Hackers say they have GameStop customers' personal data
GameStop customers are implicated in an alleged data leak, with hackers claiming to have breached the video game giant on an illicit marketplace.
-
Hackers claim to be selling an alleged GameStop customer database containing more than 54 million records.
-
Sample records reviewed by Cybernews include names, dates of birth, contact information, addresses, account details, and purchase history, with some records appearing to date from 2026.
-
If the data is genuine, the combination of personal information and purchase history could enable highly convincing phishing, profiling, and social engineering attacks targeting GameStop customers.
-
Cybernews has reached out to GameStop.
The threat actor claims in the listing that the dataset includes over 54 million records. However, at this stage, the real scale of the alleged dataset remains unclear. The alleged attackers shared 86 records to support their claims, but have not disclosed the total number of allegedly affected users.
Headquartered in Grapevine, Texas, GameStop is one of the world's largest video game retailers, selling new and pre-owned games. Apart from video games, it sells consoles, consumer electronics, and collectibles. GameStop operates thousands of physical stores, along with its online platforms.
GameStop drew global attention in 2021 when its stock became the center of an unprecedented short squeeze driven largely by retail investors coordinating on Reddit's communities. The incident caused sharp losses for several hedge funds that had bet against the company's shares.
What data was allegedly exposed?
Cybernews researchers analyzed the sample published alongside the listing and found it contains customer account information, including:
- User IDs
- Full names
- Dates of birth
- Email addresses
- Phone numbers
- Home addresses and ZIP codes
- Account status flags
- Account creation dates
- Last purchase dates
Our researchers noted that while the records span different periods, some leaked purchases date to 2026, suggesting that at least part of the dataset may be relatively recent rather than originating entirely from historical leaks.
"There are 86 sample records available, so it's not possible to determine whether additional records exist," the researchers said.
Without access to the full dataset, it is impossible to verify the seller's claims or determine the total scope of the alleged exposure.
Fresh purchase history could aid scammers
If proven legitimate, the data exposure could put GameStop customers at risk. Our researchers warn that the combination of personal details with customer activity could be highly valuable to cybercriminals.
Primarily, the affected individuals should look out for phishing and social engineering attacks. Knowing what a customer purchased and when allows attackers to impersonate GameStop or related services with a greater chance of success.
For example, customers of GameStop may receive fraudulent emails, customer support calls, or fake delivery notifications.
"The primary risks are social engineering and profiling of the affected individuals," Cybernews researchers explained.
"Attackers could exploit this information to trick victims into revealing more sensitive information, including account credentials or payment details."
Listings on cybercrime marketplaces do not necessarily indicate that a company has suffered a breach.
Threat actors sometimes exaggerate the size of datasets, recycle previously leaked data, or combine records from multiple sources to increase the perceived value of their illicit product.
Cybernews has reached out to GameStop. We will update the article once we receive a response.
Unlock more exclusive Cybernews content on YouTube:
