A major data breach has hit Royal Mail Group, with 144GB of sensitive data exposed through a breach at a third-party provider. The incident shares striking similarities with the recent Samsung Tickets leak: both trace back to the same threat actor and the same set of stolen credentials.
On April 2, 2025, a hacker known as "GHNA" posted the massive data dump on BreachForums, making it freely available. The leaked information includes customer personal data, internal documents, Zoom meeting recordings, delivery datasets, and a WordPress database from mailagents.uk.
The exposed data spans 293 folders containing 16,549 files. Sample records reveal detailed customer information including names, addresses, package specifics, and planned delivery dates. A compromised Mailchimp mailing list exposed subscriber details like email addresses, phone numbers, and physical addresses.
The root cause traces back to a 2021 infostealer malware infection that captured the credentials of an employee at Spectos, a third-party service provider to Royal Mail Group. The same stolen credentials enabled the recent Samsung Tickets breach.
Security researchers note that artificial intelligence tools can rapidly analyze the huge volume of unstructured data, potentially enabling targeted attacks. The Zoom recordings and operational data could be leveraged for social engineering schemes.
"The speed at which AI can process and extract value from such large data dumps dramatically increases the risks," noted cybersecurity experts tracking the incident.
The breach demonstrates that credentials captured by an infostealer stay useful to attackers for as long as they remain valid, in this case roughly four years after the initial infection. It also highlights the weakness of supply chain security: attackers increasingly target third-party providers as a route into larger organizations.
Royal Mail Group, a British institution with over 500 years of history, now faces potential fallout including identity theft risks, phishing campaigns targeting exposed individuals, and reputational damage.
Organizations are advised to implement continuous security monitoring, strengthen vendor risk management, and regularly rotate credentials, including those issued to vendors, so that a secret stolen years earlier no longer works. Any credential known to have been captured by an infostealer should be revoked immediately rather than left to the normal rotation cycle. The growing role of AI in weaponizing stolen data also calls for updated defensive strategies.
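As an added illustration, not part of the original article, the following Python script audits a constructed inventory of credentials held by third parties and flags any credential that is older than a rotation policy, was last rotated on or before a known exposure date, is not protected by MFA, or has never been used. The vendor names, credential IDs, dates and the 90-day policy are assumptions made for the example; a credential stolen in 2021 and never rotated since would be reported under "predates-exposure".

```python
import csv
import io
from datetime import date

# Constructed inventory for this example only; it is not data from the Royal Mail
# or Spectos incident. One row per credential a third party holds into our systems.
INVENTORY_CSV = """\
credential_id,holder,last_rotated,last_used,mfa_enforced
svc-reporting-export,vendor-a,2021-02-14,2025-03-30,no
svc-delivery-feed,vendor-a,2025-01-10,2025-03-31,yes
api-marketing-sync,vendor-b,2022-06-01,2024-12-02,no
api-legacy-sftp,vendor-c,2019-09-20,,no
"""

MAX_AGE_DAYS = 90  # assumed rotation policy, not a figure from the article


def parse_inventory(text):
    """Parse the CSV inventory; dates become date objects, an empty last_used becomes None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_rotated"] = date.fromisoformat(row["last_rotated"])
        row["last_used"] = date.fromisoformat(row["last_used"]) if row["last_used"] else None
        row["mfa_enforced"] = row["mfa_enforced"].strip().lower() == "yes"
        rows.append(row)
    return rows


def audit_credentials(rows, as_of, exposure_date=None, max_age_days=MAX_AGE_DAYS):
    """Return {credential_id: [reasons]} for every credential that needs action.

    stale              last rotated more than max_age_days before as_of
    predates-exposure  last rotated on or before a known compromise date, so a copy
                       stolen at that time is still valid today
    no-mfa             the secret alone is enough to authenticate
    never-used         nobody depends on it, so it can be revoked outright
    """
    findings = {}
    for row in rows:
        reasons = []
        if (as_of - row["last_rotated"]).days > max_age_days:
            reasons.append("stale")
        if exposure_date is not None and row["last_rotated"] <= exposure_date:
            reasons.append("predates-exposure")
        if not row["mfa_enforced"]:
            reasons.append("no-mfa")
        if row["last_used"] is None:
            reasons.append("never-used")
        if reasons:
            findings[row["credential_id"]] = reasons
    return findings


def run_audit(text, as_of_iso, exposure_iso=None, max_age_days=MAX_AGE_DAYS):
    """Convenience wrapper taking ISO date strings, e.g. run_audit(csv_text, "2025-04-02", "2021-12-31")."""
    exposure = date.fromisoformat(exposure_iso) if exposure_iso else None
    return audit_credentials(parse_inventory(text), date.fromisoformat(as_of_iso), exposure, max_age_days)


if __name__ == "__main__":
    # Treat anything not rotated since the end of 2021 as possibly caught by the
    # 2021 infostealer infection described in the article (the exact infection
    # date is not given, so the end of that year is used as a conservative bound).
    findings = run_audit(INVENTORY_CSV, "2025-04-02", "2021-12-31")
    for cred_id, reasons in findings.items():
        print(f"{cred_id}: {', '.join(reasons)}")
```

The exposure date is deliberately a separate check from the age policy: a credential that is only a few weeks old but was rotated before a known compromise date is still compromised, while a credential that merely exceeds the policy age is a hygiene problem rather than a known exposure. Run the audit against every system a vendor can reach, not just the one that was breached, since the article's point is that one set of stolen credentials served two different victims.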