Brinztech Alert: Alleged Database of Izipay (Peruvian Fintech) is on Sale

Dark Web News Analysis

A threat actor on a known cybercrime forum is advertising the sale of a database allegedly belonging to Izipay (izipay.pe), a major Peruvian payment processor and fintech company (acquired by Intercorp Financial Services). The dataset reportedly contains 364,000 records and is being offered for a low price of $490.

Brinztech Analysis:

• The Target: Izipay provides point-of-sale (POS) and online payment solutions to thousands of merchants across Peru. A breach here primarily impacts small and medium businesses (SMBs) using the platform to accept payments.
• The Data: The leak reportedly includes User IDs, Full Names, Addresses, Email Addresses, and Phone Numbers. While the prompt specifies “customer data,” in the context of Izipay, these “customers” are likely the merchants themselves.
• The Context: This incident surfaces amidst a cybersecurity crisis in Peru. Throughout 2024 and 2025, the country has seen massive data breaches targeting Interbank (1.7 million emails), Movistar Peru (5 million records), and EsSalud (3.3 million records). This new Izipay leak appears to be part of a sustained campaign against Peru’s financial and telecommunications infrastructure.
• The “2025” Date: The “Leak Date: 2025” indicates this is a fresh, active listing. The low price ($490) suggests the data may be a “combolist” or a subset of a larger breach, marketed for quick sale to low-level fraudsters.

Key Cybersecurity Insights

This alleged data breach presents a critical threat to Peruvian merchants and the fintech sector:

• Merchant Fraud & Phishing: The exposed data (merchant names, phones, emails) allows attackers to launch highly targeted Business Email Compromise (BEC) or Smishing attacks. Scammers can impersonate Izipay support, claiming “terminal updates” or “account verification” are needed to steal login credentials or divert settlement funds.
• Financial Sector Vulnerability: The compromise of a payment system highlights potential vulnerabilities within critical financial infrastructure. If attackers can access merchant accounts, they might be able to refund transactions or launder money through the platform.
• Regulatory Impact (LPDP): This breach falls under Peru’s Law for the Protection of Personal Data (LPDP). Izipay faces mandatory reporting requirements to the National Authority for Personal Data Protection (ANPD). The recent surge in breaches has put intense pressure on regulators to enforce stricter penalties.
• Low Barrier to Entry: The $490 price point makes this sensitive B2B data accessible to a broad range of cybercriminals, increasing the likelihood of widespread, uncoordinated attacks against the affected merchants.

Mitigation Strategies

In response to this claim, Izipay and its merchant partners must take immediate action:

• Immediate Incident Response: Izipay must conduct an urgent forensic investigation to confirm the breach source (likely an unpatched web vulnerability or compromised third-party integration). Verify if the 364,000 records match the merchant database.
• Proactive User Notification: Notify all affected merchants immediately. Warn them specifically about fake support calls asking for OTPs or passwords. Remind them that Izipay will never ask for credentials over the phone.
• Enforce Multi-Factor Authentication (MFA): Mandate MFA for all merchant dashboard logins. This is the single most effective defense against account takeover using leaked credentials.
• Enhanced Fraud Monitoring: Implement stricter monitoring for unusual refund activity or changes to merchant bank account details (settlement accounts).

Secure Your Business with Brinztech — Global Cybersecurity Solutions Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.

Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com