
On cybercrime forums, even hackers are now wondering whether the latest IBM breach is real data or just another scam wrapped in a billion-dollar name, as IBM starts an investigation into claims of a data breach.
- A threat actor on a cybercrime forum claims to be selling 681,000 IBM customer records, but published no sample data — only a list of alleged database fields, raising immediate red flags about the listing's legitimacy.
- Cybernews researchers say the structure of the claimed data doesn't match what IBM typically collects, noting IBM's services are overwhelmingly enterprise-facing and the described fields — including location coordinates alongside personal data — are inconsistent with standard IBM Cloud account formats.
- The actor behind the listing has been active since 2017 and follows a recurring pattern of posting column names, big brand references, and inflated record counts without evidence — a common forum tactic to attract buyers or scam fellow cybercriminals.
- While this particular claim appears dubious, IBM has faced real breaches in the past, including the 2026 Salt Typhoon attack on its Italian subsidiary Sistemi Informativi and exposure of approximately 4 million US patient records during the MOVEit breach by Cl0p.
- IBM told Cybernews that the company is aware of the situation and is investigating.
In underground cybercrime forums, not every “massive breach” is what it claims to be. Some threat actors chase eternal glory and attention by attaching famous corporate names to questionable datasets, while others are simply trying to scam fellow scammers into buying recycled or fabricated data.
The latest listing allegedly tied to American multinational technology company IBM appears to sit somewhere in that gray zone.
Today, a post emerged on a well-known cybercrime forum in which hackers bragged about breaching IBM's systems. According to the shady post, 681,000 records tied to IBM customers have been extorted and are on sale.
However, the threat actor did not publish any actual sample records to support their claims – instead, they published only a list of alleged database fields supposedly tied to IBM customers. This raises immediate suspicion and may be a red flag.
The listing claims to contain personally identifiable information, though Cybernews researchers say the structure of the alleged data does not align with what IBM typically collects from individual users.
“IBM does not really provide many direct consumer-facing services compared to enterprise offerings,” our researchers noted.
“The closest match would possibly be IBM Cloud account information, but even then, the format described by the threat actor raises questions.”
The researchers explained that IBM cloud-related accounts typically include limited billing and account information, such as payment methods, VAT IDs, and addresses.
However, the listing allegedly references additional location coordinates alongside personal data, something researchers describe as unusual and difficult to reconcile with standard account structures.
“It could maybe be login activity logs, but then you would expect additional account-related information alongside it, such as email addresses or device information.”
Are scammers scamming scammers?
The absence of any verifiable sample data further weakens the credibility of the claims.
Our researchers say this type of listing is common across cybercrime forums, where attackers often attach recognizable corporate names to alleged datasets in order to attract buyers and inflate perceived value.
“Listings featuring major brand names generate attention and potentially more profit, regardless of whether the data is authentic,” they explained.
The motivations behind such posts can vary. Some actors seek reputation and visibility within underground communities, while others may simply attempt to scam fellow cybercriminals into purchasing recycled or entirely fabricated datasets.
A bit of both could be the case with the actor behind the IBM listing. According to Cybernews researchers, they have reportedly been active on the forum since 2017, have published multiple similar posts over the years, and their listings frequently follow the same pattern.
They publish only column names, broad institutional references, and large record-count claims without providing substantial evidence.
Cybernews has reached out to IBM for comment on the situation. The company's spokesperson stated that IBM is "aware" of the claims on the underground marketplace and has started to investigate.
IBM has not been immune to breaches
Although the current claims are likely not very trustworthy, IBM has not been immune to cyberattacks and customer data breaches in the past. In late April 2026, Sistemi Informativi, a company wholly owned by IBM Italy that provides critical IT infrastructure for numerous Italian public administration agencies, was breached by the Chinese-linked APT group Salt Typhoon.
The attack is believed to have been conducted for intelligence-gathering. IBM confirmed the incident, and while services were reportedly restored, the full scope of data exfiltration remains unknown.
In the past, IBM reported that an unauthorized party breached the patient healthcare database it manages for the Johnson & Johnson-owned Janssen CarePath platform.
In the massive MOVEit file transfer breach by the Russian ransomware gang Cl0p, IBM was among the organizations directly affected. The attack exposed the personal data of approximately 4 million US patients whose health records IBM managed.
Updated on May 29th [10:30 a.m. GMT+2] with a statement from IBM.