{"id":650507,"date":"2026-05-28T17:30:45","date_gmt":"2026-05-28T15:30:45","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=650507"},"modified":"2026-05-28T19:22:47","modified_gmt":"2026-05-28T17:22:47","slug":"telkom-says-no-evidence-that-its-systems-were-compromised-after-hacker-claimed-to-have-customer-records-for-sale","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/650507-telkom-says-no-evidence-that-its-systems-were-compromised-after-hacker-claimed-to-have-customer-records-for-sale.html","title":{"rendered":"Telkom says no evidence that its systems were compromised after hacker claimed to have customer records for sale"},"content":{"rendered":"\n

Telkom said that there is no evidence to indicate that its systems have been compromised or that customer data has been accessed, sold, or exposed.<\/p>\n\n\n\n

This statement comes after a hacker claimed to be selling records of private customer data from Telkom on the deep web.<\/p>\n\n\n\n

An alleged 742,000 records of private data from Telkom customers were put up for sale on the dark web by a threat actor tied to several recent data breach claims in South Africa.<\/p>\n\n\n\n

MyBroadband was unable to independently verify whether the leak was legitimate, and Telkom said its internal investigation found no evidence that its systems were compromised.<\/p>\n\n\n\n

The South African telecommunications giant also said there was no evidence that customer data was accessed by outside actors.<\/p>\n\n\n\n

In a post on a hacker forum, threat actor Databasehooligan claimed to have obtained a dataset of Telkom’s customer contact records.<\/p>\n\n\n\n

The post was similar to several others offering the sensitive data of South Africans for sale, including alleged breaches at Midas<\/a> and the Wanderers Club<\/a>.<\/p>\n\n\n\n

As for the Telkom dataset, the threat actor was offering the data for the equivalent of R14,780, claiming it would include contact details, subscription information, and support ticket details.<\/p>\n\n\n\n

“The data is fresh and organised across 3 main sections, useful for research, analysis, or understanding the structure of South Africa’s relevant sector,” they claimed.<\/p>\n\n\n\n

MyBroadband saw samples of the data, which showed email addresses, mobile phone numbers, and the product they are subscribed to. However, the most recent dates in the samples are only for 2024.<\/p>\n\n\n\n

“Upgraded modem remotely. Customer confirmed a stable connection. Issue resolved,” one of the lines of the set read, which included a customer’s full name, email address and phone number.<\/p>\n\n\n\n

Meanwhile, the subscription contract database list contained information such as contract type, the amount certain customers were paying, and their status (Active, cancelled, etc.).<\/p>\n\n\n\n

We could not identify any personally identifiable information in the subscription dataset other than contact IDs, which might be linked to private details in the other datasets.<\/p>\n\n\n\n

The threat actor was selling a complete spearphishing kit, including all the necessary data to target and exploit what it claimed were Telkom customers.<\/p>\n\n\n\n

Telkom said it remained vigilant and would continue investigating any claims that its systems were compromised or that its customer data was leaked. <\/p>\n\n\n\n

“Telkom employs robust, multi-layered cybersecurity measures and continuous monitoring to safeguard customer information and protect against malicious activity,” the company said. <\/p>\n\n\n\n

Threat actors target South African companies<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

On 27 May 2026, Databasehooligan posted sales offers for alleged databases of the Wanderers Club, car parts supplier Midas, and Telkom, all within a 7-minute period.<\/p>\n\n\n\n

Each dataset contained customer contact information and other private data allegedly stolen from each company’s systems.<\/p>\n\n\n\n

All three of the posts were written and constructed in the same manner, which indicated the use of generative AI or agentic technology aiding the threat actor.<\/p>\n\n\n\n

The Midas data set was offered for the equivalent of R17,974 and allegedly contained approximately 463,000 records of customer data, including sales orders, email addresses, and mobile numbers.<\/p>\n\n\n\n

Like the other sales of private data hosted by the threat actor, the Midas set is a pre-made spearphishing kit with the actor claiming it “provides a detailed look at the organisation’s operations.”<\/p>\n\n\n\n

It is unknown exactly when the three data breaches took place. However, the timing of the listings coincides with a wave of distributed denial-of-service (DDoS) attacks in South Africa.<\/p>\n\n\n\n

Between at least 10 May and 23 May 2026, numerous South African Internet infrastructure companies suffered service disruptions due to a large-scale DDoS campaign.<\/p>\n\n\n\n

No threat actor groups have publicly claimed involvement with the campaign, but at least seven major providers were affected, according to our investigation.<\/p>\n\n\n\n

This included Seacom, Host Africa, Xneelo Network Platforms, 1-Grid, Datakeepers, Diamatrix and Liquid Intelligent Technologies.<\/p>\n\n\n\n

The series of widespread DDoS attacks resulted in Internet service outages for South Africans, with numerous reports of downtime recorded on Downdetector.co.za.<\/p>\n\n\n\n

Security researchers have told MyBroadband that cybercriminal groups have used mass DDoS campaigns to divert attention from other activities, including company data breaches.<\/p>\n\n\n\n

However, Telkom said that the allegations of a breach were unrelated to network disruptions experienced during the period when the DDoS attacks were taking place.<\/p>\n\n\n\n

The company also previously told MyBroadband that it had not been targeted by the DDoS attacks that swept the country in mid-May.<\/p>\n\n\n\n

\n\n\n\n

Samples of supposed Telkom data for sale on the dark web<\/h2>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n","protected":false},"excerpt":{"rendered":"

Telkom said that there is no evidence to indicate that its systems have been compromised or that customer data has been accessed, sold, or exposed.<\/p>\n","protected":false},"author":341213,"featured_media":639965,"comment_status":"open","ping_status":"closed","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[15227,63066,105541,2242,105562,91267,109,105563],"class_list":["post-650507","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-cybersecurity","tag-data-breaches","tag-databasehooligan","tag-ddos","tag-ddos-campaign","tag-midas","tag-telkom","tag-wanderers-club"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/650507"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341213"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=650507"}],"version-history":[{"count":16,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/650507\/revisions"}],"predecessor-version":[{"id":650728,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/650507\/revisions\/650728"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/639965"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=650507"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=650507"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=650507"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}