BBVA haunted by fresh leak claims as customer banking data resurfaces online


An alleged BBVA leak is haunting Mexico again, with hackers posting customers’ data for sale.

A dataset allegedly tied to BBVA's Mexican customers has surfaced on hacker forums, reviving long-running concerns about the security posture of one of the world’s largest banking groups.

Banco Bilbao Vizcaya Argentaria, better known as BBVA, has grown from a Spanish lender into one of Europe's largest financial powerhouses, with total assets exceeding €813 billion and a presence in more than 25 countries.

The bank employs roughly 127,000 individuals and has more than 77 million active customers worldwide.

What data did hackers allegedly steal from BBVA?

The listing that popped up recently on a well-known hacker forum includes a small sample of 13 records containing personally identifiable information.

What BBVA data is allegedly exposed?

  • Full names
  • Phone numbers
  • Partial home addresses
  • Card expiration dates

While the sample provided is limited, Cybernews researchers say that the format differs from previously circulated BBVA leaks, suggesting this may not simply be recycled data from older breaches.

Our researchers warn that such data, in the hands of attackers, can be exploited to craft successful social engineering attacks that compromise bank customers’ accounts.

At the moment, the dataset's origin and authenticity remain unconfirmed. Cybernews has reached out to BBVA for a comment, but has yet to receive a response.

New leak or recycled breach data?

BBVA has repeatedly appeared in underground cybercrime discussions over the past several years, particularly in relation to alleged breaches involving BBVA Mexico.

One of the most widely circulated incidents dates back to August 2022, when threat actors claimed to be selling up to 3 million BBVA México customer records on the Breached forum. That dataset allegedly included:

  • Full names
  • Tax identification numbers (RFCs)
  • Addresses
  • Account numbers
  • Credit limits

BBVA denied the claims at the time.

According to Cybernews researchers, however, the newly surfaced dataset does not fully match the structure of older leaks.

“In other datasets, there's a full home address instead of a partial one, and there is no info on card details, while this one shows card expiration dates,” our researchers explained.

That distinction may point to a separate compromise or a different source of data collection entirely.

How might attackers have obtained bank customers' data?

At this stage, it is impossible to determine definitively how the customer data was obtained.

“This kind of info could've been collected in a variety of ways. It could be either infostealers or a compromised database,” Cybernews researchers said.

Infostealer malware campaigns have increasingly become a major source of data leaks from financial enterprises. This type of malware harvests credentials, autofill data, payment information, and browser sessions directly from infected devices.

Researchers suspect a broader attack spree

Cybernews researchers believe the latest appearance could be connected to a broader pattern of attacks targeting BBVA infrastructure or customers.

“This new listing may be linked to an attack spree targeting the BBVA bank. The bank is likely a constant target due to a lack of security guards somewhere. For example, a lack of employee training or a lack of technical guardrails,” our researchers said.

The bank has increasingly become a target for both data theft operations and malware campaigns aimed at its customers.

One such attack vector was the Revive Android banking trojan, built to mimic BBVA’s two-factor authentication application to steal customer credentials.

According to researchers at Cleafy, the malware supported phishing, keylogging, and account-takeover attacks targeting BBVA users.

“Sovereign financial identity” breach claims

Separate intelligence published by Brinztech paints an even more alarming picture. According to the report, a threat actor operating under the alias “MAGO SPEAK” allegedly announced the compromise and public release of an extensive BBVA customer database on high-tier hacker forums in April 2026.

Researchers described the exposed information as a “Total Financial and Civil Blueprint” of affected individuals. The allegedly leaked data reportedly includes:

  • Full names
  • Complete physical addresses
  • RFC tax identification numbers
  • Credit line information
  • Credit card details

The inclusion of Mexican RFC tax identifiers significantly raises the stakes, as they serve as financial and civil identity anchors. The threat actor at the time provided direct download links alongside Telegram contact information to facilitate the distribution of the data.

The bank has also faced regulatory scrutiny over data protection practices in 2024. In a landmark GDPR case, Spain’s data protection authority fined BBVA €5 million after determining that the company had processed personal data without adequate consent mechanisms.

