ransomware—raising serious concerns about Telefónica’s vulnerability and ongoing reliance on misconfigured systems.
The hacker has already released a 2.6GB sample archive, unpacking into over 20,000 files, to prove the authenticity of the breach. These files include purchase orders, internal emails, customer records, and employee data spanning several countries. Telefónica has remained silent, while only one O2 employee dismissed the claims as extortion based on outdated information. Despite this rebuttal, the hacker continues to leak files to back up their narrative, threatening full disclosure unless the company complies.
Telefónica’s Security Breach: What’s Really Going On?
The cybersecurity world is buzzing after the self-proclaimed hacker “Rey”, a member of the Hellcat Ransomware group, claimed responsibility for a 106.3GB data breach at Telefónica. According to Rey, the breach took place on May 30, when a Jira server misconfiguration left the telecom company’s internal systems exposed for 12 hours. During this window, Rey reportedly exfiltrated a massive volume of files—over 385,000, containing everything from internal communications and logs to employee and client data across Europe and Latin America.
To prove the legitimacy of the hack, Rey leaked a 2.6GB archive, which expands to about 5GB and over 20,000 files. These files reportedly contain documents such as invoices, employee email addresses, and business contracts from countries like Hungary, Spain, Chile, Germany, and Peru. The most recent timestamp found in the leaked documents is from 2021, lending weight to Telefónica’s internal suggestion that the data might be from an older breach. Still, Rey insists that the dump is fresh and directly connected to the May 30 incident.
What adds further intrigue is Telefónica’s silence. Attempts by journalists to elicit a response from multiple executives at the company, including through emails and direct outreach, have gone unanswered. Only one spokesperson from Telefónica O2 (its UK and German arm) responded—labeling the claims as a recycled extortion scheme. Despite this denial, leaked email addresses appear to belong to currently active employees, challenging the official dismissal.
The hacker appears intent on escalation. After initial leaks were taken down by PixelDrain due to legal concerns, Rey switched to Kotizada, a shady storage platform flagged by Google Chrome as unsafe. His threat is clear: if Telefónica continues to ignore him, the entire 106GB archive will be released over the coming weeks.
Hellcat Ransomware is no stranger to high-profile targets.
What Undercode Says:
Telefónica’s Security Woes Reflect a Larger Pattern
This latest alleged breach at Telefónica is more than just an isolated incident. It exposes a recurring vulnerability pattern that is not unique to one company but echoes across the digital infrastructure of many global firms. At the heart of the issue lies poor server configuration, particularly with Jira, an internal development and ticketing system used widely across industries. While Jira is a powerful productivity tool, it can become a hacker’s gateway if not properly secured.
The fact that Hellcat Ransomware successfully infiltrated Telefónica twice in a matter of months speaks volumes about the company’s incident response and security patching cadence. If the same group can exploit similar vulnerabilities twice, it raises serious red flags. Did Telefónica fail to patch the gaps identified during the January breach? Or worse, did they simply assume the threat actor wouldn’t return?
Moreover, Rey’s decision to publicly leak a portion of the stolen data marks a strategic move. By offering verifiable proof early, they aim to control the narrative and build credibility, even as Telefónica attempts to downplay the threat. The presence of recent employee email addresses also pokes holes in the company’s claim that this is just a recycled scam based on old data.
From a threat intelligence perspective, this situation underscores the rising aggression and boldness of modern ransomware groups. Gone are the days of silent data theft. Today, attackers are adopting a marketing-like approach, complete with teaser dumps, deadlines, and public shaming tactics—all designed to maximize pressure.
The case also highlights a worrying complacency among legacy telecom companies. With increasing digitization and cloud migration, these firms must reevaluate their cyber posture and resilience. Telefónica’s reluctance to acknowledge the incident may be driven by fears of reputational harm or regulatory penalties, especially in data-sensitive regions like the EU. But silence isn’t always golden—especially when the attacker is leaking proof by the day.
Hellcat Ransomware’s target profile and history further underscore their focus on companies with known Jira dependencies. This specialization allows them to move fast, hit hard, and exploit the same weakness across multiple enterprises. It’s a call to action for organizations globally: review your Jira configurations now.
Lastly, the incident reflects broader trends in 2025’s cybersecurity landscape. As the Wiz security report notes, attackers continue to succeed using surprisingly simple methods. From exposed cloud buckets to basic server misconfigs, the doors are wide open. It’s not necessarily advanced zero-days or state-level malware doing the damage—it’s negligence.
In the battle between attackers and defenders, awareness and response time make all the difference. Telefónica now faces a public test: either come forward and acknowledge the breach, or risk losing control over a narrative that’s being shaped by the attackers themselves.
🔍 Fact Checker Results:
✅ The leaked data includes email addresses of active Telefónica employees
✅ The hacker provided a 5GB sample to prove breach authenticity
❌ Telefónica has not officially confirmed the May 30 breach
📊 Prediction:
If Telefónica continues to remain silent, Hellcat Ransomware will likely escalate its release schedule, pushing out the full 106GB archive in weekly increments. Other companies using Jira without hardened configurations may also become targets, sparking a new wave of similar attacks across Europe and Latin America. Expect public pressure on Telefónica to mount, forcing regulatory bodies like Spain’s AEPD or the EU’s GDPR enforcers to step in.
References:
Reported By: www.bleepingcomputer.com