Brinztech Alert: The Alleged Database of Sports Emotion is on Sale

Dark Web News Analysis

The dark web news reports a significant data breach involving Sports Emotion, a prominent Spanish company operating the e-commerce platforms futbolemotion.com and basketbollemotion.com. A threat actor on a hacker forum is currently selling a database allegedly containing nearly one million lines of customer data.

The seller claims the data is “new” and is accepting offers via escrow, a common method for high-confidence sales. The compromised dataset reportedly includes highly sensitive Personally Identifiable Information (PII) such as User IDs, Full Names, Phone Numbers, Email Addresses, Dates of Birth, and detailed Physical Addresses (Street, Town, Province, Zip Code, Country). While the majority of affected users are in Spain, the breach also impacts customers in Portugal, Italy, France, and Mexico.

Key Cybersecurity Insights

Breaches of pan-European e-commerce sites carry heavy regulatory and personal security weights:

• GDPR & Regulatory Fines: Since the victims are primarily located in Spain, Portugal, France, and Italy, this breach falls squarely under the jurisdiction of the GDPR. The exposure of 1 million records could lead to massive fines from authorities like the AEPD (Spanish Data Protection Agency) if negligence is proven.
• Delivery Phishing (Smishing): The combination of Phone Numbers and Physical Addresses is the perfect recipe for “Failed Delivery” scams. Attackers can send SMS messages pretending to be a courier (e.g., SEUR, Correos, or DHL) citing a real package issue at the victim’s specific address to steal credit card details.
• Physical Security: Unlike digital-only breaches, this leak exposes exactly where customers live. For high-profile individuals (e.g., professional athletes who shop at premium sports retailers), this poses a physical privacy risk.
• E-commerce Vulnerability: The fact that data was extracted from both futbolemotion and basketbollemotion suggests a shared backend vulnerability—likely an unpatched CMS flaw or a shared database improperly secured against SQL injection.

Mitigation Strategies

To protect customer trust and comply with the law, the following strategies are recommended:

• Regulatory Notification: Sports Emotion must notify the AEPD and other relevant European data protection authorities within 72 hours of confirming the breach to mitigate potential sanctions.
• Customer Communication: Proactively inform customers in Spain and abroad about the specific data exposed. Warn them explicitly to ignore SMS messages asking for “customs fees” or “redelivery payments.”
• Password Reset: Although passwords were not explicitly mentioned in the sales listing, it is standard procedure to force a Password Reset for all accounts to prevent potential credential stuffing if the actor omitted that field from the public sample.
• Vulnerability Scan: Conduct an immediate penetration test on the checkout and user profile modules of both websites to identify and patch the exfiltration point.

Secure Your Business with Brinztech — Global Cybersecurity Solutions

Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.

Questions or Feedback?

For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com