Ukrainian Internet Provider “express” Allegedly Breached

Ukrainian internet service provider “Express” (express.net.ua) has allegedly become the victim of a significant data breach. A threat actor has posted a database containing what is claimed to be sensitive information of nearly 390,000 users for sale on a dark web forum. Express is a regional telecommunications company that provides home and business internet services across various parts of Ukraine, including the Zaporizhzhia region. The breach could impact a substantial number of the company’s customers, exposing their personal and financial information.

The threat actor claims the dump contains a total of 388,607 lines of user, payment, and operational data extracted from the company’s servers. The sale post details multiple CSV files, suggesting a comprehensive exfiltration of the provider’s records. Samples of the data appear to corroborate the claims, revealing a wide range of sensitive information.

The allegedly leaked data includes:

• User Information: Full names, passwords, phone numbers, and internal account details.
• Payment and Financial Data: Detailed payment records from various services, including transaction IDs and, in some cases, customer names and addresses embedded in XML data.
• Service Requests and Memos: Customer service requests which include user addresses, connection and disconnection dates, and internal staff comments.
• New User Applications: Information from new user applications containing names, phone numbers, and street addresses.
• Administrative Data: The actor also claims to have admin logins and password hashes.