CTT Breach: 468K Emails, Names & Phones Exposed (2026)
In April 2026, data allegedly obtained from CTT, Portugal's national postal service, was posted to a public hacking forum . The data included 468k unique email addresses along with names, phone numbers and parcel tracking numbers which can be used to retrieve the tracking history of the parcel.
Overview
In April 2026, a dataset allegedly stolen from CTT (Correios de Portugal), Portugal’s national postal service, was posted to a public hacking forum. The breach exposed approximately 468,124 unique email addresses, along with names, phone numbers, and parcel tracking numbers. The tracking numbers are of particular concern because they can be used to retrieve parcel delivery history, revealing sensitive details about users’ shipping habits and locations. The breach was reported to Have I Been Pwned, making it easy for affected customers to verify if their data was compromised.
What Was Exposed
The exposed data includes:
- Email Addresses – Primary account identifiers used for login and communication.
- Names – Full names linked to postal service accounts.
- Phone Numbers – Direct contact information.
- Parcel Tracking Numbers – These can reveal delivery routes, sender and recipient addresses, and parcel history, which could be used for social engineering or targeted scams.
While no passwords or financial data were directly exposed, the combination of personal identifiers makes this a HIGH severity incident. Attackers can use email addresses and phone numbers for phishing campaigns, while tracking numbers enable more sophisticated fraud, such as impersonating CTT support to request “delivery verification” or “customs fees.”
How the Breach Happened
The exact attack vector has not been publicly confirmed by CTT at this writing. However, the data appearing on a public hacking forum suggests either an insider leak, a compromised database, or a vulnerability in CTT’s customer-facing systems. Given that tracking numbers were included, the breach likely involved a backend system storing customer orders and delivery records, rather than just marketing data.
This incident mirrors other postal service breaches (e.g., Royal Mail, Australia Post) where tracking numbers were used to craft convincing phishing emails about “undelivered packages.” Users should be alert for such campaigns in the coming months.
Risks to Affected Users
- Phishing & Smishing – Attackers can send realistic emails or SMS messages referencing your parcel tracking number, asking you to click a link or call a fake support line.
- Social Engineering – With your name and phone number, scammers can pose as CTT representatives to extract more sensitive information, like payment card details or home addresses.
- Privacy Invasion – Parcel tracking history reveals what you ordered, when, and where it was delivered, potentially exposing purchase habits or embarrassing items.
How to Check If You’re Affected
Visit Have I Been Pwned and enter the email address you used with CTT. If your email appears in the breach, assume your name and phone number are also exposed. CTT may also be notifying affected customers directly. Do not provide additional personal or financial information in response to unsolicited messages.
What to Do Right Now
- Enable Two-Factor Authentication (2FA) on any CTT account that supports it, and on your email account.
- Be skeptical of unsolicited messages mentioning your tracking number. Contact CTT directly via their official website or phone number if you need to verify a delivery.
- Monitor for phishing attempts - delete suspicious emails and SMS messages without clicking. Report them to CTT’s security team.
- Change your CTT account password if you haven’t done so recently, and use a unique password not shared with other services.
Security Insight
This breach underscores a recurring vulnerability across national postal services: the reliance on simple tracking numbers as authentication tokens. While not credentials per se, tracking numbers expose behavioral data - what users buy, where they ship, and when they’re away from home. CTT’s failure to protect these identifiers suggests a broader lack of security hardening in their customer-facing IT infrastructure. Postal services worldwide should adopt tokenized tracking links (expiring, single-use) and enforce multi-factor authentication for account access.
Further Reading
Investigate Breaches Safely with NordVPN
Researching exposed data, paste sites, or threat actor infrastructure? Route your OSINT traffic through a VPN to avoid attribution and keep your investigation IP separate from your corporate network.
Get NordVPN for ResearchAffiliate link — we may earn a commission at no extra cost to you.
Never miss a data breach report
Get real-time security alerts delivered to your preferred platform.
Related Breach Reports
In April 2026, the fintech software company Abrigo was targeted in a "pay or leak" extortion attempt by the ShinyHunters group . Shortly after, data allegedly taken from the company's Salesforce instance was published publicly and contained over 700k unique email addresses belonging to both Abrigo s...
In April 2026, Canada Life was the victim of a "pay or leak" extortion campaign by the ShinyHunters group . The group subsequently published the data which contained over 200k unique email addresses along with names, phone numbers, physical addresses and, in some cases, customer support tickets. In ...
In May 2026, the real estate services firm Cushman & Wakefield was the target of a "pay or leak" extortion campaign by the ShinyHunters group . Following the threat, the group publicly published data they alleged had been obtained from the firm, consisting mostly of C&W email addresses along with te...
In March 2026, the AI-driven merchant data platform Woflow was named as a victim by the ShinyHunters data extortion group . The group subsequently published tens of thousands of files allegedly obtained from the company, comprising more than 2TB of data. The trove included hundreds of thousands of e...